Hi list,

I have an issue which I haven't been able to find a definitive answer
for after searching the list.

I have upgraded from 2.5 to 2.6, and the problem I have existed with 2.5,
so this is not related to the new release (running on F12/CentOS 5.5).

The puppetmaster works fine with my certificates using the internal
webrick server.

I've put Apache and Passenger in place and I get this difference in
the certificate chain, which I assume is my problem. Can this be
solved without regenerating all the certificates, or is there something
I'm missing from my configs (puppet.conf freshly generated with
puppetd --genconfig)?

## puppetmaster/webrick:
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(00000003)
depth=1 CN = au-mel-master-1.int.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=au-mel-master-1.int.example.com
   i:/CN=au-mel-master-1.int.example.com
 1 s:/CN=au-mel-master-1.int.example.com
   i:/CN=au-mel-master-1.int.example.com

## puppet passenger/apache
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(00000003)
depth=1 CN = ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=au-mel-master-1.int.example.com
   i:/CN=ca
 1 s:/CN=ca
   i:/CN=ca


I have copied and pasted the default configurations from the
/usr/share/puppet/ext directories, making slight changes depending on my setup.

[r...@au-mel-master-1 ~]# cat /etc/httpd/conf.d/puppetmasterd.conf
# you probably want to tune these settings
  PassengerHighPerformance on
  PassengerMaxPoolSize 12
  PassengerPoolIdleTime 1500
  # PassengerMaxRequests 1000
  PassengerStatThrottleRate 120
  RackAutoDetect Off
  RailsAutoDetect Off


Listen 8140
<VirtualHost *:8140>

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /var/lib/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to work with Pound.
    # RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    # RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    # RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run


The result from the puppetd run on a normally working client is:
sudo puppetd --test --verbose
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for puppet://puppet/plugins: certificate verify failed
info: Loading facts in nfs_home
info: Loading facts in nfs_home
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run


puppet.conf:
    publickeydir = /etc/puppet/ssl/public_keys
    authconfig = /etc/puppet/namespaceauth.conf
    httplog = /var/lib/puppet/log/http.log
    privatedir = /etc/puppet/ssl/private
    libdir = /var/lib/puppet/lib
    hostcert = /etc/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
    pluginsource = puppet://puppet/plugins
    localcacert = /etc/puppet/ssl/certs/ca.pem
    factpath = /var/lib/puppet/lib/facter:/var/lib/puppet/facts
    certdir = /etc/puppet/ssl/certs
    rundir = /var/lib/puppet/run
    requestdir = /etc/puppet/ssl/certificate_requests
    passfile = /etc/puppet/ssl/private/password
    hostprivkey = /etc/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
    hostcrl = /etc/puppet/ssl/crl.pem
    factdest = /var/lib/puppet/facts/
    logdir = /var/lib/puppet/log
    statedir = /var/lib/puppet/state
    ssldir = /etc/puppet/ssl
    genconfig = false
    privatekeydir = /etc/puppet/ssl/private_keys
    hostcsr = /etc/puppet/ssl/csr_au-mel-master-1.int.example.com.pem
    plugindest = /var/lib/puppet/lib
    hostpubkey = /etc/puppet/ssl/public_keys/au-mel-master-1.int.example.com.pem
    factsource = puppet://puppet/facts/
    masterhttplog = /var/lib/puppet/log/masterhttp.log
    storeconfigs = true
    server_datadir = /var/lib/puppet/server_data
    rrdinterval = 1800
    manifest = /etc/puppet/manifests/site.pp
    bucketdir = /var/lib/puppet/bucket
    fileserverconfig = /etc/puppet/fileserver.conf
    masterlog = /var/lib/puppet/log/puppetmaster.log
    rest_authconfig = /etc/puppet/auth.conf
    yamldir = /var/lib/puppet/yaml
    reportdir = /var/lib/puppet/reports
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules
    rrddir = /var/lib/puppet/rrd
    manifestdir = /etc/puppet/manifests
    clientbucketdir = /var/lib/puppet/clientbucket
    client_datadir = /var/lib/puppet/client_data
    report_server = puppet
    graphdir = /var/lib/puppet/state/graphs
    ca_port = 8140
    puppetdlockfile = /var/lib/puppet/state/puppetdlock
    bindaddress = 0.0.0.0
    splaylimit = 1800
    statefile = /var/lib/puppet/state/state.yaml
    classfile = /var/lib/puppet/state/classes.txt
    config = /etc/puppet/puppet.conf
    report_port = 8140
    clientyamldir = /var/lib/puppet/client_yaml
    reportserver = puppet
    puppetdlog = /var/lib/puppet/log/puppetd.log
    ca_server = puppet
    pidfile = /var/lib/puppet/run/agent.pid
    localconfig = /var/lib/puppet/state/localconfig
    tagmap = /etc/puppet/tagmail.conf
    csrdir = /etc/puppet/ssl/ca/requests
    serial = /etc/puppet/ssl/ca/serial
    cacert = /etc/puppet/ssl/ca/ca_crt.pem
    cacrl = /etc/puppet/ssl/ca/ca_crl.pem
    signeddir = /etc/puppet/ssl/ca/signed
    autosign = /etc/puppet/autosign.conf
    cert_inventory = /etc/puppet/ssl/ca/inventory.txt
    ca_name = au-mel-master-1.int.example.com
    cakey = /etc/puppet/ssl/ca/ca_key.pem
    caprivatedir = /etc/puppet/ssl/ca/private
    capass = /etc/puppet/ssl/ca/private/ca.pass
    cadir = /etc/puppet/ssl/ca
    capub = /etc/puppet/ssl/ca/ca_pub.pem
    dblocation = /var/lib/puppet/state/clientconfigs.sqlite3
    dbadapter =
    dbpassword =
    railslog = /var/lib/puppet/log/rails.log
    dbmigrate = true
    dbport =
    templatedir = /var/lib/puppet/templates

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
