I guess it's the tweaks for 2.6 that I must be missing... Here is my process:

On puppetmaster1:

sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
sudo puppet cert --generate --certdnsnames puppet.uis.example.com:puppet.example.com:puppet puppet-prod.uis.example.com
sudo puppet cert --generate --certdnsnames puppet-test.uis.example.com:puppet-test.example.com:puppet-test pirates.uis.example.com

Note: these last two commands seem to work, even though they also print an error. The first command, for example, prints this:

notice: Signed certificate request for ca
notice: Rebuilding inventory file
notice: puppet-prod.uis.example.com has a waiting certificate request
notice: Signed certificate request for puppet-prod.uis.example.com
notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/ca/requests/puppet-prod.uis.example.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/certificate_requests/puppet-prod.uis.example.com.pem'
err: Could not call generate: Could not find certificate request for puppet-prod.uis.example.com

Why is that? Anyway, continuing, I edit puppet.conf to add:

[master]
certname=puppet-prod.uis.example.com
ca=true

Now starting puppet master seems to work fine, no errors.

Now, on puppetmaster2:

sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl

Copy these three files from puppetmaster1 to puppetmaster2:

/var/lib/puppet/ssl/private_keys/pirates.uis.example.com.pem
/var/lib/puppet/ssl/ca/signed/pirates.uis.example.com.pem
/var/lib/puppet/ssl/ca/ca_crt.pem

I put the certs in /var/lib/puppet/ssl/certs and the key in /var/lib/puppet/ssl/private_keys

Edit puppet.conf to have:

[master]
certname=pirates.uis.example.com
ca=false
ca_server=puppet-prod.uis.example.com

Now starting the puppet master fails with error:

Could not run: Could not retrieve certificate for pirates.uis.example.com and not running on a valid certificate authority

What am I doing wrong?

Thanks,
Mohamed.
On Sat, Mar 5, 2011 at 5:25 PM, Matthew Black <mjbl...@gmail.com> wrote:
> That process still works, but you need to have a CA puppet master, a non-CA
> puppet master, and one client for that to work. The client needs to be told
> where the CA server is, though, which in that link tells you how to update the
> puppet.conf.
>
> I use this process and it works great, there was some tweaking needed for
> it to work for 2.6
>
> On Sat, Mar 5, 2011 at 4:53 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
>>
>> I just ran into the same issue... I was trying to follow this
>> procedure: http://bodepd.com/wordpress/?p=7
>>
>> My goal is to be able to run my nodes against either of two
>> puppetmasters....
>>
>> My first master starts fine, but the second dies with this same error:
>>
>> Could not run: Could not retrieve certificate for <puppetmaster-fqdn>
>> and not running on a valid certificate authority
>>
>> Is the procedure outdated? Is it supposed to work with puppet 2.6?
>>
>> Thanks,
>> Mohamed.
>>
>> On Thu, Aug 19, 2010 at 2:38 PM, Yushu Yao <yao.yu...@gmail.com> wrote:
>> > Hi Experts,
>> >
>> > I'm trying to generate my own certificates (all of them, including certs
>> > for CA, server and client) for puppet to use.
>> >
>> > and I'm getting "Could not run: Could not retrieve certificate for
>> > puppetsrv and not running on a valid certificate authority"
>> >
>> > Just wondering what the problem could be?
>> >
>> > What I did is:
>> >
>> > 1. generate a self signed CA cert, and save the files to ca.crt, ca.prk,
>> > ca.puk, ca.pass.
>> > 2. generate a keypair, request, then sign with the above CA and save the
>> > files ssldir/public_keys/puppetsrv.pem, ssldir/private_keys/puppetsrv.pem,
>> > ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
>> > (All certs work fine with openssl verify)
>> > 3. Puppet configuration file:
>> > ca = false
>> > cakey=$ssldir/ca.prk
>> > passfile=$ssldir/ca.pass
>> > cacert=$ssldir/ca.crt
>> > capub=$ssldir/ca.puk
>> > 4. run puppet master:
>> > /usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname puppetsrv
>> >
>> > Full log (added some breakpoints and printed some tracebacks):
>> > debug: Failed to load library 'selinux' for feature 'selinux'
>> > debug: Failed to load library 'ldap' for feature 'ldap'
>> > debug: /File[/opt/cloudcrv/varpuppet/lib]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/confpuppet/puppet.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/run/puppetmasterd.pid]: Autorequiring File[/opt/cloudcrv/varpuppet/run]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/certs]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
>> > debug: /File[/opt/cloudcrv/varpuppet/rrd]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/bucket]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/log]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/facts]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/log/masterhttp.log]: Autorequiring File[/opt/cloudcrv/varpuppet/log]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/state]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/confpuppet/fileserver.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certificate_requests]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
>> > debug: /File[/opt/cloudcrv/confpuppet/auth.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
>> > debug: /File[/opt/cloudcrv/confpuppet/manifests]: Autorequiring File[/opt/cloudcrv/confpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/public_keys]
>> > debug: /File[/opt/cloudcrv/varpuppet/yaml]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/reports]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
>> > debug: /File[/opt/cloudcrv/varpuppet/run]: Autorequiring File[/opt/cloudcrv/varpuppet]
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Changing mode
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: 1 change(s)
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]/mode: mode changed '755' to '750'
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Changing ensure
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: 1 change(s)
>> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]/ensure: created
>> > debug: Finishing transaction 70044884792200 with 2 changes
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
>> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/sbin/puppetmasterd:66
>> > Puppet::SSL::Certificate
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
>> > )
>> > (rdb:1) p Certificate.find("puppetsrv")
>> > #<Puppet::SSL::Certificate:0x7f6930ce7d18 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
>> > (rdb:1) p Certificate.find("ca")
>> > nil
>> > (rdb:1) c
>> > info: Creating a new SSL key for puppetsrv
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:184:in `generate'
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
>> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
>> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/sbin/puppetmasterd:66
>> > Puppet::SSL::Certificate
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
>> > )
>> > (rdb:1) p Certificate.find("ca")
>> > nil
>> > (rdb:1) p Certificate.find("puppetsrv")
>> > #<Puppet::SSL::Certificate:0x7f6930cdcb20 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
>> > (rdb:1) p key
>> > #<Puppet::SSL::Key:0x7f6930ce5810 @password_file="/opt/cloudcrv/varpuppet/ssl/ca.pass", @name="puppetsrv", @content=-----BEGIN RSA PRIVATE KEY-----
>> > MIICXAIBAAKBgQCo7m5/ZO0vz+CjWnLDIkMQZPHh4Cmj4NhaVSSjo0jGzRrVuM1X
>> > UPm87p4mp/WwRbNxm5dY1qheBHk+/gW4xkJm68jDF2WNY+CvMxstBiTHZ3aGW3zk
>> > tNqiwk/ud4U3MDHDapzArgj1KL3/aTnDF0iBADaCcCYkS/kDxxhMjt5z8QIDAQAB
>> > AoGAaiXH0My+LPjWEk7XJb31neuQAXo1MAAscjZl21zScfiXEAwbGu6KvijBv1By
>> > lNx3ML+vjebzzH/LH8XGGqCZP8TupQHao/G+ZjgbnYFjmnujojjD2WwUAa2i4Jd0
>> > T7QkJYus16OOcBUlrvpp89qvjSjv9C6/vKBLYPfzbSxzvkECQQDZ9Ly+zdwe8TYu
>> > OkbLgR8XHDrxzuw2Xw0xxoJ/1msAD6xAAJm9igN8K6J6q3FufFq2c9CWQp9SoGyW
>> > EIuuiFSdAkEAxmsNLmV51u/Fd8AEEALlkItxp6iiuuyXXqBcEDhp6by5cikmKoVv
>> > uYQjfWIK6Q5YUP1fYJDeBUHOGc11oZe6ZQJANtc3rqLJohd7VIJhUc85bW0y/6jb
>> > Eos0HLQgHd5rqeZHpwr/pAtX+SRZi5gbwHsVsBbQAx7cS8QFznR3UQEImQJASd9x
>> > eOSvCCcdDgifepaZgcdo+VL/wzhy4vgxTpiyViO9p5NKcmpbvmZEEFqAVWTR3NV4
>> > vSsyfiKR6WllclRbQQJBALYyByAq9JDCbl0ElYILLvBQwIKjN6/JW4j0W3BjEgF6
>> > Xo6cP0OCW5dzoV6Hrv+wQR1RcwQf2bFxW0bR06qT4Ec=
>> > -----END RSA PRIVATE KEY-----
>> >
>> > (rdb:1) c
>> > CertificateAuthority.ca =
>> > notice: Starting Puppet server version 0.25.4
>> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:101:in `setup_ssl'
>> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
>> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
>> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
>> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
>> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/sbin/puppetmasterd:66
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
>> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:102:in `setup_ssl'
>> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
>> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
>> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
>> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
>> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
>> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
>> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>> > /usr/sbin/puppetmasterd:66
>> > Puppet::SSL::Certificate
>> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
>> > )
>> > (rdb:1) c
>> > Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> > To post to this group, send email to puppet-users@googlegroups.com.
>> > To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
>> > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
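Added example, not from any of the posts above and not Puppet's own code: a small Ruby script, using the same OpenSSL classes that Puppet::SSL::Certificate and Puppet::SSL::Key wrap, that builds a throwaway CA plus a CA-signed host cert with DNS subjectAltNames (what --certdnsnames produces), lays the files out the way a non-CA master's $ssldir is expected to look, and then checks that layout: the three files exist, the cert CN matches the certname, the private key belongs to the cert, and the cert chains to the CA bundle. The debugger session in Yushu's post shows Certificate.find("ca") returning nil while Certificate.find("puppetsrv") succeeds, and a missing certs/ca.pem is the first thing this check reports. Assumptions: the certname, DNS names and the "Puppet CA: ..." subject are taken from the thread or made up for the fixture; the file locations (private_keys/<certname>.pem, certs/<certname>.pem, and the CA bundle under certs/ca.pem rather than the CA-side ca/ca_crt.pem name) are the Puppet defaults as I know them, so confirm them on your install with `puppet master --configprint hostcert`, `--configprint hostprivkey` and `--configprint localcacert` before relying on the check.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Where a non-CA master reads its own material from under $ssldir.
# Assumed Puppet defaults (hostprivkey, hostcert, localcacert); the CA's own
# copy of its cert lives at ca/ca_crt.pem, which a non-CA master never reads.
def expected_paths(ssldir, certname)
  {
    key:  File.join(ssldir, 'private_keys', "#{certname}.pem"),
    cert: File.join(ssldir, 'certs', "#{certname}.pem"),
    ca:   File.join(ssldir, 'certs', 'ca.pem'),
  }
end

# Returns an array of problem strings; an empty array means the layout is usable.
def check_ssldir(ssldir, certname)
  paths = expected_paths(ssldir, certname)
  problems = paths.reject { |_, p| File.file?(p) }.map { |k, p| "missing #{k}: #{p}" }
  return problems unless problems.empty?

  key  = OpenSSL::PKey::RSA.new(File.read(paths[:key]))
  cert = OpenSSL::X509::Certificate.new(File.read(paths[:cert]))
  ca   = OpenSSL::X509::Certificate.new(File.read(paths[:ca]))

  cn_entry = cert.subject.to_a.assoc('CN')
  cn = cn_entry && cn_entry[1]
  problems << "certificate CN #{cn.inspect} does not match certname #{certname}" unless cn == certname
  problems << 'private key does not belong to the certificate' unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  problems << 'certificate does not chain to certs/ca.pem' unless store.verify(cert)
  problems
end

# DNS subjectAltNames on a cert, for inspecting what --certdnsnames put there.
def dns_names(cert_path)
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).select { |v| v.start_with?('DNS:') }.map { |v| v[4..-1] }
end

# Minimal X.509 issuer, used only to build the constructed fixture below.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false, dns: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', dns.map { |d| "DNS:#{d}" }.join(','))) unless dns.empty?
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed fixture: a CA master's ssldir, and the three files copied from it
# to a second master under the names a non-CA master reads. Returns [ca_dir, peer_dir].
def build_fixture(root, certname, dns)
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca_cert   = make_cert('Puppet CA: puppet-prod.uis.example.com', ca_key, 1, ca: true) # made-up CA subject
  host_key  = OpenSSL::PKey::RSA.new(2048)
  host_cert = make_cert(certname, host_key, 2, issuer: ca_cert, issuer_key: ca_key, dns: dns)

  ca_dir = File.join(root, 'puppetmaster1', 'ssl')
  %w[ca/signed private_keys].each { |d| FileUtils.mkdir_p(File.join(ca_dir, d)) }
  File.write(File.join(ca_dir, 'ca', 'ca_crt.pem'), ca_cert.to_pem)
  File.write(File.join(ca_dir, 'ca', 'signed', "#{certname}.pem"), host_cert.to_pem)
  File.write(File.join(ca_dir, 'private_keys', "#{certname}.pem"), host_key.to_pem)

  peer_dir = File.join(root, 'puppetmaster2', 'ssl')
  dest = expected_paths(peer_dir, certname)
  dest.each_value { |p| FileUtils.mkdir_p(File.dirname(p)) }
  FileUtils.cp(File.join(ca_dir, 'private_keys', "#{certname}.pem"), dest[:key])
  FileUtils.cp(File.join(ca_dir, 'ca', 'signed', "#{certname}.pem"), dest[:cert])
  FileUtils.cp(File.join(ca_dir, 'ca', 'ca_crt.pem'), dest[:ca]) # lands as certs/ca.pem, not certs/ca_crt.pem
  [ca_dir, peer_dir]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    name = 'pirates.uis.example.com'
    _, peer = build_fixture(root, name, %w[puppet-test.uis.example.com puppet-test.example.com puppet-test])
    puts "problems: #{check_ssldir(peer, name).inspect}"
    puts "SANs: #{dns_names(File.join(peer, 'certs', "#{name}.pem")).inspect}"
  end
end
```

To use it against a real second master, skip build_fixture and call check_ssldir('/var/lib/puppet/ssl', 'pirates.uis.example.com') as the user the master runs as; a "missing ca" line means the copied CA cert is not where localcacert points, and a "does not chain" line means certs/ca.pem is not the CA that signed the host cert.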