Hey, I've been battling this all day so I hope some people over here have some good ideas. I'm trying to set up a multi-master puppet environment with a single CA.

This is what I've done so far:

* node 1, the CA:
  * install puppetmaster
  * stop it
  * wipe `vardir/ssl`
  * configure certname and dns_alt_names
  * start it up
* node 2, an actual master that will handle requests but no CA:
  * install puppetmaster
  * stop it
  * wipe `vardir/ssl`
  * configure certname, dns_alt_names and ca_server to point to node1, set ca=false in the [master] block and point server to itself
  * do a puppet agent -t
  * sign the CSR on node1
  * get acknowledgement that node2 grabbed its cert from node1

Now I want to actually make the Puppet master on node2 usable. My Puppet masters run in Passenger Standalone with an nginx in front of them proxying the requests on port 8140 to them. The complete SSL configuration in nginx now looks like this:

    ssl on;
    ssl_certificate ssl/puppetmaster/node2.pem;        # this is `vardir/ssl/certs/node2.pem`
    ssl_certificate_key ssl/puppetmaster/node2.key;    # this is `vardir/ssl/private_keys/node2.pem`
    ssl_client_certificate ssl/puppetmaster/ca.pem;    # this is `vardir/ssl/certs/ca.pem`
    ssl_crl ssl/puppetmaster/crl.pem;                  # this was copied from the master at `vardir/ssl/crl.pem`
    ssl_verify_client on;                              # since we do only master, no CA we can require a client certificate

    location / {
        [..] bunch of other proxy_set_header directives [..]
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    }

I started the Puppet master and reloaded the nginx for the configuration to take effect.
First I tried to connect with openssl s_client:

    root@node2 # openssl s_client -connect localhost:8140 -cert /var/lib/puppet/ssl/certs/node2.pem -key /var/lib/puppet/ssl/private_keys/node2.pem
    CONNECTED(00000003)
    depth=1 CN = Puppet CA: node1
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=node2
       i:/CN=Puppet CA: node1
     1 s:/CN=Puppet CA: node1
       i:/CN=Puppet CA: node1
    ---
    [..]
    subject=/CN=node2
    issuer=/CN=Puppet CA: node1
    ---
    Acceptable client certificate CA names
    /CN=Puppet CA: node1
    ---
    SSL handshake has read 5314 bytes and written 2445 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    [..]
        Start Time: 1382622609
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    GET /production/node/node2

    Forbidden request: node2l(10.120.12.73) access to /node/node2 [find] at :115
    closed

This looks fine. It complains about the self-signed certificate in the chain, but other than that verify return = 0, which as far as I'm aware means success. Once the handshake is complete I can actually do a GET for that node, but that seems to fail because of something in auth.conf, which is slightly odd since the authentication succeeded so the ACL shouldn't trip over it, but that's step two (I'm probably forgetting to proxy/set a header).

Now, running `puppet agent -t` however gives me this:

    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=node1]

At this point I'm lost. Ntpd's are running, nodes are within far less than a second in sync of each other. Certificate is valid from yesterday to yesterday in 2018, so I doubt that's an issue either. If it were, the `openssl s_client -connect` should have failed too, but it's obviously perfectly happy with it.

What am I missing here? I fear it's staring me in the face but I'm just not seeing it.

-- 
Daniele Sluijters
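Added example, not from the original post: a small POSIX shell script that checks offline what the agent checks at connect time, namely that node2.pem chains to the ca.pem nginx presents, and that nginx's copied ca.pem is the same certificate as the agent's vardir/ssl/certs/ca.pem. It assumes only the openssl CLI and the file names from the nginx configuration above; the certificates it generates for the demo are a constructed fixture, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the files the
# nginx ssl_* directives point at. Assumes only the openssl CLI is present.
set -e

# verify_chain LEAF CA [CRL]: 0 if LEAF is signed by CA (and not revoked when
# a CRL is given); the check the agent applies to the server certificate.
verify_chain() {
  crl=""
  [ -n "${3:-}" ] && crl="-crl_check -CRLfile $3"   # unquoted below on purpose
  openssl verify -CAfile "$2" $crl "$1" 2>/dev/null | grep -q ': OK$'
}

# same_cert A B: 0 if both files hold the same certificate (SHA-256 fingerprint),
# e.g. nginx's copied ca.pem against the agent's vardir/ssl/certs/ca.pem.
same_cert() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_master NGINX_SSL_DIR AGENT_SSL_DIR: both consistency checks; prints
# "ok" or the failing one and returns non-zero.
check_master() {
  verify_chain "$1/node2.pem" "$1/ca.pem" ||
    { echo "node2.pem does not chain to $1/ca.pem"; return 1; }
  same_cert "$1/ca.pem" "$2/certs/ca.pem" ||
    { echo "$1/ca.pem differs from $2/certs/ca.pem"; return 2; }
  echo ok
}

# make_fixture DIR: constructed toy CA, a leaf for node2, and a second CA with
# the same subject that stands in for a stale or regenerated ca.pem.
make_fixture() {
  mkdir -p "$1/certs"
  for ca in ca stale-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$ca.key" \
      -out "$1/$ca.pem" -subj "/CN=Puppet CA: node1" -days 2 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -keyout "$1/node2.key" \
    -out "$1/node2.csr" -subj "/CN=node2" 2>/dev/null
  openssl x509 -req -in "$1/node2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/node2.pem" -days 1 2>/dev/null
  cp "$1/ca.pem" "$1/certs/ca.pem"   # what the agent trusts
}

if [ "${1:-}" = "--demo" ]; then   # sh check.sh --demo
  d=$(mktemp -d); make_fixture "$d"; check_master "$d" "$d"; rm -rf "$d"
fi
```

Run it with `--demo` to exercise the checks against the constructed fixture; on a real master call `check_master` with nginx's `ssl/puppetmaster` directory and the agent's `/var/lib/puppet/ssl`.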