On Thu, Apr 16, 2015 at 04:23:40PM +0000, Peter Berghold wrote:
> Where I'm having the issue is on my master.
>
> To generate and sign a cert for the master I ran:
>
> puppet cert generate {hostname}.domain.tld --allow-dns-alt-names
> --dns_alt_names={hostname}.domain.tld,{hostname}-eth1.domain.tld,{hostname}.sub.domain.tld,{hostname}-eth1.sub.domain.tld
>
> substituting {hostname} for the real hostname of the host, domain.tld for the
> real domain name, and sub.domain.tld for a sub-domain that a client might use.
>
> What I'm seeing happening is when running the puppet agent against itself
> I get the following errors:
>
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed to submit 'replace facts' command for {hostname}.domain.tld to
> PuppetDB at {hostname}.domain.tld:8081: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed: [unable
> to get local issuer certificate for /CN={hostname}.domain.tld]

This means that the puppetmaster's cert isn't signed by any CA cert known to
the agent, to my recollection.

I haven't specifically had your issue, but in my "bootstrap a new environment"
(from scratch/git) document I have this sentence for the first puppet apply:

"This run will have some errors due to how there is no CA certificate to be
used in the mcollective server configuration for this node given how the CA
doesn't exist yet. So we run it again!"

In the first "puppet apply" the agent and master haven't started yet, so
neither the host cert nor the CA cert is created yet.

I am going somewhere with this; maybe you can take advantage of how the master
will (?) use cert parameters from puppet.conf to kick off the initial signing.

> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
> This after stopping and restarting both the puppetmaster and puppetdb
> services.
>
> I decided to poke a bit further and found if I ran openssl verify on the
> certificate for the puppet master I got
>
> {hostname}.domain.tld.pem: CN = {hostname}.domain.tld
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> however if I do openssl verify specifying a CA cert things look good.
>
> {hostname}.domain.tld.pem OK
>
> So where do I go from here? I'm certain this has been solved before.

I cheated. I submitted a cert request from another host with all my
puppetmaster SANs and then manually copied it into place in all my
puppetmasters (not that many). So pm-ca1 has
/var/lib/puppet/ssl/certs/pmca1.me.com.pem, pm-worker1 has
/var/lib/puppet/ssl/certs/pm-worker1.me.com.pem, etc., which are the same by
md5sum. I was in a hurry; anyway, all hosts are presenting a CA-signed cert.

Now that I know more about the process I might experiment to see if I could do
this more legitimately. What follows is unproven rhubarbing.

----------------------------------------

I would take the following steps (all on the CA puppetmaster, assuming you
have no other nodes built yet) and see how it goes. I could be wrong about any
or all of this.

I have the following assumptions:

  /etc/puppet/puppet.conf is your puppetmaster's config
  you have "ca = true" in your puppetmaster's config
  you have no other nodes built yet

https://docs.puppetlabs.com/references/3.stable/configuration.html

0) halt all puppet-related daemons

1) remove /var/lib/puppet/ssl (nuking your CA and agent's ssl config)

2) add your SANs to puppet.conf under the master section:

   dns_alt_names = {hostname}.domain.tld,{hostname}-eth1.domain.tld,{hostname}.sub.domain.tld,{hostname}-eth1.sub.domain.tld

   (Maybe have to fiddle with this; does it go here or under another section?)

3) start your puppetmaster

   I suspect it will create the CA, then submit the request but not sign it,
   given how 'puppet cert sign' won't sign a SAN cert by default.

4) manually sign the cert:

   puppet cert sign --allow-dns-alt-names yourcert.you.com

5) might have to restart the puppetmaster to get it to pick up its new cert

   If the puppetmaster couldn't auto-sign its own cert the daemon may have
   bombed.

----------------------------------------

End untested rhubarbing! If it doesn't work, remember, you got it on the
internet for free.
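As an added example (not code from anyone in this thread), the following script builds a throwaway CA and a leaf cert carrying a dns_alt_names-style SAN list, then reproduces the two openssl verify results described above (failure with no CA, OK with -CAfile) and lists the SANs; hostnames and file names are constructed placeholders, and it assumes openssl is in PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA and a leaf cert
# carrying a dns_alt_names-style SAN list, then run the two openssl checks the
# poster describes (verify without and with the CA) and confirm the SANs.
# Hostnames and file names are constructed placeholders; assumes openssl in PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CA=ca.pem
LEAF=master.pem
SANS="DNS:master.example.com,DNS:master-eth1.example.com,DNS:master.sub.example.com"

# Throwaway self-signed CA standing in for the puppetmaster's CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out "$CA" \
  -subj "/CN=Puppet CA: example" -days 1 >/dev/null 2>&1
# CSR for the master; the SANs go in through an extfile at signing time so
# older openssl builds (no -addext / -copy_extensions) still work.
openssl req -new -newkey rsa:2048 -nodes -keyout master.key -out master.csr \
  -subj "/CN=master.example.com" >/dev/null 2>&1
printf 'subjectAltName=%s\n' "$SANS" > san.cnf
openssl x509 -req -in master.csr -CA "$CA" -CAkey ca.key -CAcreateserial \
  -extfile san.cnf -out "$LEAF" -days 1 >/dev/null 2>&1

# 0 only if the leaf chains to a CA in openssl's default trust store; a
# Puppet CA never is, so this is the "error 20 ... local issuer" case.
verify_without_ca() { openssl verify "$1" >/dev/null 2>&1; }
# 0 when the leaf chains to the given CA file (the "OK" case).
verify_with_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# 0 when the cert lists the given name as a DNS SAN.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

echo "== openssl verify without -CAfile (fails: no local issuer) =="
openssl verify "$LEAF" 2>&1 || true
echo "== openssl verify -CAfile $CA =="
openssl verify -CAfile "$CA" "$LEAF"
echo "== DNS SANs on $LEAF =="
openssl x509 -in "$LEAF" -noout -text | tr ',' '\n' | grep 'DNS:' | sed 's/^ *//'
```

Run the same three checks against the real /var/lib/puppet/ssl/certs/{hostname}.domain.tld.pem with -CAfile pointing at the CA's ca_crt.pem to see whether the chain or the SAN list is what is missing.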