I had to add this to my puppet conf files for the master section.

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

The one error you see from generating the cert is fine because it's trying to
delete the non-existent CSR, which is because you generated.

On Sat, Mar 5, 2011 at 6:06 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:

> I guess it's the "tweaks for 2.6" that I must be missing...
> Here is my process:
>
> On puppetmaster1:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
> sudo puppet cert --generate --certdnsnames puppet.uis.example.com:puppet.example.com:puppet puppet-prod.uis.example.com
> sudo puppet cert --generate --certdnsnames puppet-test.uis.example.com:puppet-test.example.com:puppet-test pirates.uis.example.com
>
> Note: these last two commands seem to work, even though they also
> print an error:
>
> The first command for example prints this:
> notice: Signed certificate request for ca
> notice: Rebuilding inventory file
> notice: puppet-prod.uis.example.com has a waiting certificate request
> notice: Signed certificate request for puppet-prod.uis.example.com
> notice: Removing file Puppet::SSL::CertificateRequest
> puppet-prod.uis.example.com at
> '/var/lib/puppet/ssl/ca/requests/puppet-prod.uis.example.com.pem'
> notice: Removing file Puppet::SSL::CertificateRequest
> puppet-prod.uis.example.com at
> '/var/lib/puppet/ssl/certificate_requests/puppet-prod.uis.example.com.pem'
> err: Could not call generate: Could not find certificate request for
> puppet-prod.uis.example.com
>
> Why is that?
>
> anyways, continuing, I edit puppet.conf to add:
>
> [master]
>    certname=puppet-prod.uis.example.com
>    ca=true
>
> Now starting puppet master seems to work fine, no errors.
>
> Now, on puppetmaster2:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
>
> copy these three files from puppetmaster1 to puppetmaster2
>
> /var/lib/puppet/ssl/private_keys/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/signed/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/ca_crt.pem
>
> I put the certs in /var/lib/puppet/ssl/certs and the key in
> /var/lib/puppet/ssl/private_keys
>
> Edit puppet.conf to have:
> [master]
>    certname=pirates.uis.example.com
>    ca=false
>    ca_server=puppet-prod.uis.example.com
>
>
> Now starting the puppet master fails with error:
>
> Could not run: Could not retrieve certificate for
> pirates.uis.example.com and not running on a valid certificate
> authority
>
> What am I doing wrong?
>
> Thanks,
> Mohamed.
>
>
>
> On Sat, Mar 5, 2011 at 5:25 PM, Matthew Black <mjbl...@gmail.com> wrote:
> > That process still works, but you need to have a CA puppet master, a
> > non-CA puppet master, and one client for that to work. The client needs
> > to be told where the CA server is though, which in that link tells you
> > how to update the puppet.conf.
> > I use this process and it works great, there was some tweaking needed
> > for it to work for 2.6
> >
> >
> >
> >
> > On Sat, Mar 5, 2011 at 4:53 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
> >>
> >> I just ran into the same issue... I was trying to follow this
> >> procedure: http://bodepd.com/wordpress/?p=7
> >>
> >> My goal is to be able to run my nodes against either of two
> >> puppetmasters....
> >>
> >> My first master starts fine, but the second dies with this same error:
> >>
> >> Could not run: Could not retrieve certificate for <puppetmaster-fqdn>
> >> and not running on a valid certificate authority
> >>
> >> Is the procedure outdated? Is it supposed to work with puppet 2.6?
> >>
> >> Thanks,
> >> Mohamed.
> >>
> >> On Thu, Aug 19, 2010 at 2:38 PM, Yushu Yao <yao.yu...@gmail.com> wrote:
> >> > Hi Experts,
> >> >
> >> > I'm trying to generate my own certificates (all of them, including
> >> > certs for CA, server and client) for puppet to use.
> >> >
> >> > and I'm getting "Could not run: Could not retrieve certificate for
> >> > puppetsrv and not running on a valid certificate authority"
> >> >
> >> > Just wondering what the problem could be?
> >> >
> >> > What I did is:
> >> >
> >> > 1. generate a self signed CA cert, and save the files to ca.crt,
> >> > ca.prk, ca.puk, ca.pass.
> >> > 2. generate a keypair, request, then sign with the above CA and save
> >> > the files ssldir/public_keys/puppetsrv.pem,
> >> > ssldir/private_keys/puppetsrv.pem,
> >> > ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
> >> > (All certs work fine with openssl verify)
> >> > 3. Puppet configuration file:
> >> >     ca = false
> >> >     cakey=$ssldir/ca.prk
> >> >     passfile=$ssldir/ca.pass
> >> >     cacert=$ssldir/ca.crt
> >> >     capub=$ssldir/ca.puk
> >> > 4. run puppet master:
> >> > /usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname
> >> > puppetsrv
> >> >
> >> > Full log (added some breakpoints and printed some tracebacks):
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) p Certificate.find("puppetsrv")
> >> > #<Puppet::SSL::Certificate:0x7f6930ce7d18 @name="puppetsrv",
> >> > @content=#<OpenSSL::X509::Certificate
> >> > subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National
> >> > Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence
> >> > Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19
> >> > 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
> >> > (rdb:1) p Certificate.find("ca")
> >> > nil
> >> > (rdb:1) c
> >> > info: Creating a new SSL key for puppetsrv
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:184:in `generate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) p Certificate.find("ca")
> >> > nil
> >> > (rdb:1) p Certificate.find("puppetsrv")
> >> > #<Puppet::SSL::Certificate:0x7f6930cdcb20 @name="puppetsrv",
> >> > @content=#<OpenSSL::X509::Certificate
> >> > subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National
> >> > Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence
> >> > Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19
> >> > 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
> >> > (rdb:1) p key
> >> > #<Puppet::SSL::Key:0x7f6930ce5810
> >> > @password_file="/opt/cloudcrv/varpuppet/ssl/ca.pass", @name="puppetsrv",
> >> > @content=-----BEGIN RSA PRIVATE KEY-----
> >> > [private key material removed]
> >> > -----END RSA PRIVATE KEY----->>
> >> > (rdb:1) c
> >> > CertificateAuthority.ca =
> >> > notice: Starting Puppet server version 0.25.4
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:101:in `setup_ssl'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
> >> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:102:in `setup_ssl'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
> >> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) c
> >> > Could not run: Could not retrieve certificate for puppetsrv and not
> >> > running on a valid certificate authority
> >> >
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "Puppet Users" group.
> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> > To unsubscribe from this group, send email to
> >> > puppet-users+unsubscr...@googlegroups.com.
> >> > For more options, visit this group at
> >> > http://groups.google.com/group/puppet-users?hl=en.
> >> >
> >>
>
>
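A consistency check for the CA / non-CA master split discussed in this thread, added here as an example (it is not code from the thread or from Puppet). It assumes Puppet's default credential locations (hostcert and localcacert under certs/, hostprivkey under private_keys/, and cacert/cakey under ca/ for the CA master); the puppet.conf text and the directory layout in demo() are constructed to mirror the puppetmaster2 steps above, with the CA cert copied under its source name ca_crt.pem.

```python
import configparser
import os
import tempfile

def expected_ssl_files(ssldir, certname, is_ca):
    """Files a master needs under ssldir, per Puppet's default settings."""
    files = {  # hostcert, hostprivkey, localcacert
        "hostcert": os.path.join(ssldir, "certs", certname + ".pem"),
        "hostprivkey": os.path.join(ssldir, "private_keys", certname + ".pem"),
        "localcacert": os.path.join(ssldir, "certs", "ca.pem"),
    }
    if is_ca:  # only the CA master also needs cacert and cakey
        files["cacert"] = os.path.join(ssldir, "ca", "ca_crt.pem")
        files["cakey"] = os.path.join(ssldir, "ca", "ca_key.pem")
    return files

def check_master(conf_text, ssldir):
    """Parse puppet.conf text; return sorted problems (empty = consistent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # puppet.conf indents options; strip so configparser does not treat them as continuations
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    def setting(name, default=None):  # [master] overrides [main]
        sect = next((s for s in ("master", "main") if cp.has_option(s, name)), None)
        return cp.get(sect, name) if sect else default
    certname = setting("certname")
    if not certname:
        return ["certname not set"]
    is_ca = setting("ca", "true").strip().lower() == "true"
    problems = [] if is_ca or setting("ca_server") else ["ca=false but ca_server not set"]
    for role, path in expected_ssl_files(ssldir, certname, is_ca).items():
        if not os.path.isfile(path):
            problems.append(f"{role} missing: {path}")
    return sorted(problems)

def demo():
    """Constructed replay of puppetmaster2 from the thread: host cert and key in
    place, CA cert copied under its source name ca_crt.pem. Returns (before, after)."""
    certname = "pirates.uis.example.com"
    conf = f"[master]\n   certname={certname}\n   ca=false\n   ca_server=puppet-prod.uis.example.com\n"
    with tempfile.TemporaryDirectory() as ssldir:
        for rel in (f"certs/{certname}.pem", f"private_keys/{certname}.pem", "certs/ca_crt.pem"):
            os.makedirs(os.path.join(ssldir, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(ssldir, rel), "w") as f:
                f.write("(constructed placeholder, not a real PEM)\n")
        before = check_master(conf, ssldir)
        # localcacert defaults to certs/ca.pem, so give the copied CA cert that name
        os.rename(os.path.join(ssldir, "certs", "ca_crt.pem"), os.path.join(ssldir, "certs", "ca.pem"))
        after = check_master(conf, ssldir)
    return before, after
```

demo() returns one "localcacert missing" entry before the rename and an empty list after it, which is the difference between a master that cannot find its CA cert and one whose layout matches its puppet.conf.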
