I had to add this to my puppet conf files for the master section.

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
The one error you see from generating the cert is fine because it's trying to delete the non-existent CSR, which is because you generated.

On Sat, Mar 5, 2011 at 6:06 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
> I guess it's the tweaks for 2.6 that I must be missing...
> Here is my process:
>
> On puppetmaster1:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
> sudo puppet cert --generate --certdnsnames puppet.uis.example.com:puppet.example.com:puppet puppet-prod.uis.example.com
> sudo puppet cert --generate --certdnsnames puppet-test.uis.example.com:puppet-test.example.com:puppet-test pirates.uis.example.com
>
> Note: these last two commands seem to work, even though they also
> print an error:
>
> The first command for example prints this:
> notice: Signed certificate request for ca
> notice: Rebuilding inventory file
> notice: puppet-prod.uis.example.com has a waiting certificate request
> notice: Signed certificate request for puppet-prod.uis.example.com
> notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/ca/requests/puppet-prod.uis.example.com.pem'
> notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/certificate_requests/puppet-prod.uis.example.com.pem'
> err: Could not call generate: Could not find certificate request for puppet-prod.uis.example.com
>
> Why is that?
>
> anyways, continuing, I edit puppet.conf to add:
>
> [master]
> certname=puppet-prod.uis.example.com
> ca=true
>
> Now starting puppet master seems to work fine, no errors.
>
> Now, on puppetmaster2:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
>
> copy these three files from puppetmaster1, to puppetmaster2
>
> /var/lib/puppet/ssl/private_keys/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/signed/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/ca_crt.pem
>
> I put the certs in /var/lib/puppet/ssl/certs and the key in
> /var/lib/puppet/ssl/private_keys
>
> Edit puppet.conf to have:
> [master]
> certname=pirates.uis.example.com
> ca=false
> ca_server=puppet-prod.uis.example.com
>
> Now starting the puppet master fails with error:
>
> Could not run: Could not retrieve certificate for pirates.uis.example.com and not running on a valid certificate authority
>
> What am I doing wrong?
>
> Thanks,
> Mohamed.
>
> On Sat, Mar 5, 2011 at 5:25 PM, Matthew Black <mjbl...@gmail.com> wrote:
> > That process still works, but you need to have a CA puppet master, a non-CA
> > puppet master, and one client for that to work. The client needs to be told
> > where the CA server is though, which in that link tells you how to update the
> > puppet.conf.
> > I use this process and it works great; there was some tweaking needed for
> > it to work for 2.6.
> >
> > On Sat, Mar 5, 2011 at 4:53 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
> >> I just ran into the same issue... I was trying to follow this
> >> procedure: http://bodepd.com/wordpress/?p=7
> >>
> >> My goal is to be able to run my nodes against either of two
> >> puppetmasters....
> >>
> >> My first master starts fine, but the second dies with this same error:
> >>
> >> Could not run: Could not retrieve certificate for <puppetmaster-fqdn>
> >> and not running on a valid certificate authority
> >>
> >> Is the procedure outdated? Is it supposed to work with puppet 2.6?
> >>
> >> Thanks,
> >> Mohamed.
> >>
> >> On Thu, Aug 19, 2010 at 2:38 PM, Yushu Yao <yao.yu...@gmail.com> wrote:
> >> > Hi Experts,
> >> >
> >> > I'm trying to generate my own certificates (all of them, including certs
> >> > for CA, server and client) for puppet to use.
> >> >
> >> > and I'm getting "Could not run: Could not retrieve certificate for
> >> > puppetsrv and not running on a valid certificate authority"
> >> >
> >> > Just wondering what the problem could be?
> >> >
> >> > What I did is:
> >> >
> >> > 1. generate a self signed CA cert, and save the files to ca.crt, ca.prk,
> >> > ca.puk, ca.pass.
> >> > 2. generate a keypair, request, then sign with the above CA and save the
> >> > files ssldir/public_keys/puppetsrv.pem, ssldir/private_keys/puppetsrv.pem,
> >> > ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
> >> > (All certs work fine with openssl verify)
> >> > 3. Puppet configuration file:
> >> > ca = false
> >> > cakey=$ssldir/ca.prk
> >> > passfile=$ssldir/ca.pass
> >> > cacert=$ssldir/ca.crt
> >> > capub=$ssldir/ca.puk
> >> > 4. run puppet master:
> >> > /usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname puppetsrv
> >> >
> >> > Full log (added some breakpoints and printed some tracebacks):
> >> > debug: Failed to load library 'selinux' for feature 'selinux'
> >> > debug: Failed to load library 'ldap' for feature 'ldap'
> >> > debug: /File[/opt/cloudcrv/varpuppet/lib]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/confpuppet/puppet.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/run/puppetmasterd.pid]: Autorequiring File[/opt/cloudcrv/varpuppet/run]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/certs]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> >> > debug: /File[/opt/cloudcrv/varpuppet/rrd]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/bucket]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/log]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/facts]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/log/masterhttp.log]: Autorequiring File[/opt/cloudcrv/varpuppet/log]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/state]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/confpuppet/fileserver.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certificate_requests]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> >> > debug: /File[/opt/cloudcrv/confpuppet/auth.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> >> > debug: /File[/opt/cloudcrv/confpuppet/manifests]: Autorequiring File[/opt/cloudcrv/confpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/public_keys]
> >> > debug: /File[/opt/cloudcrv/varpuppet/yaml]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/reports]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> >> > debug: /File[/opt/cloudcrv/varpuppet/run]: Autorequiring File[/opt/cloudcrv/varpuppet]
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Changing mode
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: 1 change(s)
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]/mode: mode changed '755' to '750'
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Changing ensure
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: 1 change(s)
> >> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]/ensure: created
> >> > debug: Finishing transaction 70044884792200 with 2 changes
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) p Certificate.find("puppetsrv")
> >> > #<Puppet::SSL::Certificate:0x7f6930ce7d18 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
> >> > (rdb:1) p Certificate.find("ca")
> >> > nil
> >> > (rdb:1) c
> >> > info: Creating a new SSL key for puppetsrv
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:184:in `generate'
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
> >> > /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) p Certificate.find("ca")
> >> > nil
> >> > (rdb:1) p Certificate.find("puppetsrv")
> >> > #<Puppet::SSL::Certificate:0x7f6930cdcb20 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
> >> > (rdb:1) p key
> >> > #<Puppet::SSL::Key:0x7f6930ce5810 @password_file="/opt/cloudcrv/varpuppet/ssl/ca.pass", @name="puppetsrv", @content=-----BEGIN RSA PRIVATE KEY-----
> >> > MIICXAIBAAKBgQCo7m5/ZO0vz+CjWnLDIkMQZPHh4Cmj4NhaVSSjo0jGzRrVuM1X
> >> > UPm87p4mp/WwRbNxm5dY1qheBHk+/gW4xkJm68jDF2WNY+CvMxstBiTHZ3aGW3zk
> >> > tNqiwk/ud4U3MDHDapzArgj1KL3/aTnDF0iBADaCcCYkS/kDxxhMjt5z8QIDAQAB
> >> > AoGAaiXH0My+LPjWEk7XJb31neuQAXo1MAAscjZl21zScfiXEAwbGu6KvijBv1By
> >> > lNx3ML+vjebzzH/LH8XGGqCZP8TupQHao/G+ZjgbnYFjmnujojjD2WwUAa2i4Jd0
> >> > T7QkJYus16OOcBUlrvpp89qvjSjv9C6/vKBLYPfzbSxzvkECQQDZ9Ly+zdwe8TYu
> >> > OkbLgR8XHDrxzuw2Xw0xxoJ/1msAD6xAAJm9igN8K6J6q3FufFq2c9CWQp9SoGyW
> >> > EIuuiFSdAkEAxmsNLmV51u/Fd8AEEALlkItxp6iiuuyXXqBcEDhp6by5cikmKoVv
> >> > uYQjfWIK6Q5YUP1fYJDeBUHOGc11oZe6ZQJANtc3rqLJohd7VIJhUc85bW0y/6jb
> >> > Eos0HLQgHd5rqeZHpwr/pAtX+SRZi5gbwHsVsBbQAx7cS8QFznR3UQEImQJASd9x
> >> > eOSvCCcdDgifepaZgcdo+VL/wzhy4vgxTpiyViO9p5NKcmpbvmZEEFqAVWTR3NV4
> >> > vSsyfiKR6WllclRbQQJBALYyByAq9JDCbl0ElYILLvBQwIKjN6/JW4j0W3BjEgF6
> >> > Xo6cP0OCW5dzoV6Hrv+wQR1RcwQf2bFxW0bR06qT4Ec=
> >> > -----END RSA PRIVATE KEY-----
> >> > >
> >> > (rdb:1) c
> >> > CertificateAuthority.ca =
> >> > notice: Starting Puppet server version 0.25.4
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:101:in `setup_ssl'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
> >> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:102:in `setup_ssl'
> >> > /usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
> >> > /usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
> >> > /usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
> >> > /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> >> > /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
> >> > /usr/sbin/puppetmasterd:66
> >> > Puppet::SSL::Certificate
> >> > /usr/lib/ruby/1.8/puppet/ssl/host.rb:173
> >> > )
> >> > (rdb:1) c
> >> > Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
> >> >
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> > To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
> >> > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
> >> >
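The failures in this thread come down to the non-CA master not finding, under the names Puppet derives from certname, the files that were copied over (the CA certificate copied as ca_crt.pem, the certificate left under ca/signed/, Certificate.find("ca") returning nil). The script below is an added example, not code from the thread or from Puppet itself; it checks an ssldir the way a practitioner would before starting the second master. It assumes Puppet's default locations (certs/<certname>.pem for hostcert, private_keys/<certname>.pem for hostprivkey, certs/ca.pem for localcacert) and the openssl command-line tool; the throwaway CA and leaf certificate it builds for its demo run are constructed here and are not anyone's real PKI.

```shell
#!/bin/sh
# Added example; not code from the thread or from Puppet itself.
# Checks the ssldir of a non-CA puppet master before the daemon is started.
# Assumed (Puppet default) locations, all derived from certname:
#   $ssldir/certs/<certname>.pem          the master's certificate (hostcert)
#   $ssldir/private_keys/<certname>.pem   its private key (hostprivkey)
#   $ssldir/certs/ca.pem                  the CA certificate (localcacert)
# Needs the openssl command-line tool. Returns 0 when everything lines up,
# 1 otherwise, printing one line per finding on stderr.

check_puppet_ssl_layout() {
    ssldir=$1
    certname=$2
    cert="$ssldir/certs/$certname.pem"
    key="$ssldir/private_keys/$certname.pem"
    cacert="$ssldir/certs/ca.pem"
    rc=0

    # 1. The three files must exist under exactly these names; a CA cert copied
    #    as ca_crt.pem or a cert left in ca/signed/ is not found by the master.
    for f in "$cert" "$key" "$cacert"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The key must belong to the certificate: the public key embedded in the
    #    cert and the one derived from the private key must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 3. The certificate must chain to the CA the agents were enrolled against.
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "UNTRUSTED: $cert does not verify against $cacert" >&2
        rc=1
    fi

    # 4. The subject CN must equal certname: Puppet looks the files up by
    #    certname, and agents compare the CN with the server name they use.
    cn=$(openssl x509 -in "$cert" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if [ "$cn" != "$certname" ]; then
        echo "CN MISMATCH: certificate CN is '$cn', certname is '$certname'" >&2
        rc=1
    fi

    # 5. A world-readable private key is a finding on its own (the 8th column
    #    of ls -l is the 'other' read bit).
    case $(ls -ld "$key") in
        ???????r*) echo "PERMS: $key is world-readable" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed throwaway PKI (one self-signed CA, one leaf signed by it) laid
# out the way Puppet expects, so the check can be exercised offline.
make_demo_pki() {
    dir=$1
    name=$2
    mkdir -p "$dir/certs" "$dir/private_keys"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA" \
        -keyout "$dir/ca.key" -out "$dir/certs/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/private_keys/$name.pem" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/certs/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/certs/$name.pem" >/dev/null 2>&1
    chmod 600 "$dir/private_keys/$name.pem"
}

# Run as `sh check_ssl_layout.sh /var/lib/puppet/ssl puppetmaster2.example.com`
# to check a real ssldir; with no arguments it checks a demo PKI in a temp dir.
if [ $# -eq 2 ]; then
    check_puppet_ssl_layout "$1" "$2"
elif [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_demo_pki "$demo" puppetmaster2.example.com
    check_puppet_ssl_layout "$demo" puppetmaster2.example.com && echo "layout OK: $demo"
fi
```

Each finding is reported rather than stopping at the first, because the copy-by-hand procedure in the thread tends to produce several at once (wrong CA file name plus a certificate and key that were never paired). Run it on the second master with the ssldir and certname from puppet.conf before starting the daemon; a clean run means the "Could not retrieve certificate ... and not running on a valid certificate authority" error is not going to come from the file layout.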