I'm running a two-headed puppetmaster and have disabled CRLs. Let's call them the primary and the secondary. Both the primary and the secondary use the primary as their master. The secondary is only used when the primary isn't responding (I wrap the puppetd call in cron with a short shell script).
I'm managing these CA files on the masters, pushing them with puppet itself...

    $ grep file\ { certs.pp
    file { "/var/lib/puppet/ssl/ca/ca_crt.pem":
    file { "/var/lib/puppet/ssl/ca/ca_key.pem":
    file { "/var/lib/puppet/ssl/ca/private/ca.pass":
    file { "/var/lib/puppet/ssl/certs/ca.pem":
    file { "/var/lib/puppet/ssl/ca/ca_crl.pem":

(The last one ensures absent; we don't need CRLs in our environment.)

Then, in order to generate the SSL certs for the web service, I generate this:

    # If this isn't working, try puppet cert clean $::fqdn first
    exec { "/usr/bin/puppet cert --generate --certdnsnames $aliases $::fqdn":
      creates => [
        "/var/lib/puppet/ssl/certs/${::fqdn}.pem",
        "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
        "/var/lib/puppet/ssl/public_keys/${::fqdn}.pem",
        "/var/lib/puppet/ssl/ca/signed/${::fqdn}.pem",
      ],
      user   => root,
      notify => Service['httpd'],
    }

I create these manually so I can pass --certdnsnames $aliases for the puppetmaster DNS CNAME. This seems to work fine for the primary. But when the secondary tries to run against the primary, it fails with:

    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://<primary>/plugins: certificate verify failed

I would think that the certs would be good, because I generate them with the exact same CA as the primary. If I remove the certs and go through a normal signing process, it works. It is only when I use puppet cert --generate on the secondary that the certs fail.

I'm almost considering running puppet cert --generate with --ssldir pointed someplace else, to generate certs with CNAMEs ONLY for the web server (apache), and then having another set of certs in the normal place generated for client/master signing. But it is bothering me that I don't understand what is going on. How does signing work?
My impression is that the client connects to the SSL port on the master and verifies that the SSL keys are good (validates against /var/lib/puppet/ssl/certs/ca.pem for authenticity, and verifies that it has the right hostname signed (or aliased)). What happens next? Does the client also present a cert signed by the CA to prove it is allowed to perform queries? What's the cleanest way around this?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
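The two checks the post is asking about, as an added illustration (this is not part of the original message and not Puppet's own code): Puppet's transport is mutual TLS. The agent verifies the master's certificate against its ssl/certs/ca.pem and requires the name it connected to (the master's fqdn, or an alias added with --certdnsnames) to appear in that certificate; the master, in turn, requires the agent to present a certificate signed by the same CA and takes the agent's identity from that certificate's CN. The Go program below models both directions with the standard library's X.509 verifier. The hostnames primary.example.com, secondary.example.com and puppet.example.com, the CA names and every certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial-number counter for the constructed certificates

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA, standing in for the master's ca_crt.pem / ca_key.pem.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue signs a certificate for fqdn under ca. Extra aliases go into the
// subjectAltName extension, which is what --certdnsnames adds to the master's cert.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, fqdn string, aliases ...string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     append([]string{fqdn}, aliases...),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// check models one agent run against the master and returns nil only if both
// sides accept each other; otherwise the error names the side that refused.
func check(master, agent, ca *x509.Certificate, dialedName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Agent side: the master's cert must chain to ca.pem and carry the dialed name.
	if _, err := master.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		return fmt.Errorf("agent rejected master: %w", err)
	}
	// Master side (Apache SSLVerifyClient): the agent's cert must chain to the same
	// CA. No hostname check here; the CN is what the master takes as the agent's identity.
	if _, err := agent.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("master rejected agent: %w", err)
	}
	return nil
}

// SameCAWithAlias: both certs from one CA, master cert carries the CNAME the agent dials.
func SameCAWithAlias() error {
	ca, key := newCA("Puppet CA: primary.example.com")
	return check(issue(ca, key, "primary.example.com", "puppet.example.com"),
		issue(ca, key, "secondary.example.com"), ca, "puppet.example.com")
}

// AgentFromOtherCA: the agent's cert chains to a different CA, so the master refuses it.
func AgentFromOtherCA() error {
	ca, key := newCA("Puppet CA: primary.example.com")
	otherCA, otherKey := newCA("Puppet CA: some-other-master")
	return check(issue(ca, key, "primary.example.com", "puppet.example.com"),
		issue(otherCA, otherKey, "secondary.example.com"), ca, "puppet.example.com")
}

// MasterMissingAlias: no --certdnsnames entry for the CNAME, so the agent refuses the master.
func MasterMissingAlias() error {
	ca, key := newCA("Puppet CA: primary.example.com")
	return check(issue(ca, key, "primary.example.com"),
		issue(ca, key, "secondary.example.com"), ca, "puppet.example.com")
}

func main() {
	fmt.Println("same CA, alias present:", SameCAWithAlias())
	fmt.Println("agent from other CA:   ", AgentFromOtherCA())
	fmt.Println("master without alias:  ", MasterMissingAlias())
}
```

The same split can be made by hand on the boxes with the OpenSSL CLI: `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem <cert>` run against the master's certificate is the agent's view, and run against the agent's certificate is the master's view. Checking the two directions separately shows which side is refusing before anything about the generation procedure is changed.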