Hey Johan,

SSL_VERIFY trips up a few people; I need better docs on that.

When you connect to PuppetDB as a client you need to present two things, a 
private key and a public key signed by the Certificate Authority that also 
signed the server certificate of PuppetDB. This in all likeliness is your 
Puppet CA and it looks like you're passing on those certs correctly.

However, since we're connecting over SSL to PuppetDB, PuppetDB itself also 
presents us with a server certificate, again signed by the Puppet CA. This 
is what SSL_VERIFY governs, whether we want to verify that the certificate 
PuppetDB presents us with is signed by a CA we trust.

When SSL_VERIFY is set to True, pypuppetdb/Puppetboard will try to use your 
OS truststore, /etc/ssl/ca-certificates usually, to verify that PuppetDB's 
server certificate is signed by a CA we know. Since in all likelihood you 
haven't added your Puppet CA to this truststore, verification will fail and 
this is why you get the error.

You have two choices now: set SSL_VERIFY to False and trust that you're 
always talking to your actual PuppetDB, or copy $vardir/ssl/ca_crt.pem from 
the Puppet CA to /etc/puppetboard and set SSL_VERIFY to the path of 
ca_crt.pem. In that case the file SSL_VERIFY points to will be used to 
verify PuppetDB's server certificate instead of the OS truststore.

I hope this fixes the issue for you.

-- 
Daniele Sluijters
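
As an added illustration (not pypuppetdb's or Puppetboard's own code), here is what the three PUPPETDB_SSL_VERIFY values translate to at the TLS layer, written with Python's ssl module; requests does the equivalent internally when Puppetboard passes the setting on, and the CA path below is a placeholder:

```python
import os
import ssl

# Constructed Puppetboard-style settings for the three SSL_VERIFY cases.
# The CA path is a placeholder, not a file from the original thread.
SETTINGS_NO_VERIFY = {"PUPPETDB_SSL_VERIFY": False}
SETTINGS_OS_STORE = {"PUPPETDB_SSL_VERIFY": True}
SETTINGS_PUPPET_CA = {"PUPPETDB_SSL_VERIFY": "/etc/puppetboard/ca_crt.pem"}


def server_auth_context(settings):
    """Return the client-side SSLContext implied by PUPPETDB_SSL_VERIFY.

    Mirrors how requests (which pypuppetdb uses) treats verify=False,
    verify=True and verify=<path>. Illustration only, not pypuppetdb's code.
    """
    verify = settings.get("PUPPETDB_SSL_VERIFY", True)
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify is False:
        # Accept any server certificate: PuppetDB still authenticates *us*
        # via the client cert and key, but nothing authenticates PuppetDB.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif verify is True:
        # Trust only the OS trust store; the Puppet CA is normally absent
        # from it, which produces "certificate verify failed".
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        # A path: trust only the CA(s) in that file, i.e. the Puppet CA.
        if not os.path.isfile(verify):
            raise FileNotFoundError("CA file not found: %s" % verify)
        ctx.load_verify_locations(cafile=verify)
    return ctx


def verify_policy(settings):
    """Summarise what the setting checks about PuppetDB's certificate."""
    verify = settings.get("PUPPETDB_SSL_VERIFY", True)
    if verify is False:
        return "none"           # encrypted, but the peer is unauthenticated
    if verify is True:
        return "os-truststore"  # fails unless the Puppet CA was added there
    return "ca-file"            # the ca_crt.pem copied from $vardir/ssl


if __name__ == "__main__":
    for label, s in (("False", SETTINGS_NO_VERIFY), ("True", SETTINGS_OS_STORE)):
        ctx = server_auth_context(s)
        print(label, verify_policy(s), ctx.verify_mode, ctx.check_hostname)
```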

On Monday, 10 February 2014 20:16:51 UTC+1, Johan De Wit wrote:
>
>  Daniele, 
>
> It was not the typo. But it seems the ssl_verify=True did the bad thing.
>
> >>> db = connect(host='puppet.koewacht.net', port='8081', ssl_key='/etc/puppetboard/pb_priv.pem', ssl_cert='/etc/puppetboard/pb_pub.pem', api_version=3, ssl_verify=True, timeout=20)
> >>> nodes = db.nodes()
> >>> for node in nodes:
> ...   print(node)
> ... 
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python2.6/site-packages/pypuppetdb/api/v3.py", line 55, in nodes
>     nodes = self._query('nodes', path=name, query=query)
>   File "/usr/lib/python2.6/site-packages/pypuppetdb/api/__init__.py", line 266, in _query
>     timeout=self.timeout)
>   File "/usr/lib/python2.6/site-packages/requests/api.py", line 55, in get
>     return request('get', url, **kwargs)
>   File "/usr/lib/python2.6/site-packages/requests/api.py", line 44, in request
>     return session.request(method=method, url=url, **kwargs)
>   File "/usr/lib/python2.6/site-packages/requests/sessions.py", line 383, in request
>     resp = self.send(prep, **send_kwargs)
>   File "/usr/lib/python2.6/site-packages/requests/sessions.py", line 486, in send
>     r = adapter.send(request, **kwargs)
>   File "/usr/lib/python2.6/site-packages/requests/adapters.py", line 385, in send
>     raise SSLError(e)
> requests.exceptions.SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >>> db = connect(host='puppet.koewacht.net', port='8081', ssl_key='/etc/puppetboard/pb_priv.pem', ssl_cert='/etc/puppetboard/pb_pub.pem', api_version=3, ssl_verify=False, timeout=20)
> >>> nodes = db.nodes()
> >>> for node in nodes:
> ...   print(node)
> ... 
> fc19.koewacht.net
> laptopfc18.koewacht.net
> puppetboard
> puppet.koewacht.net
>
>
> the working config :
>
> PUPPETDB_HOST = 'puppet.koewacht.net'
> PUPPETDB_PORT = 8081
> PUPPETDB_SSL_VERIFY = False
> PUPPETDB_KEY = '/etc/puppetboard/pb_priv.pem'
> PUPPETDB_CERT ='/etc/puppetboard/pb_pub.pem'
> PUPPETDB_TIMEOUT = 20
> DEV_LISTEN_HOST = '127.0.0.1'
> DEV_LISTEN_PORT = 5000
> UNRESPONSIVE_HOURS = 2
> ENABLE_QUERY = True
> LOGLEVEL = 'debug'
>
> Grts
>
> Johan
>
>
> On 02/10/2014 04:01 PM, Johan De Wit wrote:
>  
> Daniele, 
>
> I should create an alias pupept=puppet :)  
>
> I will test this further this evening, but it seems logical that the typo 
> did it (well, broke it).
> On 02/10/2014 03:48 PM, Johan De Wit wrote:
>  
> Hoi Daniele,
>
> /var/www/puppetboard/settings.py
>
> PUPPETDB_HOST = 'puppet.koewacht.net'
> PUPPETDB_PORT = 8080
> #PUPPETDB_SSL_VERIFY = True
> #PUPPETDB_KEY = '/etc/puppetboard/pb_priv.pem'
> #PUPPETDB_CERT ='/etc/pupeptboard/pb_pub.pem'
> PUPPETDB_TIMEOUT = 20
> DEV_LISTEN_HOST = '127.0.0.1'
> DEV_LISTEN_PORT = 5000
> UNRESPONSIVE_HOURS = 2
> ENABLE_QUERY = True
> LOGLEVEL = 'info'
>
>
> ls -l /etc/puppetboard/ssl
>
> [root@centos65 puppetboard]# ls -l /etc/puppetboard/
> total 8
> -rw-r----- 1 apache apache 3247 Feb  8 12:30 pb_priv.pem
> -rw-r----- 1 apache apache 1895 Feb  8 12:31 pb_pub.pem
>
> I assume the python code is executed as apache, as given in the vhost 
> definition:
>
> <VirtualHost *:80>
>     ServerName puppetboard.koewacht.net
>     WSGIDaemonProcess puppetboard user=apache group=apache threads=5
>     WSGIScriptAlias / /var/www/puppetboard/wsgi.py
>     ErrorLog /var/log/httpd/puppetboard.error.log
>     CustomLog /var/log/httpd/puppetboard.access.log combined
>
>     Alias /static /usr/lib/python2.6/site-packages/puppetboard/static
>
>     <Directory /usr/lib/python2.6/site-packages/puppetboard>
>         WSGIProcessGroup puppetboard
>         WSGIApplicationGroup %{GLOBAL}
>         Order deny,allow
>         Allow from all
>     </Directory>
> </VirtualHost>
>
> Thx for puppetboard ..
>
> Johan
>
> On 02/10/2014 02:34 PM, Daniele Sluijters wrote:
>  
> Hey, 
>
>  It should work, Puppetboard is supposed to just pass in the settings to 
> pypuppetdb so unless we really screwed up somewhere that shouldn't be the 
> issue.
>
>  Can you show me your settings.py file?
>
>  -- 
> Daniele Sluijters
>
> On Saturday, 8 February 2014 23:35:43 UTC+1, Johan De Wit wrote: 
>>
>> Hi, 
>>
>> Has anyone configured puppetboard to use SSL to connect to the puppetdb 
>> server ? 
>>
>> puppetboard runs on a dedicated server, puppetdb on my puppetmaster. 
>>
>> Using plain http, on 8080, everything works. 
>>
>> When I configure puppetboard for https, I always get 
>> ERROR:pypuppetdb.api:Could not reach PuppetDB on 
>> puppet.koewacht.net:8081 over HTTPS. 
>>
>> Doing the same with pypuppetdb, in a python shell, it works, 
>>
>> as the apache user, to rule out permission problems. 
>>
>>
>>  >>> from pypuppetdb import connect 
>>  >>> db = connect(host='puppet.koewacht.net', port=8081, 
>> ssl_key='/etc/puppetboard/pb_priv.pem', 
>> ssl_cert='/etc/puppetboard/pb_pub.pem') 
>>  >>> nodes = db.nodes() 
>>  >>> for node in nodes: 
>> ...   print(node) 
>> ... 
>> fc19.koewacht.net 
>> laptopfc18.koewacht.net 
>> puppetboard 
>> puppet.koewacht.net 
>>
>> Just looking to see if it is some setting I oversee, or I have to delve 
>> in the code .. 
>>
>> Grts 
>>
>> Johan 
>>
>> -- 
>> Johan De Wit 
>>
>> Open Source Consultant 
>>
>> Red Hat Certified Engineer         (805008667232363) 
>> Puppet Certified Professional 2013 (PCP0000006) 
>> _________________________________________________________ 
>>   
>> Open-Future                 Phone     +32 (0)2/255 70 70 
>> Zavelstraat 72              Fax       +32 (0)2/255 70 71 
>> 3071 KORTENBERG             Mobile    +32 (0)474/42 40 73 
>> BELGIUM                     http://www.open-future.be 
>> _________________________________________________________ 
>>   
>>
>> Next Events: 
>> Puppet Fundamentals Training | 
>> http://www.open-future.be/puppet-fundamentals-training-4-till-6th-february 
>> Puppet Introduction Course | 
>> http://www.open-future.be/puppet-introduction-course-7th-february 
>> Zabbix Certified Training | 
>> http://www.open-future.be/zabbix-certified-training-10-till-12th-february 
>> Zabbix for Large Environments Training | 
>> http://www.open-future.be/zabbix-large-environments-training-13-till-14th-february
>>  
>> Subscribe to our newsletter | http://eepurl.com/BUG8H 
>>
>  -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com <javascript:>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/25d1898e-1f95-4645-95cc-5c503e9c6236%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/368de200-f8b3-4a44-ac45-5324ef916095%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
