Hi,

Like Dan's original post, I am also installing onto CentOS 7 and running puppet masterless to install my puppetserver and puppetdb.

Upon startup of the puppetserver service it correctly generates the required ssl files under /etc/puppetlabs/puppet/ssl.

When running a manual yum install puppetdb, the ssl-setup script correctly identifies no ssl directory under /etc/puppetlabs/puppetdb and copies in the required files and updates the jetty.ini with the paths. I can then start puppetdb with no problems.

However, when running the same command through puppet using the puppetlabs/puppetdb community module, the puppetdb is installed but the ssl files are not copied over and the jetty.ini isn't updated, suggesting the ssl-setup isn't even being run, or if it is, I don't know where to look to confirm it ran but had an error.

I am using:
puppetserver version: 2.2.1
puppetdb version: 3.2.3

Any help would be greatly appreciated.

Wes

On Wednesday, October 14, 2015 at 12:39:38 PM UTC+1, Ken Barber wrote:
> On Tue, Oct 13, 2015 at 11:13 PM, Dan <[email protected]> wrote:
> > Excellent thanks guys that got me going on the right path looking at the
> > certs. I'm using puppet apply to build the initial puppet master so the
> > agent won't have executed when it gets to installing puppetdb so I'll need
> > to work around this somehow.
> >
> > Dan
>
> Use puppet cert generate to make the certs before building your master
> perhaps? i.e. take the step the master normally does for you out of
> band, and do it yourself. afaik its own certificate generation steps
> are totally reproducible. If you're building masters from scratch it's
> good to have control of this step anyway, since you often want to
> manage the CA.
>
> > On Friday, 9 October 2015 21:01:00 UTC+1, Ken Barber wrote:
> >> On Fri, Oct 9, 2015 at 4:35 AM, Dan <[email protected]> wrote:
> >> > Hi Wyatt,
> >> >
> >> > Thanks for the pointer! I found the full stack trace which gives a
> >> > better error:
> >> >
> >> > I just need to work out how to configure the SSL configuration now.
> >>
> >> Try `puppetdb ssl-setup` on the command line. It requires that you've
> >> done a full puppet agent run first, since it re-uses Puppet's SSL
> >> certs/key files. Otherwise, you can create new ones manually using the
> >> `puppet cert` tooling:
> >> https://docs.puppetlabs.com/references/4.2.0/man/cert.html. Just be
> >> mindful that normal SSL validation rules apply here with the
> >> certificate hostnames. So you must match the real client's hostname,
> >> much like a browser, or the client will reject the server.
> >>
> >> > 2015-10-09 20:28:24,184 INFO [p.p.pdb-routing] Starting PuppetDB, entering maintenance mode
> >> > 2015-10-09 20:28:24,257 INFO [p.t.s.n.nrepl-service] nREPL service disabled, not starting
> >> > 2015-10-09 20:28:24,258 INFO [p.t.s.w.jetty9-service] Starting web server(s).
> >> > 2015-10-09 20:28:24,293 ERROR [p.t.internal] Error during service start!!!
> >> > java.lang.IllegalArgumentException: Missing some SSL configuration; must provide either :ssl-cert, :ssl-key, and :ssl-ca-cert, OR :truststore, :trust-password, :keystore, and :key-password.
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28763$get_jks_keystore_config_BANG___28764$fn__28768.invoke(jetty9_config.clj:288) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28763$get_jks_keystore_config_BANG___28764.invoke(jetty9_config.clj:282) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28787$get_keystore_config_BANG___28788$fn__28789.invoke(jetty9_config.clj:307) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28787$get_keystore_config_BANG___28788.invoke(jetty9_config.clj:300) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28963$maybe_get_https_connector__28964$fn__28965.invoke(jetty9_config.clj:399) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28963$maybe_get_https_connector__28964.invoke(jetty9_config.clj:390) ~[na:na]
> >> > at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval29004$maybe_add_https_connector__29005$fn__29006.invoke(jetty9_config.clj
> >> >
> >> > Thanks
> >> >
> >> > Dan
> >> >
> >> > On Friday, 9 October 2015 01:18:08 UTC+1, Wyatt Alt wrote:
> >> >> Hey Dan,
> >> >>
> >> >> I see the bottom of a java stacktrace in your log snippet there --
> >> >> could you get the full stacktrace from journalctl and stick it in a gist?
> >> >>
> >> >> Wyatt
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups
> >> > "Puppet Users" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > To view this discussion on the web visit
> >> > https://groups.google.com/d/msgid/puppet-users/03974e18-839d-4aab-bddc-f4c42a9928c7%40googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
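
One way to confirm whether `puppetdb ssl-setup` left a usable PEM configuration behind, as an added example that is not part of the thread or of PuppetDB itself: the function takes the path to jetty.ini and reports which of the three settings named in the error message are unset or point at a missing file. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which PEM SSL settings a PuppetDB jetty.ini lacks.
# The key names ssl-key, ssl-cert and ssl-ca-cert come from the
# IllegalArgumentException quoted in the thread.

# jetty_ssl_problems FILE
# Prints one line per problem; returns 0 when all three settings are
# present and each points at a non-empty file, 1 otherwise.
jetty_ssl_problems() {
    ini=$1
    status=0
    if [ ! -r "$ini" ]; then
        echo "unreadable: $ini"
        return 1
    fi
    for key in ssl-key ssl-cert ssl-ca-cert; do
        # Last uncommented "key = value" line wins; trailing blanks trimmed.
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$ini" \
            | tail -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$value" ]; then
            echo "missing setting: $key"
            status=1
        elif [ ! -s "$value" ]; then
            echo "missing or empty file for $key: $value"
            status=1
        fi
    done
    return $status
}

# Constructed sample: a jetty.ini whose PEM settings were never written,
# checked in a throwaway directory.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '[jetty]' 'port = 8080' 'ssl-port = 8081' \
        '# ssl-key = /path/to/private.pem' > "$dir/jetty.ini"
    jetty_ssl_problems "$dir/jetty.ini"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo || true
```

Running the function against the real jetty.ini before and after the Puppet run shows whether the module changed the file at all.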
