[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?

2012-07-03 Thread Leej
So I've cracked the initial problem and I can deploy an instance and auto 
configure puppet but I am still missing something, possibly a conceptual 
misunderstanding on my part.

I spin up an aws instance with :

puppet node_aws bootstrap --image ami-e1e8d395 --keyname puppet --login 
ubuntu --keyfile ~puppet.pem --puppetagent-certname new_certname_1 
--region=eu-west-1 --type t1.micro -g webserver --server 
mypuppetserver.somewhere.com

This fails with :

notice: Waiting for SSH response ... Done
notice: Installing Puppet ...
notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com
notice: No classification method selected
notice: Signing certificate ...
err: Signing certificate ... Failed
err: Signing certificate error: Could not render to pson: The certificate 
retrieved from the master does not match the agent's private key.
Certificate fingerprint: 35:39:B7:DD:19:0E:7A:D6:07:AE:6D:64:FF:2E:92:37
To fix this, remove the certificate from both the master and the agent and 
then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean mypuppetserver.somewhere.com
On the agent:
  rm -f /home/lj/.puppet/ssl/certs/mypuppetserver.somewhere.com.pem
  puppet agent -t

However if I sign the certificate by hand on the puppet server :

sudo puppetca -s new_certname_1

My client then (eventually) will update via puppet, so things are *almost* 
working, although the error is misleading.

So here are my questions.

1) I obviously want to maintain a secure install so I want to sign the 
certificates. Should node_aws bootstrap be signing the certificates 
automatically (as it seems to be attempting to do)? Is it possible to 
create a certificate before bootstrapping the instance so that there is a 
certificate ready and waiting for the client?

2) I don't know the IP address or have an FQDN for the instances I am 
spinning up. I want to put some files on my clients. In fileserver.conf I 
am using the cert_name to control access e.g. 

[files]
  path /etc/puppet/files
  allow new_certname_1

I was surprised that this worked. 

Now here's where my conceptual understanding is failing me - since it seems 
every certname has to be unique (e.g. I can't just create a group controlled 
by the certificate name) how can I restrict access to the fileserver when 
provisioning new instances without manually modifying the fileserver.conf?

3) I should also ask - does a client need to be authenticated via its 
certificate before it will be given access to the fileserver? If so I 
assume I could then just use * since the certification requirement would 
reject uncertified clients. Sorry, this is possibly a stupid question, but it 
is not clear from the documentation; if so, my second question is moot.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/RZS1zkbF7scJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
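The fileserver access questions above (what an `allow` entry matches, and what `*` lets in) can be tried out offline. The following is an added example written for this page, not code from the thread or from Puppet itself: a small Python model of certname matching in a Puppet 2.7 fileserver.conf, as the editor understands Puppet::Network::AuthStore (an entry is an exact certname, a domain glob with a leading `*.`, or the bare `*`; the most specific matching entry wins, a deny beats an allow of equal rank, and no match means no access). IP-address patterns, which the real authstore also accepts, are left out. The `authenticated` flag stands in for the TLS client-certificate check that happens before any ACL is consulted; that this is the default `auth yes` behaviour of auth.conf is the editor's assumption, not something the thread confirms. The mount names, paths and the certnames `web-0001.eu-west-1.example.com` and `build-host.eu-west-1.example.com` are constructed for the example; `new_certname_1` is the one from the post.

```python
"""Model of certname-based access checks in a Puppet 2.7 fileserver.conf.

Added example for this page; not code from the thread or from Puppet.
Assumptions: entries are exact certnames, '*.domain' globs or '*'; the most
specific match wins and deny beats allow on a tie; no match means no
access; IP patterns are omitted; the ACL is consulted only after TLS
client authentication (the 'authenticated' flag below).
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass(frozen=True)
class Declaration:
    kind: str     # "allow" or "deny"
    pattern: str  # "*", "*.eu-west-1.example.com" or an exact certname

    def matches(self, certname: str) -> bool:
        name, pat = certname.lower(), self.pattern.lower()
        if pat == "*":
            return True
        if pat.startswith("*."):
            # "*.eu-west-1.example.com" matches any name below that domain,
            # but not the bare domain itself
            return name.endswith(pat[1:])
        return name == pat

    def specificity(self) -> Tuple[int, int, int]:
        # Sort key: exact names beat globs, longer globs beat shorter ones,
        # and a deny beats an allow of equal rank.
        exact = 0 if self.pattern.startswith("*") else 1
        labels = 0 if self.pattern == "*" else self.pattern.count(".")
        return (exact, labels, 1 if self.kind == "deny" else 0)


Mount = Dict[str, Any]


def parse_fileserver_conf(text: str) -> Dict[str, Mount]:
    """Parse [mount] sections with path/allow/deny lines; '#' starts a comment."""
    mounts: Dict[str, Mount] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            mounts[current] = {"path": None, "acl": []}
            continue
        if current is None:
            raise ValueError("directive outside a [mount] section: %r" % raw)
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed line: %r" % raw)
        key, value = parts[0].lower(), parts[1].strip()
        if key == "path":
            mounts[current]["path"] = value
        elif key in ("allow", "deny"):
            # several patterns may share one line, separated by commas
            for pat in value.split(","):
                mounts[current]["acl"].append(Declaration(key, pat.strip()))
        else:
            raise ValueError("unknown directive %r" % key)
    return mounts


def allowed(mount: Mount, certname: Optional[str], authenticated: bool) -> bool:
    """Decide access for one client; unauthenticated clients never reach the ACL."""
    if not authenticated or not certname:
        return False
    matching = [d for d in mount["acl"] if d.matches(certname)]
    if not matching:
        return False  # default deny
    return max(matching, key=Declaration.specificity).kind == "allow"


# Constructed sample configuration (not the poster's real file).
SAMPLE_CONF = """
# weak: every node whose certificate the CA has signed can read this mount
[files]
  path /etc/puppet/files
  allow *

# scoped by a certname convention chosen at bootstrap time, e.g.
# --puppetagent-certname web-0001.eu-west-1.example.com
[webfiles]
  path /etc/puppet/webfiles
  allow *.eu-west-1.example.com
  deny  build-host.eu-west-1.example.com

# pinned to a single certname, as in the post
[secrets]
  path /etc/puppet/secrets
  allow new_certname_1
"""

MOUNTS = parse_fileserver_conf(SAMPLE_CONF)


def check(certname: Optional[str], mount: str, authenticated: bool = True) -> bool:
    return allowed(MOUNTS[mount], certname, authenticated)


if __name__ == "__main__":
    for cn, m in [("web-0001.eu-west-1.example.com", "webfiles"),
                  ("build-host.eu-west-1.example.com", "webfiles"),
                  ("web-0001.us-east-1.example.com", "webfiles"),
                  ("new_certname_2", "secrets"),
                  ("anything.example.net", "files")]:
        print("%-36s %-9s %s" % (cn, m, check(cn, m)))
```

Because the certname is chosen at bootstrap time with `--puppetagent-certname`, a naming convention plus a glob such as `allow *.eu-west-1.example.com` admits each new instance without editing fileserver.conf, while an exact `deny` still carves out individual hosts. `allow *` admits every node whose certificate the CA has signed, so it is only as tight as the signing policy on the master.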



[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?

2012-07-02 Thread Leej
And 5 minutes later I read the man page 
docs.puppetlabs.com/pe/2.0/cloudprovisioner_man_node_aws.html: "Note that 
any configuration parameter that's valid in the configuration file is also 
a valid long argument, although it may or may not be relevant to the 
present action. For example, server is a valid configuration parameter, so 
you can specify --server as an argument."

I would normally feel really stupid, but I'm just too happy to have found 
that :)

To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/Q5g28CejCBMJ.



[Puppet Users] bootstrap aws instance - set server address in instance puppet.conf?

2012-07-02 Thread Leej
Hello, new user here. I'm trying to bootstrap an aws instance and need to 
change the server setting in puppet.conf on the client/instance that is 
created. Is there any way to do this beyond modifying hosts post hoc?

puppet node_aws bootstrap --image ami-e1e8d395 --keyname mykey --login 
ubuntu --keyfile ~mykeyfile.pem --puppetagent-certname aws_server_test 
--region=eu-west-1 --type t1.micro -g webserver 

This provisions an instance but fails to register a cert request on the 
puppetmaster with :

notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com
notice: No classification method selected
notice: Signing certificate ...
err: Signing certificate ... Failed
err: Signing certificate error: Could not render to pson: getaddrinfo: Name 
or service not known

Checking the instance's puppet.conf shows that the server config variable is 
set to "puppet" which I want to change to "myserver.somewhere.com". Now I 
don't know if this behaviour is a bug; I would have thought that since I'm 
running puppet from the master server, bootstrapping should be able to 
update the server variable correctly or there should at least be a command 
line option.

I know I can run a script at some point and modify my hosts files but I'm 
trying to keep things automated and simple. What am I missing?

I should also note, if I ssh into the created instance I can modify the 
puppet.conf file with the correct server name and a certificate request is 
issued which I can then sign.

Any help/best practices greatly appreciated - lj.

To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/QHVnlhPb5lUJ.



[Puppet Users] Re: Trouble using the dns_alt_names config option

2012-07-02 Thread Leej
DISCLAIMER: I've been using puppet for about 8 hours. Have you regenerated 
your ssl certificates by nuking the ssl dir (e.g. sudo rm -rf 
/var/lib/puppet/ssl) and restarting puppetmaster?

On Monday, July 2, 2012 2:59:10 PM UTC+1, Lorin Hochstein wrote:
>
> Hello:
>
> I'm trying to put a puppet master on an EC2 instance, and have it be 
> accessible to agents using either its EC2 DNS name (e.g., 
> ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com) or a friendlier alias (e.g., 
> puppet.example.com).
>
> My /etc/puppet/puppet.conf looks like:
>
> [master]
> certname=ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com
> dns_alt_names=ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com,
> puppet.example.com,puppet
>
> When I try to connect to puppet.example.com, I get the following error:
>
> Jun 29 20:57:58 precise32 puppet-agent[1178]: Could not send report: 
> Server hostname 'puppet.example.com' did not match server certificate; 
> expected one of ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com, DNS:
> ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com, DNS:puppet, DNS:
> puppet.example.com
>
> What are the possible sources for this error? It looks like it expects 
> puppet.example.com as a valid name, but 'puppet.example.com' isn't 
> matching against DNS:puppet.example.com (?)
>
> I'm running Puppet 2.7.11 on ubuntu precise (12.04).
>
> Also, is there any way for an agent to trust the puppet master using only 
> a certificate instead of relying on DNS?
>
> Lorin
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/E_YgseqmvuYJ.
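For the hostname-verification error quoted above, one thing worth checking is whether the name the agent connects to matches one of the names in the master's certificate under the rule a TLS client applies, rather than merely appearing somewhere in the error text. The following is an added example written for this page, not code from the thread or from Puppet: it applies the common rule (case-insensitive exact match of the host against the CN and each `DNS:` entry of subjectAltName, with a wildcard honoured only as the whole leftmost label) to the names printed in the quoted message. That Puppet 2.7's agent hands this check to OpenSSL's `verify_certificate_identity` is the editor's assumption; the names are copied from the quoted post with `ec2-xxx-xxx-xxx-xxx` left as the poster wrote it.

```python
"""Check a server name against the names in a Puppet master certificate.

Added example for this page, not Puppet's code. Implements the usual TLS
host-matching rule: case-insensitive exact match against the CN and every
DNS: entry of subjectAltName; a wildcard only as the entire leftmost label.
"""
from typing import List


def expected_names(cn: str, san: str) -> List[str]:
    """CN plus the DNS entries of a subjectAltName value such as
    'DNS:host.example.com, DNS:puppet'; other entry types are ignored."""
    names = [cn.strip()]
    for entry in san.split(","):
        entry = entry.strip()
        if entry[:4].upper() == "DNS:":
            names.append(entry[4:].strip())
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """One certificate name against the host the agent used in 'server='."""
    host, pat = hostname.lower(), pattern.lower()
    if "*" not in pat:
        return host == pat
    head, _, tail = pat.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False  # only "*.domain" is honoured
    hhead, sep, htail = host.partition(".")
    # exactly one label replaces the "*": a.example.com, not a.b.example.com
    return bool(sep) and bool(hhead) and htail == tail


def server_name_ok(hostname: str, cn: str, san: str) -> bool:
    return any(name_matches(hostname, n) for n in expected_names(cn, san))


# Names as printed in the quoted error message (constructed from the post).
MASTER_CN = "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com"
MASTER_SAN = ("DNS:ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com, "
              "DNS:puppet, DNS:puppet.example.com")

if __name__ == "__main__":
    for host in ["puppet.example.com", "PUPPET", "puppet.example.org",
                 "www.puppet.example.com"]:
        print("%-24s %s" % (host, server_name_ok(host, MASTER_CN, MASTER_SAN)))
```

Run against the names in the quoted message, `puppet.example.com` matches, so a mismatch reported with those very names listed points at the certificate the master is actually serving rather than at the matching rule, which is consistent with the suggestion in the reply above to regenerate the SSL directory. Note that a subdomain such as `www.puppet.example.com` does not match a plain `DNS:puppet.example.com` entry; each name the agents will use for the master has to be listed in `dns_alt_names` explicitly.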