[Puppet Users] Certificates when upgrading from Community to Enterprise
We are about to move from the community edition of Puppet to enterprise. Can I just copy the ssl directory to /etc/puppetlabs or will I need to recertify all the nodes?

Thanks,
John

John Kennedy (_8(|)
I have a yellow dog: http://www.theyellowdogproject.com/The_Yellow_Dog_Project/About.html
Sometimes it happens, sometimes it doesn't - Pedro Catacora
Anatidaephobia is the fear that somehow, somewhere a duck is watching you - urbandictionary.com
The Dunning-Kruger effect occurs when incompetent people not only fail to realize their incompetence, but consider themselves much more competent than everyone else. Basically - they're too stupid to know that they're stupid.
VGSR Disclaimer: The opinions expressed in this email are mine and do not reflect the opinions of VGSR or their board of directors.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAD6OLfy_ATMvZyWjeqcxzKkrvn4HqsqAhMB7S12%3DCrx%3DBXhJNQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] certificates being 'randomly' revoked
Hi,

I've been having issues with certificates being revoked without any human intervention or oversight; one day a node will try to do an update and it can't because its certificate is revoked. There is definitely no one issuing 'puppet cert clean nodename' on the command line.

puppet --version
3.4.3

Any ideas? Is there some automated process that 'cleans' and revokes nodes that are 'too old'? I'd like to have control over this and have absolutely no automated system revoking certificates at all.

Thanks.
Re: [Puppet Users] certificates
On Mon, Mar 22, 2010 at 11:39 AM, Michael DeHaan wrote:
>
> On Mon, Mar 22, 2010 at 2:01 PM, Arnauld wrote:
>> Hi,
>>
>> It may be obvious but I don't understand what the 'ca/ca_*.pem' and
>> the 'certs/ca.pem' files stand for :(
>> It sounds a bit 'redundant' to me
>> Someone has an explanation ?
>>
> Hi Arnauld,
>
> Have you seen
> http://projects.reductivelabs.com/projects/puppet/wiki/Certificates_And_Security...
> It goes into a bit more detail than you would like, perhaps.
>
> CA means "certificate authority". PEM is a certificate format.
>
> In short (copying from Dan's notes):
>
> 1. ca/private/ca.pass - stores the password for the CA's private key.
> 2. ca/signed/ - directory where all signed certificates are stored; these are
>    created by puppet --sign (or automatically if auto-signing is enabled)
> 3. ca/requests/ - this is where pending requests are stored; they are
>    removed when puppetca --sign is run
> 4. ca/ca_key.pem - private key for the CA (this is what it uses to sign
>    things?)
> 5. ca/ca_crl.pem - this is the list of certificates that have been revoked.
> 6. ca/ca_crt.pem - this is the self-signed certificate for the CA.
> 7. ca/ca_pub.pem - public key
> 8. ca/inventory.txt - list of all keys that have been signed.
> 9. ca/serial - CA's counter that ensures a unique ID for each key.
>

This list is missing the cert that you asked about :)

cert/ca.pem - this is the CA's cert that is used to establish trust. As in, I trust people that have been signed by this certificate. This file exists on both the client and server.

> Hope that helps!
>
> --Michael
Re: [Puppet Users] certificates
On Mon, Mar 22, 2010 at 2:01 PM, Arnauld wrote:
> Hi,
>
> It may be obvious but I don't understand what the 'ca/ca_*.pem' and
> the 'certs/ca.pem' files stand for :(
> It sounds a bit 'redundant' to me
> Someone has an explanation ?
>

Hi Arnauld,

Have you seen
http://projects.reductivelabs.com/projects/puppet/wiki/Certificates_And_Security...
It goes into a bit more detail than you would like, perhaps.

CA means "certificate authority". PEM is a certificate format.

In short (copying from Dan's notes):

1. ca/private/ca.pass - stores the password for the CA's private key.
2. ca/signed/ - directory where all signed certificates are stored; these are created by puppet --sign (or automatically if auto-signing is enabled)
3. ca/requests/ - this is where pending requests are stored; they are removed when puppetca --sign is run
4. ca/ca_key.pem - private key for the CA (this is what it uses to sign things?)
5. ca/ca_crl.pem - this is the list of certificates that have been revoked.
6. ca/ca_crt.pem - this is the self-signed certificate for the CA.
7. ca/ca_pub.pem - public key
8. ca/inventory.txt - list of all keys that have been signed.
9. ca/serial - CA's counter that ensures a unique ID for each key.

Hope that helps!

--Michael
[Puppet Users] certificates
Hi,

It may be obvious but I don't understand what the 'ca/ca_*.pem' and the 'certs/ca.pem' files stand for :(
It sounds a bit 'redundant' to me.
Someone has an explanation?

Best regards,
[Puppet Users] certificates for puppetrun
Hi,

Can someone please explain how the certificate authentication works for puppetrun? Or point me to a document.

thanks,
Dan
[Puppet Users] Certificates were not trusted: certificate verify failed
Hello,

We are installing some Xen guests using puppet 0.24.5-1.el5 (from http://people.redhat.com/dlutter/yum/rhel/5/x86_64/) on CentOS 5. The Xen host is also a CentOS 5 running the same version for a puppet master. We have two such identical Xen hosts (running puppet master each). The first one has worked perfectly for a while and we are now trying to deploy the second one for redundancy.

The first Xen guest which tries to use puppet hits this apparently familiar problem. Here is a sample output:

Wed Jan 14 11:25:32 +1100 2009 //Node[portal2-prod-ascent.threatmetrix.com]/portal-prod-ascent/portal-ks/common-ks/File[/etc/ssh/sshd_config] (err): Failed to retrieve current state of resource: Certificates were not trusted: certificate verify failed Could not describe /files/common/sshd_config: Certificates were not trusted: certificate verify failed at /etc/puppet/svn/manifests/common-ks.pp:78

We've been googling this for two days now. We found both old and recent threads about this error as well as the page at http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006, but even though we follow all the advice there and see the expected output (the certificate verifies well using "openssl verify ...") we can't convince puppet to accept the certificate.

One thing where our output doesn't match the one in the instructions on the wiki page is that the wiki page says:

"Look for subject=/C=US/ST=Ohio/O=The Ohio State University/OU=Department of Mathematics/CN=puppet.math.ohio-state.edu"

but I'm not sure whether this is just an example or we should really have this specific CN in the certificate. We receive identical output on the working server.

Instead, we have output as follows:

# openssl s_client -connect ds502.blueboxgrid.com:8140
CONNECTED(0003)
depth=0 /CN=ds502.blueboxgrid.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=ds502.blueboxgrid.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=ds502.blueboxgrid.com
   i:/CN=ds502.blueboxgrid.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[deleted]
-----END CERTIFICATE-----
subject=/CN=ds502.blueboxgrid.com
issuer=/CN=ds502.blueboxgrid.com
---
No client certificate CA names sent
---
SSL handshake has read 1244 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 0F117816A195A5791AC317D30F6489E4874815B83DF734933A2B5B58DB9FC6F5
    Session-ID-ctx:
    Master-Key: E1DF12E889C1D3C5215EF451FD229BC29864666EF247789FE5179758C8018EF84D45AA6B9B552890110765BD71B65E64
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1231893176
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

What else can we do? We are stuck in deployment of a production system because of this and can't find what makes the first host tick while the second one won't accept anything.

I've also tried to completely remove and re-install puppet and puppet-master (and remove the /var/lib/puppet and /etc/puppet directories) but still get the same results.

Thanks,
--Amos
[Puppet Users] Certificates were not trusted Error
Hi,

I have a host that's both a puppet client and a puppetmaster. The master part works fine; all clients can connect to it and get their configuration. The client part does not work so well. I remember it used to work but then we had to switch domain names and things went wrong.

The setup is something like this:

[puppetmaster_A]
 + client_1
 + client_2
 + client_3
 + client_4

Now client_4 is the 'problem' node, which is also a puppetmaster for several other nodes. The change in domain was for host puppetmaster_A (.com -> .local). The other nodes weren't changed at all and continued to work fine, even though the certificate issued by puppetmaster_A had the old domain name in it. The command I used to check this was:

$ openssl x509 -in /var/lib/puppet/ssl/certs/ca.pem -noout -text

It shows the .com domain but works fine on all other nodes. On node client_4 though, when I start puppetd in no-daemonize mode, I get this error:

err: Could not retrieve catalog: Certificates were not trusted: hostname not match with the server certificate

I tried deleting the ca.pem but this just results in it being retrieved again from puppetmaster_A.

Anyone? :)

Sebastian
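The file listing in Michael's reply, the "unable to verify the first certificate" output in Amos' post, the "hostname not match" error above and the "random" revocations thread all come down to three checks an operator can run against the ssl directory. This added example (not code from any poster or from Puppet) performs them against a throwaway CA built in a temp directory; it assumes the openssl CLI is on PATH, and every hostname, serial and file name in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet: rebuilds the trust
# checks the posts above hinge on, against a throwaway CA in a temp dir.
# Assumes the openssl CLI is on PATH; every name, serial and file is constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Stand-in for ca/ca_crt.pem (the copy every agent holds as certs/ca.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ca \
  -keyout ca_key.pem -out ca_crt.pem 2>/dev/null
# A node certificate signed by that CA (what lands in ca/signed/).
openssl req -newkey rsa:2048 -nodes -subj /CN=node1.example.com \
  -keyout node_key.pem -out node.csr 2>/dev/null
openssl x509 -req -in node.csr -CA ca_crt.pem -CAkey ca_key.pem \
  -set_serial 4097 -days 1 -out node_crt.pem 2>/dev/null
# A self-signed cert the CA never saw: the "unable to verify the first
# certificate" case from the s_client output.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=rogue.example.com \
  -keyout rogue_key.pem -out rogue_crt.pem 2>/dev/null

# Check 1: does the certificate chain to the CA certificate we trust?
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: does the CN equal the name the agent connects to? The
# "hostname not match" error is this comparison failing after a rename.
cn_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//')
  [ "$cn" = "$2" ]
}

# Check 3: is the cert's serial on the CRL (ca/ca_crl.pem)? Look here before
# calling a revocation "random": the CRL records what was cleaned.
is_revoked() {
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial\$"
}

# Revoke node1 and issue a CRL, as 'puppet cert clean' does on the master.
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ncertificate=ca_crt.pem\n' >ca.cnf
printf 'private_key=ca_key.pem\ndefault_md=sha256\ndefault_crl_days=1\n' >>ca.cnf
touch index.txt
openssl ca -config ca.cnf -revoke node_crt.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca_crl.pem 2>/dev/null

chains_to_ca ca_crt.pem node_crt.pem  && echo "node1: chains to our CA"
chains_to_ca ca_crt.pem rogue_crt.pem || echo "rogue: not signed by our CA"
cn_matches node_crt.pem node1.example.local || echo "node1: CN is not node1.example.local"
is_revoked ca_crl.pem node_crt.pem && echo "node1: serial 1001 is on the CRL"
```

Point the three functions at a real certs/ca.pem, a node's certs/<fqdn>.pem and ca/ca_crl.pem to get the same yes/no answers for a live master.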