Puppet: System Administration Automated

Ticket #833 (new defect)

Opened 1 year ago

Last modified 9 months ago

puppetmasterd with --servertype mongrel does not generate certificate.

Reported by: dissent
Assigned to: community
Priority: normal
Milestone: unplanned
Component: executables
Version: 0.23.2
Severity: normal
Keywords:
Cc:
Triage Stage: Accepted
Attached Patches: None
Complexity: Easy

Description

I found that when I run puppetmasterd with --servertype mongrel it won't generate a key and certificate. I have also changed the name of the certificate in the puppet.conf file:

  [main]
    # Don't use the domain name in certificate names, so that they are easy to
    # find for Apache httpd.
    certname = puppet

Change History

10/04/07 21:59:52 changed by luke

  • complexity changed from Unknown to Easy.
  • stage changed from Unreviewed to Accepted.
  • milestone set to unplanned.

The fact that mongrel doesn't generate a cert is definitely a bug (although most sites won't hit it because they'll start with webrick and migrate to Mongrel). It's fortunately got an easy workaround, in that you can just start the master once with Webrick, but it's still a bug.

The certname stuff is unrelated to this bug, but... I *highly* recommend you don't do this, because it will make you unable to migrate services. Instead you should use symlinks or something.

11/09/07 07:10:37 changed by jamtur01

Some further data on this I believe. This is from a certificate request from a Fedora 7 host to a 0.23.2 master running Mongrel through Apache with mod_proxy_balancer.

Apache config:

# Minimal Apache Configuration for Apache+Mongrel+Puppetmaster

Listen 8140
PidFile /var/www/puppet/balancer.pid
User puppet
Group puppet

#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule log_config_module modules/mod_log_config.so

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Proxy balancer://debian.lovedthanlost.net>
  BalancerMember http://127.0.0.1:18140
  BalancerMember http://127.0.0.1:18141
</Proxy>

<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /var/www/puppet/ssl/certs/debian.lovedthanlost.net.pem
    SSLCertificateKeyFile   /var/www/puppet/ssl/private_keys/debian.lovedthanlost.net.pem
    SSLCertificateChainFile /var/www/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/www/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/www/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # Store the client DN in a header
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    # And store whether the cert verification was a success
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    ProxyPass / balancer://debian.lovedthanlost.net:8140/
    ProxyPassReverse / balancer://debian.lovedthanlost.net:8140/
    ProxyPreserveHost on

    ErrorLog  /var/www/puppet/balancer_error.log
    CustomLog /var/www/puppet/balancer_access.log combined
    CustomLog /var/www/puppet/balancer_ssl_request.log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

--verbose output for puppetd:

err:  Could not request certificate: Certificate retrieval failed: header too long

syslog for masterd:

Nov 10 03:13:16 debian puppetmasterd[350]: Could not call: header too long

puppetca signing request:

puppetca --sign fedora.lovedthanlost.net
Could not retrieve request for fedora.lovedthanlost.net: header too long
Could not sign request for fedora.lovedthanlost.net: CA#sign only accepts OpenSSL::X509::Request objects, not NilClass

balancer_ssl_log:

[10/Nov/2007:03:09:15 +1100] 10.0.10.138 TLSv1 RC4-SHA "POST /RPC2 HTTP/1.1" 195
[10/Nov/2007:03:11:15 +1100] 10.0.10.138 TLSv1 RC4-SHA "POST /RPC2 HTTP/1.1" 195
[10/Nov/2007:03:13:15 +1100] 10.0.10.138 TLSv1 RC4-SHA "POST /RPC2 HTTP/1.1" 255

balancer_access log:

10.0.10.138 - - [10/Nov/2007:03:09:15 +1100] "POST /RPC2 HTTP/1.1" 200 195 "-" "XMLRPC::Client (Ruby 1.8.6)"
10.0.10.138 - - [10/Nov/2007:03:11:15 +1100] "POST /RPC2 HTTP/1.1" 200 195 "-" "XMLRPC::Client (Ruby 1.8.6)"
10.0.10.138 - - [10/Nov/2007:03:13:15 +1100] "POST /RPC2 HTTP/1.1" 200 255 "-" "XMLRPC::Client (Ruby 1.8.6)"
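In the Apache setup above, mod_ssl terminates TLS and the Mongrel backend only ever learns the client's identity from the X-Client-DN and X-Client-Verify request headers. The following is an added illustration (not Puppet's own code) of how a backend handler should consume those headers: trust the DN only when the verify status is SUCCESS and the request arrived from the proxy host. The TRUSTED_PROXIES list and the Rack-style env hash are assumptions.

```ruby
# Added example, not part of Puppet or of the ticket: consuming the
# X-Client-DN / X-Client-Verify headers set by the Apache config above.
# Because the proxy terminates TLS, the backend never sees the client
# certificate itself, only these two header values. It must therefore:
#   1. ignore both headers unless the request came from the trusted proxy
#      (otherwise any client could forge a DN by sending the header itself);
#   2. trust X-Client-DN only when X-Client-Verify is exactly "SUCCESS"
#      (with SSLVerifyClient optional, mod_ssl sets NONE when no cert was
#      presented and FAILED:<reason> when verification failed).

# Assumption: Apache and the Mongrel BalancerMembers share one host,
# as in the 127.0.0.1:18140/18141 members of the config above.
TRUSTED_PROXIES = ['127.0.0.1'].freeze

# Extract the CN (Puppet's certname) from an OpenSSL-style DN such as
# "/CN=fedora.lovedthanlost.net" or "/C=AU/O=Puppet/CN=fedora.lovedthanlost.net".
# Returns nil when no non-empty CN component is present.
def certname_from_dn(dn)
  return nil if dn.nil?
  dn.split('/').each do |rdn|
    attr, value = rdn.split('=', 2)
    return value if attr == 'CN' && value && !value.empty?
  end
  nil
end

# Returns the authenticated certname, or nil for an anonymous client.
# env is a Rack-style hash: the proxy's headers arrive as
# HTTP_X_CLIENT_DN and HTTP_X_CLIENT_VERIFY, the peer as REMOTE_ADDR.
def authenticated_client(env)
  return nil unless TRUSTED_PROXIES.include?(env['REMOTE_ADDR'])
  return nil unless env['HTTP_X_CLIENT_VERIFY'] == 'SUCCESS'
  certname_from_dn(env['HTTP_X_CLIENT_DN'])
end
```

A nil result is the normal state of a host that is still requesting its certificate, which is exactly the situation in this ticket, so the CA's request-submission endpoint must accept anonymous callers while signing stays restricted.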

11/24/07 06:20:56 changed by luke

  • milestone changed from unplanned to misspiggy.

So Apache makes it impossible to even accept certificate requests?

I'll treat this as a valid ticket for now and see if I can add the functionality.

11/28/07 04:44:18 changed by luke

  • owner changed from luke to community.
  • milestone changed from misspiggy to unplanned.

This is going to be annoying to fix, and the workaround is entirely trivial, so I'm delaying this bug.

04/24/08 07:06:34 changed by luke

  • component changed from server to executables.