added puppet CA into the ruby environment


Keyzer Suze

Nov 10, 2019, 11:12:03 PM11/10/19
to Puppet Users
Hi

I have just installed a new version of puppet (latest) on to CentOS 8.

When I try puppet agent --test it fails attempting to connect to puppetdb - unable to verify cert.

If I use wget (after I added the puppet ca into the OS root ca bundle) it works.

Where or how do I do the same for ruby?

gramsa49

Nov 11, 2019, 10:06:46 PM11/11/19
to Puppet Users
Check that the cert used by puppetdb matches the puppet ca.

First the Puppet DB:

root@puppettest1:~# openssl s_client -connect puppet:8140
CONNECTED(00000005)
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
 1 s:CN = Puppet CA: puppet.x.org
   i:CN = Puppet Root CA: ed17137d0debfe
 2 s:CN = Puppet Root CA: ed17137d0debfe
   i:CN = Puppet Root CA: ed17137d0debfe

Then the local copy of the Puppet CA cert:

root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/ca.pem
root@puppettest1:~# openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet Root CA: ed17137d0debfe
        Validity
            Not Before: Oct 17 20:04:48 2019 GMT
            Not After : Oct 14 20:04:55 2034 GMT
        Subject: CN = Puppet CA: puppet.x.org

I believe that as long as the certificate used by Puppet DB is issued by the Puppet CA, the Puppet Agent will trust the certificate.

Axton

Keyzer Suze

Nov 12, 2019, 6:50:09 PM11/12/19
to puppet...@googlegroups.com
Hi

Did that and mucked around some more and broke it :) so I did a yum erase and cleaned out the /etc/puppetlabs directory.

Then reinstalled - got r10k working, got yaml working and some other things - packages.

Then tried puppetdb, but it keeps failing on the ssl test - different this time.

This is what I get from s_client:
---
No client certificate CA names sent
---
SSL handshake has read 2505 bytes and written 337 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573602368
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes


no ciphers !!!


this is my setup 
   # Configure puppetdb and its underlying database
   class { 'puppetdb':
     manage_package_repo => false,
     manage_dbserver => false,
     #ssl_protocols => 'TLSv1.1,TLSv1.2',
     ssl_protocols => 'TLSv1.2',
     listen_address => '0.0.0.0',
     manage_firewall => true,
     open_listen_port => true,
     open_ssl_listen_port => true,

     # disable_ssl => true,

   }

   # Configure the Puppet master to use puppetdb
   class { 'puppetdb::master::config':
      # puppetdb_disable_ssl => true,
   }


This is the telling bit, I think:

2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]


and this is the jetty.ini
 cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[jetty]
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
# host = <host>
host = 0.0.0.0

# Port to listen on for clear-text HTTP.
port = 8080

# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# ran during package installation.

# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
ssl-host = 0.0.0.0

# The port to listen on for HTTPS connections
ssl-port = 8081

# Private key path
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem

# Public certificate path
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem

# Certificate authority path
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem

# Access logging configuration path. To turn off access logging
# comment out the line with `access-log-config=...`
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2


I'm guessing the ciphers are wrong or there is something wrong with the cipher setup? Maybe it should be ECDSA (the certs used for the elliptic-curve ciphers), or maybe DH params are missing? I'm not sure - I would have thought puppetdb would work out of the box!

also I am using
 java -version
openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

not jdk8






gramsa49

Nov 13, 2019, 6:16:37 PM11/13/19
to Puppet Users
This is my puppetdb/jetty configuration:

agrams@puppet:~$ sudo cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[sudo] password for agrams:
[jetty]
host = localhost
ssl-host = 0.0.0.0
ssl-port = 8081
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2
port = 8080

I used these instructions to install and configure Puppet DB:

I am also using openjdk 11, not java 8, without issue.

agrams@puppet:~$ ps -ef |grep java
agrams   19172 18819  0 18:44 pts/0    00:00:00 grep --color=auto java
puppet   30754     1  0 Oct26 ?        07:31:10 /usr/bin/java -Xms2G -Xmx2G -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar:/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/facter.jar:/opt/puppetlabs/server/data/puppetserver/jars/* clojure.main -m puppetlabs.trapperkeeper.main --config /etc/puppetlabs/puppetserver/conf.d --bootstrap-config /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/ --restart-file /opt/puppetlabs/server/data/puppetserver/restartcounter
puppetdb 31910     1  0 Oct18 ?        01:41:06 /usr/bin/java -Xmx192m -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetdb/puppetdb.jar clojure.main -m puppetlabs.puppetdb.cli.services --config /etc/puppetlabs/puppetdb/conf.d --bootstrap-config /etc/puppetlabs/puppetdb/bootstrap.cfg --restart-file /opt/puppetlabs/server/data/puppetdb/restartcounter

agrams@puppet:~$ /usr/bin/java -version
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3)
OpenJDK 64-Bit Server VM (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3, mixed mode, sharing)


I'm running Puppet 6.7:

agrams@puppet:~$ dpkg -l |grep puppet |grep -v foreman
ii  puppet-agent            6.10.1-1bionic   amd64   The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
ii  puppet-agent-oauth      0.5.1-2          all     OAuth Core Ruby implementation for Puppet Agent
ii  puppet-bolt             1.37.0-1bionic   amd64   Stand alone task runner
ii  puppet6-release         6.0.0-5bionic    all     Release packages for the Puppet 6 repository
ii  puppetdb                6.7.1-1bionic    all     Puppet Labs puppetdb
ii  puppetdb-termini        6.7.1-1bionic    all     Termini for puppetdb
ii  puppetserver            6.7.1-1bionic    all     Puppet Labs puppetserver
ii  ruby-kafo               3.0.0-1          all     Ruby gem for making installations based on puppet user friendly
ii  ruby-puppet-forge       2.2.9-2          all     Access the Puppet Forge API from Ruby
ii  ruby-semantic-puppet    1.0.2-1          all     Useful tools for working with semantic versions with Puppet

Is the s_client output you shared the full output?  What parameters did you pass to s_client?
Puppet DB uses the Puppet Agent certificate for authentication.  This is how you can authenticate using the cert/key, and trust the Puppet CA.
This is what I would expect to see.

root@puppet:~# openssl s_client -connect puppet.x.org:8081 -cert /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem -key /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem
CONNECTED(00000005)
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify return:1
depth=1 CN = Puppet CA: puppet.x.org
verify return:1
depth=0 CN = puppet.x.org
verify return:1
---
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFxDCCA6ygAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDDCJQdXBw
...
-----END CERTIFICATE-----
subject=CN = puppet.x.org

issuer=CN = Puppet CA: puppet.x.org

---
Acceptable client certificate CA names
CN = Puppet Root CA: ed17137d0debfe
CN = Puppet CA: puppet.x.org
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2606 bytes and written 5355 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: F1D1F26Dx...
    Session-ID-ctx:
    Master-Key: F64D39x...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573606413
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

These are the relevant configs:
root@puppet:~# /opt/puppetlabs/puppet/bin/puppet config print |egrep '(^ca|^cert|\.pem|db|storeconfigs|fore)'
ca_fingerprint =
ca_name = Puppet CA: puppet.x.org
ca_port = 8140
ca_server = puppet.x.org
ca_ttl = 157680000
cacert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
cadir = /etc/puppetlabs/puppet/ssl/ca
cakey = /etc/puppetlabs/puppet/ssl/ca/ca_key.pem
capub = /etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
catalog_cache_terminus =
catalog_terminus = compiler
cert_inventory = /etc/puppetlabs/puppet/ssl/ca/inventory.txt
certdir = /etc/puppetlabs/puppet/ssl/certs
certificate_revocation = chain
certname = puppet.x.org
hostcert = /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem
hostcrl = /etc/puppetlabs/puppet/ssl/crl.pem
hostcsr = /etc/puppetlabs/puppet/ssl/csr_puppet.x.org.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem
hostpubkey = /etc/puppetlabs/puppet/ssl/public_keys/puppet.x.org.pem
localcacert = /etc/puppetlabs/puppet/ssl/certs/ca.pem
reports = foreman
storeconfigs = false
storeconfigs_backend = puppetdb

I am using Foreman as well, but merely for viewing agent status, reports, etc.

What does '/opt/puppetlabs/puppet/bin/puppet agent -t --debug' show?

Looking at the Puppet DB access logs, I see the following 2 request/response pairs:

x.x.x.116 - - [12/Nov/2019:19:18:50 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=5&certname=puppettest1.x.org&command=replace_facts&producer-timestamp=2019-11-13T01:18:50.100Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6
x.x.x.116 - - [12/Nov/2019:19:18:51 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=9&certname=puppettest1.x.org&command=replace_catalog&producer-timestamp=2019-11-13T01:18:51.829Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6

The interesting bit here is that the IP address of the client in the puppetdb log is the puppet master, not the agent.
In my configuration above, I have storeconfigs = false.
Maybe this is a difference.

Axton
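Added example, not code from this thread, from Puppet or from PuppetDB: a self-contained Ruby script that reproduces in memory the two checks the thread performs with openssl s_client. It covers the original question (how Ruby, rather than wget, is made to trust the Puppet CA: the CA bundle goes into an OpenSSL::X509::Store, the equivalent of -CAfile ca.pem) and the s_client invocation in the last reply with -cert/-key/-CAfile (a mutual-TLS handshake where the server side requires a client certificate signed by the Puppet CA). The CA CNs, puppetdb.example and agent.example are constructed placeholders, the 2048-bit keys and one-hour validity are demo values, and the server offers only AES-GCM suites, which is an assumption of the example rather than PuppetDB's configuration; against a real agent you would load /etc/puppetlabs/puppet/ssl/certs/ca.pem (the localcacert setting shown above) with store.add_file instead of building the CA in memory.

```ruby
require 'openssl'
require 'socket'

# Added example, not code from this thread or from Puppet. Builds an in-memory PKI shaped like
# Puppet 6's (self-signed "Puppet Root CA" -> intermediate "Puppet CA" -> host certs), then repeats
# the two checks done above with openssl s_client: chain verification against the CA bundle, and a
# mutual-TLS handshake in which the server demands a client certificate. All CNs are placeholders.

# Issue an X.509v3 certificate for `cn`; self-signed when `issuer` is nil.
def issue_cert(cn, key, serial:, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root CA -> intermediate "Puppet CA" -> a server cert (puppetdb) and a client cert (agent).
def build_pki
  root_key, puppet_key, server_key, client_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root = { key: root_key, cert: issue_cert('Puppet Root CA: example', root_key, serial: 1, ca: true) }
  puppet = { key: puppet_key }
  puppet[:cert] = issue_cert('Puppet CA: puppet.example', puppet_key, serial: 2, issuer: root, ca: true)
  { root_ca: root[:cert], puppet_ca: puppet[:cert], server_key: server_key, client_key: client_key,
    server_cert: issue_cert('puppetdb.example', server_key, serial: 3, issuer: puppet),
    client_cert: issue_cert('agent.example', client_key, serial: 4, issuer: puppet) }
end

# Ruby equivalent of `openssl verify -CAfile ca.pem -untrusted chain.pem leaf.pem`. `trusted` stands
# in for the contents of ca.pem; with a real agent call store.add_file on the localcacert path instead.
def verify_chain(leaf, untrusted, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, ok ? 'ok' : store.error_string]
end

# Mutual-TLS handshake over a loopback socket pair. The server is set up the way the jetty.ini above
# wants PuppetDB (TLS 1.2 only, client certificate required) but offers only AES-GCM suites, so none
# of the CBC suites Jetty logged as weak can be negotiated. Returns {ok:, cipher:, client_cn:} or {ok: false, error:}.
def handshake(pki, present_client_cert: true, trust_ca: true)
  trust = OpenSSL::X509::Store.new
  [pki[:root_ca], pki[:puppet_ca]].each { |c| trust.add_cert(c) }   # what Puppet's ca.pem bundle holds
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = pki[:server_cert]
  sctx.key = pki[:server_key]
  sctx.extra_chain_cert = [pki[:puppet_ca]]          # send the intermediate, as puppetserver does
  sctx.cert_store = trust
  sctx.client_ca = [pki[:puppet_ca], pki[:root_ca]]  # s_client prints these as acceptable CA names
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  sctx.min_version = sctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  sctx.ciphers = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = trust if trust_ca   # leave this out and Ruby fails the way the first post's agent did
  cctx.cert, cctx.key = pki[:client_cert], pki[:client_key] if present_client_cert
  cctx.min_version = cctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  srv_io, cli_io = UNIXSocket.pair
  server = Thread.new do
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(srv_io, sctx)
      ssl.accept
      { ok: true, cipher: ssl.cipher[0], client_cn: ssl.peer_cert.subject.to_a.first[1] }
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
      { ok: false, error: "server: #{e.message}" }
    ensure
      srv_io.close
    end
  end
  begin
    OpenSSL::SSL::SSLSocket.new(cli_io, cctx).connect
    server.value
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
    server.join(5)
    { ok: false, error: "client: #{e.message}" }
  ensure
    cli_io.close
  end
end

if $PROGRAM_NAME == __FILE__
  pki = build_pki
  p verify_chain(pki[:server_cert], [pki[:puppet_ca]], [pki[:root_ca]]), verify_chain(pki[:server_cert], [], [])
  p handshake(pki), handshake(pki, present_client_cert: false), handshake(pki, trust_ca: false)
end
```

Run it with ruby. The first handshake succeeds and reports the negotiated GCM suite and the client's CN, which is what the successful s_client run above shows as "Verification: OK" and a named cipher. The second, with no client certificate, is refused by the server side, which is the situation a bare s_client without -cert/-key is in. The third, with the CA bundle missing from the client's store, fails on the client side with a certificate verify error, which is the original poster's symptom before the Puppet CA was trusted.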