Until today we had a *.our.domain in autosign.conf. So any host from
our.domain could get a signed certificate if it contacts our master.
But we've decided to move that "*" to a complete list of hostnames.
So, I've pasted all the names to the autosign file and restarted the master (not
sure if needed). So far, so good. Then I removed one name from the autosign
file, cleaned its cert, and ran puppet on the host, but it's still able
to contact the master and get its catalogue when it's supposed to get some
kind of error.
So, how is it possible? Where am I misunderstanding autosign
behaviour?
# puppetmasterd --genconfig|grep autosign
# Whether to enable autosign. Valid values are true (which
# autosigns any key request, and is a very bad idea), false (which
# never autosigns any key request), and the path to a file, which
# The default value is '$confdir/autosign.conf'.
autosign = /etc/puppet/autosign.conf
# wc -l /etc/puppet/autosign.conf
660 /etc/puppet/autosign.conf
# grep tditaller027.pic.es /etc/puppet/autosign.conf
#
[root@tditaller027 ~]# puppetd --test --server ser01.pic.es
info: Retrieving plugin
info: Loading facts in odd_ip
info: Loading facts in odd_ip
info: Caching catalog for tditaller027.pic.es
info: Applying configuration version '1305815351'
notice: Finished catalog run in 33.76 seconds
# rpm -qa|grep puppet
puppet-2.6.1-0.6.el5
puppet-server-2.6.1-0.6.el5
same version on client.
TIA,
Arnau
> Hi all,
>
> Until today we had a *.our.domain in autosign.conf. So any host from
> our.domain could get a signed certificate if it contacts our master.
> But we've decided to move that "*" to a complete list of hostnames.
>
> So, I've pasted all the names to the autosign file and restarted the master (not
> sure if needed). So far, so good. Then I removed one name from the autosign
> file, cleaned its cert, and ran puppet on the host, but it's still able
> to contact the master and get its catalogue when it's supposed to get some
> kind of error.
>
> So, how is it possible? Where am I misunderstanding autosign
> behaviour?
1) Are you sure you want this? Sounds like a bad idea.
2) As the documentation you have open shows, you can get the same effect by setting "autosign = true"
3) Try "*.*" instead. I think I remember Puppet won't work with just an asterisk.
Hi Patrick,
Maybe I haven't explained myself correctly.
> 1) Are you sure you want this? Sounds like a bad idea.
I want to restrict the puppet service to a list of known hosts. Is this a
bad idea? I don't want all the nodes in our domain to be able to
autosign their certificate.
> 2) As the documentation you have open shows, you can get the same
> effect by setting "autosign = true"
Yep, but I don't want autosign. I want to sign certificates as I add
clients to the puppet master.
> 3) Try "*.*" instead. I think I remember Puppet won't work with just
> an asterisk.
*.my.domain has worked fine.
Thanks for your reply,
Cheers,
Arnau
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Sorry. I read your whole email backwards. I can only blame being tired.
Did you clean using "puppetca --clean hostname" on the server, by using "rm" on the client, or both?
Are you using Passenger?
Here's a list of things to consider:
Is the certificate revoked in the certificate revocation list? The
current version of puppet cert --clean will revoke then clean, and I'm
not sure the revoke was added in recent versions of puppet.
openssl crl -text -noout -in crl.pem
Does the client certificate serial number match the CRL?
Either review ca/inventory.txt, or perform a puppet cert --print of
the certificate:
# puppet cert -p foo
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16 (0x10) (<- This serial should be revoked in CRL)
If you are using Apache, is it configured to use the CRL? (see the Passenger docs)
SSLCARevocationFile
SSLVerifyClient
SSLVerifyDepth
If you have multiple puppet masters are you distributing the CRL?
You can test the certificate with openssl:
openssl s_client -host puppet -port 8140 \
    -cert /path/to/ssl/certs/node.domain.com.pem \
    -key /path/to/ssl/private_keys/node.domain.com.pem \
    -CAfile /path/to/ssl/certs/ca.pem
Brice has a detailed blog post on more troubleshooting steps:
http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/
Thanks,
Nan
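The "does the client certificate's serial number appear in the CRL?" check from the list above, as an added, runnable example (this is not part of Nan's message and not Puppet's own tooling). Because a real Puppet CA is not available offline, the script first builds a throwaway CA with openssl, issues two client certificates, revokes one and generates a CRL; the CA directory, the hostnames revoked.example.com and active.example.com and the serial numbers are all constructed for the demo. The `cert_revoked` function is the reusable part: point it at a node's certificate and the CA's crl.pem.

```shell
#!/bin/sh
# Added example: check whether a certificate's serial is listed in a CRL.
# Everything below the CRL check is scaffolding that builds a throwaway CA
# so the script runs offline; names, paths and serials are constructed.
set -eu

CA_DIR=$(mktemp -d)
export CA_DIR

# Minimal 'openssl ca' configuration for the throwaway CA (hypothetical).
cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

mkdir "$CA_DIR/newcerts"
touch "$CA_DIR/index.txt"
echo 10 > "$CA_DIR/serial"   # first issued serial will be 0x10, as in Nan's example

# Self-signed CA certificate and key (constructed, not a real CA).
openssl req -config "$CA_DIR/ca.cnf" -x509 -newkey rsa:2048 -nodes \
  -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" -subj /CN=demo-ca -days 3650 2>/dev/null

# issue_cert <hostname>: create a key/CSR for the host and sign it with the CA.
issue_cert() {
  openssl req -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/ca.cnf" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.pem" 2>/dev/null
}
issue_cert revoked.example.com   # serial 0x10, will be revoked
issue_cert active.example.com    # serial 0x11, stays valid

# Revoke one certificate and publish the CRL, as 'puppet cert --clean' would.
openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/revoked.example.com.pem" 2>/dev/null
openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null

# cert_serial <cert.pem>: the certificate's serial in the hex form openssl prints.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_revoked <cert.pem> <crl.pem>: succeed (exit 0) if the serial is in the CRL.
# 'openssl crl -text' lists each revoked entry as "Serial Number: <hex>".
cert_revoked() {
  serial=$(cert_serial "$1")
  openssl crl -in "$2" -noout -text | grep -qE "^ *Serial Number: ${serial}\$"
}

# Report both demo certificates against the CRL.
report() {
  for cert in "$CA_DIR/revoked.example.com.pem" "$CA_DIR/active.example.com.pem"; do
    if cert_revoked "$cert" "$CA_DIR/crl.pem"; then
      echo "$(basename "$cert"): serial $(cert_serial "$cert") is revoked in the CRL"
    else
      echo "$(basename "$cert"): serial $(cert_serial "$cert") is not in the CRL"
    fi
  done
}
report
```

On a master, the same check is `cert_revoked /var/lib/puppet/ssl/certs/<node>.pem /var/lib/puppet/ssl/ca/ca_crl.pem` (paths depend on your ssldir); a serial that is in the CRL but still accepted by the master points at the front end (Apache/Passenger, Mongrel) not reading the CRL, or not having been restarted since it changed.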
Hi,
> Sorry. I read your whole email backwards. I can only blame being
> tired.
no problem!
> Did you clean using "puppetca --clean hostname" on the server, by
> using "rm" on the client, or both?
clean on the server.
> Are you using Passenger?
Mongrel....
That was the source of the issue....
I had to restart httpd/puppetmaster for the new autosign to take effect.
Now it works fine. I can block/unblock hosts with autosign.
Thanks!
Cheers,
Arnau
Thanks Nan,
with your help and Patrick's I've understood the problem and solved it.
Many thanks for your reply!
Cheers,
Arnau