bypass or a fixed SSL cert


nhadie ramos

Mar 17, 2014, 7:59:07 AM
to puppet...@googlegroups.com

Hi All,

I'm trying Vagrant and Puppet. I would like to be able to launch a VM on VirtualBox, then call Puppet to install packages and do the configuration.
I would be using this for all developers, loaded on their local machines' VirtualBox.

So on Vagrant I launch a machine and set the hostname to dev.mybox.com,
then configure it to connect to my puppetmaster, e.g. puppet agent --server puppetmaster.mybox.com --test --verbose
On my puppet master, I added *.mybox.com to autosign.conf.

The initial vagrant up works since there is no cert yet on the master for dev.mybox.com. But after I destroy the VM and launch it again
I see the error:

err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 2B:E9:77:64:B7:B4:98:DD:75:8D:0F:B5:53:ED:3B:46
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean dev.mybox.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/dev.mybox.com.pem
  puppet agent -t

Is there a way to bypass this or set a fixed cert so that I can destroy and launch the instance using Vagrant without this issue?
Any help would be appreciated. Thank you.

Regards,
Nhadie

Johan De Wit

Mar 17, 2014, 11:00:20 AM
to puppet...@googlegroups.com
Here is my code in the Vagrantfile, where I reuse the certs.

I did generate the certs. 

    vm_config.vm.provision :puppet_server do |server|
      server.puppet_node             = 'rspecfc20.koewacht.net'
      server.puppet_server           = 'puppet.koewacht.net'
      server.client_cert_path        = 'certs/cert_rspecfc20.koewacht.net.pem'
      server.client_private_key_path = 'certs/priv_rspecfc20.koewacht.net.pem'
      server.options                 = '--localcacert=/vagrant/certs/ca.pem'
    end

Grts

Jo




-- 
Johan De Wit

Open Source Consultant

Red Hat Certified Engineer         (805008667232363)
Puppet Certified Professional 2013 (PCP0000006)
_________________________________________________________
 
Open-Future                 Phone     +32 (0)2/255 70 70
Zavelstraat 72              Fax       +32 (0)2/255 70 71
3071 KORTENBERG             Mobile    +32 (0)474/42 40 73
BELGIUM                     http://www.open-future.be
_________________________________________________________
 



Garrett Honeycutt

Mar 17, 2014, 11:45:43 AM
to puppet...@googlegroups.com

The issue is that a cert is already present for that host. Johan's solution looks great to get around this by always reusing the same cert, instead of the VM generating a new one each time. Another approach would be to have the agent delete a cert on the CA, so that the auto-signing works. To do this you have to authorize agents to remove certs by adding the following to the puppet master's auth.conf

    # Allows nodes to clean up certificates of any node. This is being triggered
    # at provisioning time in kickstart to remove the old certificate, since a new
    # one is generated when the system is provisioned.
    path /certificate_status/
    auth any
    method find, save, destroy
    allow *.example.com,pe-internal-dashboard

The agent would run the following, prior to puppet running:

    PUPPETCA=puppetca.example.com
    curl -k -X DELETE -H "Accept: pson" https://${PUPPETCA}:8140/production/certificate_status/`hostname -f`

http://garretthoneycutt.com/index.php/Puppet#Removing_certs_during_provisioning_process

Best regards,
-g

--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
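Added example, not code from either reply above: a pre-flight check in Ruby (the language Vagrant and Puppet are written in) that an agent can run before `puppet agent -t`. It reproduces the check behind the "does not match the agent's private key" error and additionally verifies the cert chains to the CA the agent trusts, so a reused cert/key pair (Johan's approach) is accepted and only a genuinely mismatched one triggers the clean-up Garrett describes. The CA and node certs it builds are constructed in-process; the `build_cert`, `preflight` and `demo` names are mine.

```ruby
require 'openssl'

# Pre-flight check before `puppet agent -t`: reproduces the check behind
# "certificate ... does not match the agent's private key" and also verifies
# the cert chains to the CA the agent trusts (what --localcacert names).
# :reuse => the stored identity survives destroy/up; :clean => remove it first.
def cert_matches_key?(cert_pem, key_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(OpenSSL::PKey.read(key_pem))
end

def cert_issued_by_ca?(cert_pem, ca_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(OpenSSL::X509::Certificate.new(cert_pem))
end

def preflight(cert_pem, key_pem, ca_pem)
  return :clean unless cert_matches_key?(cert_pem, key_pem)
  return :clean unless cert_issued_by_ca?(cert_pem, ca_pem)
  :reuse
end

# Constructed throwaway PKI so the example runs without a puppetmaster:
# with no issuer it builds a self-signed CA, otherwise a node cert signed by it.
def build_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate, ef.issuer_certificate = cert, issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Simulates the thread: the same cert is presented once with the key it was
# issued for (a reused pair) and once with a key a rebuilt VM generated.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert('Puppet CA', ca_key, 1)
  node_key = OpenSSL::PKey::RSA.new(2048)
  node = build_cert('dev.mybox.com', node_key, 2, issuer: ca, issuer_key: ca_key)
  fresh_key = OpenSSL::PKey::RSA.new(2048)
  { reused: preflight(node.to_pem, node_key.to_pem, ca.to_pem),
    rebuilt_vm: preflight(node.to_pem, fresh_key.to_pem, ca.to_pem) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

On a real agent, feed `preflight` the PEMs under the Puppet ssldir (the agent cert path from the error above, its private key, and the local ca.pem) and only run the clean-up steps when it returns :clean.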

