First of all, thanks for such great software, and that too at no
cost.
I'm describing the problem below along with my Environment Details:
1. LDAP: openDS
2. Puppet: Version 2.7.3 (Both clients and servers)
3. Certificates being used: Signed by cacert.org
4. Node Definitions: in openDS
5. LDAP(SSL) Port: 1636
6. Puppet Port: 8140
7. Puppet Runs by: Webrick
Problem:
We have a lot of servers which we control by puppet, and the puppet node
definitions are stored in LDAP.
Everything was going perfectly earlier. But for a few days I have seen the
error below:
-------
warning: Retrying LDAP connection
err: Failed when searching for node xxxxx.domain.com : LDAP Search
failed
-------
This error is for all the nodes. The server runs perfectly at port
1389, which is the non-ssl port.
Solutions Applied:
1. Installed cacert's root certificate ca-bundle.crt in /etc/pki/tls/
certs/ at the puppet server.
2. Tried to run the server at 1389 and am still running it. But we fear
this for security reasons.
3. Tried to install the cacert in the openssl way, i.e. created a soft link
of the server to `hash of ca-bundle.crt`.0, but that too did not work.
Any help provided will be highly appreciated. Since this is my first
post, please ignore my errors, but do let me know. And also, before
posting this, I searched this group for any possible solutions, but
did not find any.
---
Thanks
Ganesh
I don't use ldap myself so I may be of limited value.
First, it would also be useful to confirm that ldap works as expected over ssl by performing an ldapsearch -vx -ZZ <whatever you need to test your search> from your puppetmaster using the credentials you need.
It would also be good to see the puppet.conf you are using that shows your ldap settings. I do notice you're using a non-standard ldaps port.
Cheers,
Den
Yes search works perfectly. I tried it multiple times and it still
works.
It works at non-ssl port as well.
As far as the non-standard port is concerned, openDS LDAP uses port 1636
as standard.
Moreover, it had been working in the past at port 1636.
Here is the puppet.conf file in use:
At present ssl settings are commented out.
===================================================================================
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
node_terminus = ldap
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = puppet-server.domain.com
report = false
runinterval = 30
[master]
node_terminus = ldap
ldapssl = false
#ldapssl = true
ldapserver = ldap-server.domain.com
ldapbase = ou=appliances,o=gluu
#ldapport = 1636
ldapport = 1389
ldapuser = cn=directory manager
ldappassword = ********
===================================================================================
On Nov 26, 2:22 am, Denmat <tu2bg...@gmail.com> wrote:
> Hi,
>
> I don't use ldap myself so I may be of limited value.
>
> First, it would also be useful to confirm that ldap works as expected over ssl by performing an ldapsearch -vx -ZZ <whatever you need to test your search> from your puppetmaster using the credentials you need.
>
> It would also be good to see the puppet.conf you are using that shows your ldap settings. I do notice you're using a non-standard ldaps port.
>
> Cheers,
> Den
>
How can puppet trust the certificate presented by my ldap server which
is signed by cacerts.org?
If I am able to do that somehow, my problem can be resolved.
Any ideas?
Can you provide any debug information? If you say it was working, can you think of any change that might have contributed?
The only other thing I can think of without looking at the code would be to append the cacert.org ca to the puppet ca and see if that helps. Logs on LDAP might also point to a clue.
Den
Sure, I can provide the debug information as well, though I could see
nothing much.
I concatenated cacert's root.crt and class3.crt to /var/lib/puppet/ssl/
ca/ca_crt.pem.
That did not help me.
In the next post I will provide my debug information, i.e. the output of:
puppetmasterd --no-daemonize --verbose --debug
Kindly let me know if you want to see the output of any other commands
as well.
I'll provide those too.
---
Thanks
Ganesh
On Nov 29, 2:51 am, Denmat <tu2bg...@gmail.com> wrote:
> Hi,
>
> Can you provide any debug information? If you say it was working, can you think of any change that might have contributed?
>
> The only other thing I can think of without looking at the code would be to append the cacert.org ca to the puppet ca and see if that helps. Logs on LDAP might also point to a clue.
>
> Den
>
> On 29/11/2011, at 6:31, Ganesh Sharma <worldiswelc...@gmail.com> wrote:
>
> > Let me ask my question more specifically:
>
> > How can puppet trust the certificate presented by my ldap server which
> > is signed by cacerts.org?
> > If I am able to do that somehow, my problem can be resolved.
> > Any ideas?
>
> > On Nov 29, 12:29 am, Ganesh Sharma <worldiswelc...@gmail.com> wrote:
> >> Thanks Den for your reply.
>
> >>> On 26/11/2011, at 7:24, Ganesh Sharma <worldiswelc...@gmail.com> wrote:
>
> >>>> Hello,
>
> >>>> First of all thanks for such a great software and that too for no
> >>>> cost.
> >>>> I'm describing the problem below along with my Environment Details:
> >>>> 1.LDAP: openDS
> >>>> 2.Puppet: Version 2.7.3 (Both clients and servers)
> >>>> 3. Certificates being used: Signed by cacert.org
> >>>> 4. Node Definitions: in openDS
> >>>> 5.LDAP(SSL) Port: 1636
> >>>> 6.PuppetPort: 8140
> >>>> 7.PuppetRuns by: Webrick
> >>>> You received this message because you are subscribed to the Google Groups "PuppetUsers" group.
> >>>> To post to this group, send email topuppe...@googlegroups.com.
> >>>> To unsubscribe from this group, send email topuppet-user...@googlegroups.com.
> >>>> For more options, visit this group athttp://groups.google.com/group/puppet-users?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups "PuppetUsers" group.
> > To post to this group, send email topuppe...@googlegroups.com.
> > To unsubscribe from this group, send email topuppet-user...@googlegroups.com.
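The thread tries two ways of making a cacert.org-issued LDAP certificate trusted: a single hash symlink to ca-bundle.crt (Ganesh's step 3) and concatenating root.crt and class3.crt into one CA file, with Den's suggestion to confirm the LDAP side over SSL first. The script below is an added example, not code from any poster or from Puppet: it builds a constructed root -> class3 -> server hierarchy with openssl (all names, paths and the temporary directory are made up) and verifies the server certificate against each trust-store layout, which shows why one `<hash>.0` link for a whole bundle only covers the first certificate in the file while a concatenated CAfile or one link per certificate works. It assumes openssl and awk on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed CA hierarchy:
#   root (self-signed) -> class3 (intermediate) -> ldap-server.domain.com
# mirroring cacert.org's root.crt + class3.crt; every name here is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_root NAME: self-signed CA certificate and key in $WORK/NAME.{crt,key}
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue ISSUER NAME [ca]: certificate for NAME signed by ISSUER; a third
# argument "ca" sets basicConstraints so NAME may itself sign certificates
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  ext="$WORK/$2.ext"
  if [ "$3" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\n' > "$ext"
  else
    printf 'basicConstraints=CA:FALSE\n' > "$ext"
  fi
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -extfile "$ext" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# link_bundle_once BUNDLE DIR: the attempt from the thread, one <hash>.0 link
# for the whole bundle. `openssl x509 -hash` reads only the FIRST certificate
# in the file, so only that subject can be found by a -CApath lookup.
link_bundle_once() {
  mkdir -p "$2"
  ln -sf "$1" "$2/$(openssl x509 -hash -noout -in "$1").0"
}

# link_bundle_each BUNDLE DIR: one PEM file and one hash link per certificate
# (what c_rehash does), so every issuer in the bundle is findable
link_bundle_each() {
  mkdir -p "$2"
  awk -v dir="$2" '/BEGIN CERT/ { n++; f = dir "/ca" n ".pem" } f { print > f }' "$1"
  for f in "$2"/ca*.pem; do
    ln -sf "$f" "$2/$(openssl x509 -hash -noout -in "$f").0"
  done
}

# verify_cafile CERT BUNDLE / verify_capath CERT DIR: print ok or fail.
# The ": OK" line is checked rather than the exit status, which older
# openssl releases did not set reliably for verify.
verify_cafile() {
  if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}
verify_capath() {
  if openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# setup_demo: build the hierarchy, the concatenated bundle and both -CApath layouts
setup_demo() {
  make_root root
  issue root class3 ca
  issue class3 ldap-server.domain.com
  cat "$WORK/root.crt" "$WORK/class3.crt" > "$WORK/ca-bundle.crt"
  link_bundle_once "$WORK/ca-bundle.crt" "$WORK/capath-one-link"
  link_bundle_each "$WORK/ca-bundle.crt" "$WORK/capath-rehashed"
}

if command -v openssl >/dev/null 2>&1; then
  setup_demo
  leaf="$WORK/ldap-server.domain.com.crt"
  echo "CAfile root only:            $(verify_cafile "$leaf" "$WORK/root.crt")"          # fail
  echo "CAfile root+class3 bundle:   $(verify_cafile "$leaf" "$WORK/ca-bundle.crt")"     # ok
  echo "CApath one link for bundle:  $(verify_capath "$leaf" "$WORK/capath-one-link")"   # fail
  echo "CApath one link per cert:    $(verify_capath "$leaf" "$WORK/capath-rehashed")"   # ok
else
  echo "openssl not found; skipping demo" >&2
fi

# Against the live directory the same trust material is exercised with the
# check Den suggests; 1636 is an implicit-TLS ldaps port, so use ldaps://
# rather than -ZZ, which negotiates STARTTLS on the plain 1389 port:
#   openssl s_client -connect ldap-server.domain.com:1636 -CAfile "$WORK/ca-bundle.crt" </dev/null
#   LDAPTLS_CACERT="$WORK/ca-bundle.crt" ldapsearch -x -H ldaps://ldap-server.domain.com:1636 \
#       -D 'cn=directory manager' -W -b ou=appliances,o=gluu -s base '(objectClass=*)'
```

The "root only" case fails for the same reason a missing intermediate fails in production: the server certificate chains to class3, so the trust file handed to the client (the openssl -CAfile, LDAPTLS_CACERT, or whatever file the master's LDAP library is pointed at) has to contain class3 as well as the root, or the server has to send it. The "one link for bundle" case fails even though both certificates are on disk, because the directory lookup is by subject hash and only the root's hash exists as a filename; rehashing each certificate separately is the fix for that layout.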
Before it stopped working at port 1636, all was perfect after I had
upgraded puppet to version 2.7.9.
The other important point is: This Was A Fresh Server.
---
Thanks
Ganesh