Puppet Open Source with own Certificates


hoize

Mar 5, 2015, 7:24:34 PM
to puppet...@googlegroups.com
Hello!

Because I can't find anything with a Google search about my problem with Puppet Open Source, I hope one of you can help me.

On my master server I have installed Foreman, running on Apache, and Puppet Master.

I wanted to replace the certificates of Apache with my own certificates to eradicate problems with the browser (certificate trust).
But then I got another problem: The nodes could not communicate with the Master.

So I decided to replace all certs with my own certs, on the nodes and on the master.
But how could I do this?

I hope you can help me. In the PuppetLabs docs I only found the configuration for Puppet Enterprise for my issue.

Thank You!

Greets Manuel Holzner


Felix Frank

Mar 6, 2015, 9:16:30 AM
to puppet...@googlegroups.com
On 03/05/2015 08:33 AM, hoize wrote:
>
> I hope you can help me. At PuppetLabs-Docs I only found the
> configuration for Puppet Enterprise for my issue.

Hi,

Apart from some path names, it should be applicable to open source Puppet.

Can you link the specific howto you are following, and indicate where
you stumbled?

Thanks,
Felix

hoize

Mar 16, 2015, 4:37:50 AM
to puppet...@googlegroups.com
Hi,

Sorry, I haven't been at work the last week.
Thank you very much for your answer.

At the moment I have Puppet's own certs installed on my master.
Did you replace the certs? If yes, could you give me a short introduction, please?

Thank You!
Hoize

Rilindo Foster

Mar 16, 2015, 10:15:28 AM
to puppet...@googlegroups.com
Hi Hoize,

To clarify, did you put Foreman on top of your existing Puppet infrastructure or did you use the Puppet Master that Foreman installed? It would make sense if it were the latter, because Foreman re-uses Puppet's certificates for its own SSL setup. That, in turn, would explain why the nodes stopped communicating with the master, as it looks like you may have overwritten Puppet's certificates with your own.

- Rilindo

hoize

Mar 16, 2015, 10:51:45 AM
to puppet...@googlegroups.com
Hi!

I took the foreman-installer, which installed Puppet Master, Apache2, MySQL, ...
Yes, the certificates are used by Puppet and by Foreman.

But even if I only change the paths of the SSL engine in the Apache2 sites config to my own certificates, the web browser works fine, but Puppet can't communicate with the nodes.

Thank You!
Hoize

hoize

Mar 18, 2015, 8:47:48 AM
to puppet...@googlegroups.com
Hi!

After a few hours of trial and error my problem is solved.
Here is the solution:

/etc/apache2/sites-enabled/02-foreman.conf:
....
SSLEngine on
# Here you have to use your own signed certificate + key
# (Apache does not accept comments after a directive, so they go on their own lines;
# the paths below are placeholders, use the paths of your own files)
SSLCertificateFile    /path/to/your/own-signed.crt
SSLCertificateKeyFile /path/to/your/own-signed.key
....

/etc/puppet/foreman.yaml:
...
# Here you have to use the cert of your CA (which created the certificate for your web server);
# the path is a placeholder
:ssl_ca: /path/to/your/ca.crt
...

The other certificates are self-signed certs from puppet. 
So my browser SSL failure is fixed and the nodes (Puppet agents) get their certs signed by the Puppet master.

Thank You!
Hoize
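A check for the fix above, added here as an example and not taken from the thread: it confirms that the certificate Apache serves chains to the CA named in foreman.yaml's :ssl_ca:, and that Puppet's own CA stays a separate trust root for the agents. It runs against constructed throwaway certificates; the real paths it mentions (/etc/puppet/foreman.yaml, the SSLCertificateFile path from 02-foreman.conf) are assumptions to adjust for your master.

```shell
#!/bin/sh
# Verifies the two trust relationships behind the fix in this thread:
#  - the cert Apache serves (SSLCertificateFile) must chain to the CA that
#    foreman.yaml names in :ssl_ca:, otherwise Foreman's TLS calls fail;
#  - Puppet's own CA stays a separate root that the agents keep using.
# Real paths (/etc/puppet/foreman.yaml, the SSLCertificateFile path from
# 02-foreman.conf) are assumptions; the demo below uses throwaway certs.

# check_chain CA CERT -> exit 0 if CERT was issued by CA, non-zero otherwise
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# foreman_ssl_ca FILE -> print the path given for :ssl_ca: in a foreman.yaml
foreman_ssl_ca() {
  sed -n 's/^[[:space:]]*:ssl_ca:[[:space:]]*//p' "$1" | tr -d "\"'"
}

# make_demo_pki DIR -> constructed throwaway PKI (not from the thread): a web CA
# that signs web.pem, an unrelated Puppet CA, and a foreman.yaml naming the web CA
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' >"$d/req.cnf"
  for ca in webca puppetca; do
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Demo $ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" >/dev/null 2>&1
  done
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=foreman.example" -keyout "$d/web.key" -out "$d/web.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/web.csr" -CA "$d/webca.pem" -CAkey "$d/webca.key" \
    -CAcreateserial -out "$d/web.pem" >/dev/null 2>&1
  printf ':ssl_ca: %s\n' "$d/webca.pem" >"$d/foreman.yaml"
}

# Walk-through on the constructed PKI; point ca/cert at the real files to audit a master.
main() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  ca=$(foreman_ssl_ca "$dir/foreman.yaml")
  if check_chain "$ca" "$dir/web.pem"; then echo "OK: web cert chains to :ssl_ca:"; fi
  if ! check_chain "$dir/puppetca.pem" "$dir/web.pem"; then
    echo "OK: Puppet CA is a separate root and does not vouch for the web cert"
  fi
  rm -rf "$dir"
}
main "$@"
```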

