Corrupted inventory.txt - how to rebuild?


Sean Carolan

Aug 15, 2011, 5:10:27 PM
to puppet...@googlegroups.com
We have an issue where sometimes servers get assigned serial number
"0x0000" in the inventory.txt file. This causes major problems
including SSL cert errors in the log file. Anyone know how to
properly rebuild inventory.txt without tearing everything out and
starting from scratch?

Nan Liu

Aug 15, 2011, 6:48:33 PM
to puppet...@googlegroups.com

0x0000 is typically the CA cert; was the inventory.txt file blank when
this occurred? If you have all the certificates, you can use puppet
cert -pa and extract the serial number, date, and CN info. I'm not
sure if there's an automated way using openssl commands. This might be
reasonably close (output should be sorted by serial number):

require 'puppet'
require 'openssl'

# inventory.txt layout: serial, not_before, not_after (both UTC), subject
fmt = '%Y-%m-%dT%H:%M:%SUTC'
certs = Dir.glob("#{Puppet[:ssldir]}/ca/signed/*.pem").map do |certfile|
  OpenSSL::X509::Certificate.new(File.read(certfile))
end
# Dir.glob order is arbitrary, so sort explicitly by serial number
certs.sort_by { |c| c.serial.to_i }.each do |cert|
  puts "0x%04x %s %s %s" % [cert.serial.to_i,
                            cert.not_before.strftime(fmt),
                            cert.not_after.strftime(fmt),
                            cert.subject]
end

Thanks,

Nan

Sean Carolan

Aug 16, 2011, 10:25:43 AM
to puppet...@googlegroups.com
> 0x0000 is typically the CA cert, was the inventory.txt file blank when
> this occurred? If you have all the certificates, you can use puppet
> cert -pa and extract the serial number, date, and CN info. I'm not
> sure if there's an automated way using openssl commands. This might be
> reasonably close (output should be sorted by serial number):

Here's the problem as I understand it. We have several puppetmaster
servers, due to the large number of clients and networks that need to
be supported. We synchronize SSL certs between load balanced hosts
using rsync. Somehow or other we occasionally end up getting a host
in the inventory.txt file with 0x0000 serial number. Unfortunately
this seems to reset the counter and new hosts will end up with
duplicate serials to other hosts previously listed in the file.

How do you all handle load balancing and certificate management? Is
there a way to have a master authority cert server, that all the other
nodes turn to for all things SSL?
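
As an added example (not code from the thread or from Puppet itself), a script that rebuilds the inventory in the layout Nan's snippet produces and also flags the two symptoms Sean describes: a 0x0000 entry and a serial shared by more than one host. It uses self-signed test certificates constructed inline in place of the files under $ssldir/ca/signed/; the hostnames and CA name are made up.

```ruby
require 'openssl'

# Constructed fixture: a self-signed cert with a chosen serial and CN,
# standing in for one file under $ssldir/ca/signed/.
def make_cert(serial, cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: test')
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2011, 8, 15, 17, 10, 27)
  cert.not_after = Time.utc(2016, 8, 15, 17, 10, 27)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# One inventory.txt line in the layout Nan's snippet emits.
def inventory_line(cert)
  fmt = '%Y-%m-%dT%H:%M:%SUTC'
  format('0x%04x %s %s %s', cert.serial.to_i,
         cert.not_before.strftime(fmt), cert.not_after.strftime(fmt),
         cert.subject.to_s)
end

# Rebuild the inventory sorted by serial and report the two symptoms from
# the thread: a 0x0000 entry and serials shared by more than one host.
def rebuild_inventory(certs)
  sorted = certs.sort_by { |c| c.serial.to_i }
  by_serial = Hash.new { |h, k| h[k] = [] }
  sorted.each { |c| by_serial[c.serial.to_i] << c.subject.to_s }
  problems = []
  problems << '0x0000 serial present' if by_serial.key?(0)
  by_serial.each do |serial, subjects|
    next if subjects.size < 2
    problems << format('duplicate serial 0x%04x: %s', serial, subjects.join(', '))
  end
  { lines: sorted.map { |c| inventory_line(c) }, problems: problems }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)   # one key for all fixtures; fine for a test
  certs = [make_cert(2, 'web01.example.com', key),
           make_cert(0, 'ghost.example.com', key),  # the stray 0x0000 entry
           make_cert(1, 'db01.example.com', key),
           make_cert(2, 'web02.example.com', key)]  # collides with web01
  result = rebuild_inventory(certs)
  puts result[:lines]
  result[:problems].each { |p| warn "WARNING: #{p}" }
end
```

Point make_cert's callers at certificates loaded from the real signed/ directory and the same checks apply; a non-empty problems list means the rebuilt file should not be trusted until the offending certs are dealt with.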

Luke Bigum

Aug 16, 2011, 11:12:19 AM
to Puppet Users
Sean,

Previously I've set up a cluster of Puppet Masters with one machine
acting as the software load balancer (IPVS) as well as the Puppet
Certificate Authority. The relevant puppet.conf options are ca_port
and ca_server to specify where your CA is. The Puppet Master service
on the CA server listened on the ca_port and signed CA requests. The
default puppet port 8140 was load balanced to a pool of "slave" Puppet
Masters and these masters all NFS mounted the ssl/ca/ directory so
they knew about all signed puppet agents. You could then go even
further and make your CA server resilient with Pacemaker / Heartbeat
or other HA techniques. I didn't bother to go that far though ;)

Hope that helps,

-Luke

Luke Bigum

Aug 16, 2011, 11:13:45 AM
to Puppet Users
Also I think Nigel posted a load balanced solution using entirely
Apache that's floating around on the list, configs and all. Was a few
months ago now if you want to go searching.

Scott Smith

Aug 17, 2011, 5:46:53 PM
to puppet...@googlegroups.com

You guys do realize that it's not necessary to share node certs with puppetmasters if your CA is separated, right?

It's signed for a reason :)
