puppetboard and ssl

Johan De Wit

Feb 8, 2014, 5:35:43 PM
to puppet...@googlegroups.com
Hi,

Has anyone configured puppetboard to use SSL to connect to the puppetdb
server ?

puppetboard runs on a dedicated server, puppetdb on my puppetmaster.

Using plain http, on 8080, everything works.

When i configure puppetboard for https, I get always
ERROR:pypuppetdb.api:Could not reach PuppetDB on
puppet.koewacht.net:8081 over HTTPS.

Doing the same with pypuppetdb in a Python shell, it works,

as the apache user, to rule out permission problems.


>>> from pypuppetdb import connect
>>> db = connect(host='puppet.koewacht.net', port=8081,
ssl_key='/etc/puppetboard/pb_priv.pem',
ssl_cert='/etc/puppetboard/pb_pub.pem')
>>> nodes = db.nodes()
>>> for node in nodes:
...     print(node)
...
fc19.koewacht.net
laptopfc18.koewacht.net
puppetboard
puppet.koewacht.net

Just looking to see if it is some setting I oversee, or I have to delve
in the code ..

Grts

Johan

--
Johan De Wit

Open Source Consultant

Red Hat Certified Engineer (805008667232363)
Puppet Certified Professional 2013 (PCP0000006)
_________________________________________________________

Open-Future Phone +32 (0)2/255 70 70
Zavelstraat 72 Fax +32 (0)2/255 70 71
3071 KORTENBERG Mobile +32 (0)474/42 40 73
BELGIUM http://www.open-future.be
_________________________________________________________


Next Events:
Puppet Fundamentals Training | http://www.open-future.be/puppet-fundamentals-training-4-till-6th-february
Puppet Introduction Course | http://www.open-future.be/puppet-introduction-course-7th-february
Zabbix Certified Training | http://www.open-future.be/zabbix-certified-training-10-till-12th-february
Zabbix for Large Environments Training | http://www.open-future.be/zabbix-large-environments-training-13-till-14th-february
Subscribe to our newsletter | http://eepurl.com/BUG8H

Daniele Sluijters

Feb 10, 2014, 8:34:58 AM
to puppet...@googlegroups.com
Hey,

It should work, Puppetboard is supposed to just pass in the settings to pypuppetdb so unless we really screwed up somewhere that shouldn't be the issue.

Can you show me your settings.py file?

-- 
Daniele Sluijters

Johan De Wit

Feb 10, 2014, 9:48:56 AM
to puppet...@googlegroups.com
Hoi Daniele,

/var/www/puppetboard/settings.py

PUPPETDB_HOST = 'puppet.koewacht.net'
PUPPETDB_PORT = 8080
#PUPPETDB_SSL_VERIFY = True
#PUPPETDB_KEY = '/etc/puppetboard/pb_priv.pem'
#PUPPETDB_CERT ='/etc/pupeptboard/pb_pub.pem'
PUPPETDB_TIMEOUT = 20
DEV_LISTEN_HOST = '127.0.0.1'
DEV_LISTEN_PORT = 5000
UNRESPONSIVE_HOURS = 2
ENABLE_QUERY = True
LOGLEVEL = 'info'


ls -l /etc/puppetboard/ssl

[root@centos65 puppetboard]# ls -l /etc/puppetboard/
total 8
-rw-r----- 1 apache apache 3247 Feb  8 12:30 pb_priv.pem
-rw-r----- 1 apache apache 1895 Feb  8 12:31 pb_pub.pem

I assume the Python code is executed as apache, as given in the vhost definition:

<VirtualHost *:80>
    ServerName puppetboard.koewacht.net
    WSGIDaemonProcess puppetboard user=apache group=apache threads=5
    WSGIScriptAlias / /var/www/puppetboard/wsgi.py
    ErrorLog /var/log/httpd/puppetboard.error.log
    CustomLog /var/log/httpd/puppetboard.access.log combined

    Alias /static /usr/lib/python2.6/site-packages/puppetboard/static

    <Directory /usr/lib/python2.6/site-packages/puppetboard>
        WSGIProcessGroup puppetboard
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>

Thx for puppetboard ..

Johan

Johan De Wit

Feb 10, 2014, 10:01:39 AM
to puppet...@googlegroups.com
Daniele,

I should create an alias pupept=puppet :) 

I will test this further this evening, but it seems logical that the typo did it (well, broke it).
> /etc/pupeptboard/pb_pub.pem

Johan De Wit

Feb 10, 2014, 2:16:51 PM
to puppet...@googlegroups.com
Daniele,

It was not the typo, but it seems ssl_verify=True did the bad thing.

>>> db = connect(host='puppet.koewacht.net',port='8081',ssl_key='/etc/puppetboard/pb_priv.pem',ssl_cert='/etc/puppetboard/pb_pub.pem',api_version=3,ssl_verify=True,timeout=20)

>>> nodes = db.nodes()
>>> for node in nodes:
...   print(node)
...
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/pypuppetdb/api/v3.py", line 55, in nodes
    nodes = self._query('nodes', path=name, query=query)
  File "/usr/lib/python2.6/site-packages/pypuppetdb/api/__init__.py", line 266, in _query
    timeout=self.timeout)
  File "/usr/lib/python2.6/site-packages/requests/api.py", line 55, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.6/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> db = connect(host='puppet.koewacht.net',port='8081',ssl_key='/etc/puppetboard/pb_priv.pem',ssl_cert='/etc/puppetboard/pb_pub.pem',api_version=3,ssl_verify=False,timeout=20)

>>> nodes = db.nodes()
>>> for node in nodes:
...   print(node)
...
fc19.koewacht.net
laptopfc18.koewacht.net
puppetboard
puppet.koewacht.net


the working config :

PUPPETDB_HOST = 'puppet.koewacht.net'
PUPPETDB_PORT = 8081
PUPPETDB_SSL_VERIFY = False
PUPPETDB_KEY = '/etc/puppetboard/pb_priv.pem'
PUPPETDB_CERT ='/etc/puppetboard/pb_pub.pem'

PUPPETDB_TIMEOUT = 20
DEV_LISTEN_HOST = '127.0.0.1'
DEV_LISTEN_PORT = 5000
UNRESPONSIVE_HOURS = 2
ENABLE_QUERY = True
LOGLEVEL = 'debug'

Grts

Johan

Daniele Sluijters

Feb 10, 2014, 6:15:52 PM
to puppet...@googlegroups.com
Hey Johan,

SSL_VERIFY trips up a few people, I need better docs on that.

When you connect to PuppetDB as a client you need to present two things, a private key and a public key signed by the Certificate Authority that also signed the server certificate of PuppetDB. This in all likelihood is your Puppet CA and it looks like you're passing on those certs correctly.

However, since we're connecting over SSL to PuppetDB, PuppetDB itself also presents us with a server certificate, again signed by the Puppet CA. This is what SSL_VERIFY governs, whether we want to verify that the certificate PuppetDB presents us with is signed by a CA we trust.

When SSL_VERIFY is set to True pypuppetdb/Puppetboard will try to use your OS truststore, /etc/ssl/ca-certificates usually, to verify that PuppetDB's server certificate is signed by a CA we know. Since in all likelihood you haven't added your Puppet CA to this truststore verification will fail and this is why you get the error.

You have two choices now, set SSL_VERIFY to False and trust that you're always talking to your actual PuppetDB or copy from the Puppet CA $vardir/ssl/ca_crt.pem to /etc/puppetboard and set SSL_VERIFY to the path of ca_crt.pem. In that case the file SSL_VERIFY points to will be used to verify PuppetDB's server certificate instead of the OS truststore.

I hope this fixes the issue for you.

-- 
Daniele Sluijters
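
Added example, not code from Puppetboard, pypuppetdb or anyone in this thread: a small Python pre-flight check that walks the three values PUPPETDB_SSL_VERIFY can take in the explanation above (True for the OS truststore, False for no server verification, a path for the Puppet CA's ca_crt.pem) and maps them, together with PUPPETDB_KEY/PUPPETDB_CERT, onto the verify and cert arguments python-requests takes underneath pypuppetdb. The settings-dict layout, file names, message texts and the demo() function are this example's own assumptions; the PEM files demo() writes are constructed placeholders carrying only BEGIN/END markers, not real keys or certificates.

```python
"""Pre-flight check for Puppetboard's PuppetDB TLS settings.

Added example, not Puppetboard or pypuppetdb code. PUPPETDB_SSL_VERIFY is
read the way the thread describes and mapped onto the verify/cert arguments
python-requests takes:
  True           verify PuppetDB's server cert against the OS truststore
  False          skip server cert verification (anyone can impersonate PuppetDB)
  "/path/ca.pem" verify against that CA bundle, e.g. the Puppet CA's ca_crt.pem
Settings layout, file names and message texts are this example's assumptions.
"""
import os
import shutil
import stat
import tempfile

CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")


def _check_pem(path, markers, what, problems):
    """Record a problem if path is missing, unreadable or not the expected PEM kind."""
    if not os.path.isfile(path):
        problems.append("%s not found: %s" % (what, path))
    elif not os.access(path, os.R_OK):
        problems.append("%s not readable by uid %d: %s" % (what, os.getuid(), path))
    else:
        with open(path) as fh:
            head = fh.read(4096)
        if not any(m in head for m in markers):
            problems.append("%s is not a PEM %s: %s" % (what, markers[0], path))


def requests_tls_args(settings):
    """Return (requests kwargs, problems, warnings) for Puppetboard-style settings."""
    problems, warnings = [], []
    verify = settings.get("PUPPETDB_SSL_VERIFY", True)
    key = settings.get("PUPPETDB_KEY")
    cert = settings.get("PUPPETDB_CERT")

    # Client side: PuppetDB expects a key plus a cert signed by the Puppet CA.
    if bool(key) != bool(cert):
        problems.append("PUPPETDB_KEY and PUPPETDB_CERT must be set together")
    if key:
        _check_pem(key, KEY_MARKERS, "PUPPETDB_KEY", problems)
        if os.path.isfile(key) and os.stat(key).st_mode & stat.S_IROTH:
            warnings.append("PUPPETDB_KEY is world-readable: %s" % key)
    if cert:
        _check_pem(cert, (CERT_MARKER,), "PUPPETDB_CERT", problems)

    # Server side: what PuppetDB's own certificate gets checked against.
    if verify is True:
        warnings.append("PUPPETDB_SSL_VERIFY=True checks PuppetDB's cert against the "
                        "OS truststore, which must contain the Puppet CA")
    elif verify is False:
        warnings.append("PUPPETDB_SSL_VERIFY=False disables server cert verification; "
                        "a man-in-the-middle can impersonate PuppetDB")
    elif isinstance(verify, str):
        _check_pem(verify, (CERT_MARKER,), "PUPPETDB_SSL_VERIFY CA bundle", problems)
    else:
        problems.append("PUPPETDB_SSL_VERIFY must be True, False or a CA bundle path")

    kwargs = {"verify": verify}
    if key and cert:
        kwargs["cert"] = (cert, key)  # requests takes (certificate, key) in that order
    return kwargs, problems, warnings


def demo():
    """Run the checker over constructed placeholder PEM files (markers only, no real keys)."""
    workdir = tempfile.mkdtemp(prefix="puppetboard-tls-")
    paths = {}
    for name, kind in (("pb_priv.pem", "RSA PRIVATE KEY"), ("pb_pub.pem", "CERTIFICATE"),
                       ("ca_crt.pem", "CERTIFICATE")):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "w") as fh:
            fh.write("-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (kind, kind))
    os.chmod(paths["pb_priv.pem"], 0o640)  # like the thread's -rw-r----- apache apache
    base = {"PUPPETDB_KEY": paths["pb_priv.pem"], "PUPPETDB_CERT": paths["pb_pub.pem"]}
    cases = [("os_truststore", True), ("unverified", False), ("puppet_ca", paths["ca_crt.pem"]),
             ("typo", os.path.join(workdir, "pupeptboard", "ca_crt.pem"))]
    results = {}
    for name, verify in cases:
        kwargs, problems, warnings = requests_tls_args(dict(base, PUPPETDB_SSL_VERIFY=verify))
        results[name] = {"kwargs": kwargs, "problems": problems, "warnings": warnings}
    os.chmod(paths["pb_priv.pem"], 0o644)  # now the key leaks to every local user
    kwargs, problems, warnings = requests_tls_args(dict(base, PUPPETDB_SSL_VERIFY=paths["ca_crt.pem"]))
    results["leaky_key"] = {"kwargs": kwargs, "problems": problems, "warnings": warnings}
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome["problems"], outcome["warnings"])
```

Run it as the user the WSGI process runs as (apache here) before restarting httpd: an empty problems list with only the OS-truststore warning is the situation Johan hit, since the Puppet CA is not in the OS store; pointing PUPPETDB_SSL_VERIFY at the copied ca_crt.pem clears the warning; and a mistyped path (the pupeptboard case) is reported before pypuppetdb ever opens a socket.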

Johan De Wit

Feb 11, 2014, 3:06:35 AM
to puppet...@googlegroups.com
Thanks Daniele,

I really should delve deeper into SSL. 

I will try this out today, but I'm confident it will work now, thanks to your good explanation.

Grts

Johan
