How to force generation of ca_crl.pem?


Amos Shapira

Jul 4, 2013, 8:37:55 PM7/4/13
to puppet...@googlegroups.com
Hello,

I have a standard Puppet 2.7 configuration installed from Gem on Ubuntu 12.04, running behind Apache.

I'm testing the reprovisioning of the puppet master from scratch in Vagrant and ran into a little snag - apache configuration points to a puppet ca_crl.pem file which doesn't exist, so apache refuses to start.

The puppet master documentation says that it'll automatically generate this file if it isn't present, but I need a way to get it generated automatically before apache tries to start.

All this is done using a master-less puppet configuration used to bootstrap the Vagrant box.

Is there a way for me to trigger automatic generation of the ca_crl.pem file before starting Apache? I tried using generic "openssl ca -gencrl" but failed to find a way to point it to puppet master's "ca/serial" file from the command line.

Thanks,

--Amos

Amos Shapira

Jul 4, 2013, 11:44:31 PM7/4/13
to puppet...@googlegroups.com
BTW - Looking at the source code for Puppet 2.7.22, I see that the method which does all this magic is "setup_ssl" in class Puppet::Application::Master.
Now if any ruby guru could help me execute this method from the command line I might be set, so far I failed to make this happen.

Ken Barber

Jul 5, 2013, 8:00:14 AM7/5/13
to Puppet Users
> I have a standard Puppet 2.7 configuration installed from Gem on Ubuntu
> 12.04, running behind Apache.
>
> I'm testing the reprovisioning of the puppet master from scratch in Vagrant
> and ran into a little snug - apache configuration points to a puppet
> ca_crl.pem file which doesn't exist, so apache refuses to start.

Have you tried just using 'puppet cert generate <mymaster_name>' to
populate the initial certificates? I don't have a 2.7.x around, but
for 3.x it repopulates all the missing certificates it seems including
ca_crl.pem.

> The puppet master documentation says that it'll automatically generate this
> file if it isn't present, but I need a way to get it generated automatically
> before apache tries to start.

Yes, and it does - when you start it standalone using webrick (ie.
puppet master --no-daemonize --debug --log console ... or something
will probably do the trick). But the SSL offloading to Apache kind of
breaks this as you've mentioned.

ken.

Ken Barber

Jul 5, 2013, 8:08:37 AM7/5/13
to Puppet Users
If it helps I did a bit of a Gist walkthrough of the full cert
recreation etc. using puppet cert generate here:
https://gist.github.com/kbarber/5934100 ...

Amos Shapira

Jul 5, 2013, 11:03:12 PM7/5/13
to puppet...@googlegroups.com
Thanks very much Ken,

I'm away from the comp for the weekend, I'll try these and get back to you as soon as I can.

Amos Shapira

Jul 8, 2013, 10:03:32 PM7/8/13
to puppet...@googlegroups.com
I've verified that the "puppet cert generate.." command generates the files which are required to get the Apache daemon up and running.
Thanks Ken.

Dominique Quatravaux

Apr 30, 2015, 1:41:36 PM4/30/15
to puppet...@googlegroups.com

On Tuesday, July 9, 2013 at 04:03:32 UTC+2, Amos Shapira wrote:
> I've verified that the "puppet cert generate.." command generates the files which are required to get the Apache daemon up and running.
> Thanks Ken.

This didn't work for me, however the following did:

  puppet cert generate bogusname
  puppet cert clean bogusname
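
Putting Ken's and Dominique's answers together as a manifest for the master-less bootstrap run (an added example, not code from the thread): initialise the CA with the bogus-name generate/clean trick, create the master's own certificate with `puppet cert generate <master name>`, and only then let Apache start. The ssldir path, the `apache2` service name and the use of `$::fqdn` as the master name are assumptions based on Puppet 2.7 defaults on Ubuntu 12.04.

```puppet
# Added example (not from the thread). Assumes Puppet 2.7 defaults on
# Ubuntu 12.04: ssldir /var/lib/puppet/ssl and an 'apache2' service.
$ssldir = '/var/lib/puppet/ssl'
$master = $::fqdn   # assumed: the name Apache's vhost expects the master cert under

# Step 1: initialise the CA. Generating and then cleaning a throwaway cert
# creates ca_crt.pem, ca_key.pem, serial and ca_crl.pem without leaving a
# signed bogus certificate behind. `creates` makes this idempotent: once the
# CRL exists the exec is skipped, so a re-run never re-creates an existing CA.
exec { 'bootstrap-puppet-ca':
  command => 'puppet cert generate bogusname && puppet cert clean bogusname',
  path    => ['/usr/local/bin', '/usr/bin', '/bin'],
  creates => "${ssldir}/ca/ca_crl.pem",
}

# Step 2: the master's own cert/key, which the Apache SSL vhost also loads.
exec { 'generate-master-cert':
  command => "puppet cert generate ${master}",
  path    => ['/usr/local/bin', '/usr/bin', '/bin'],
  creates => "${ssldir}/certs/${master}.pem",
  require => Exec['bootstrap-puppet-ca'],
}

# Step 3: fail the run early if the CRL is not parseable, rather than
# finding out when Apache refuses to start.
exec { 'verify-puppet-crl':
  command     => "openssl crl -in ${ssldir}/ca/ca_crl.pem -noout",
  path        => ['/usr/bin', '/bin'],
  refreshonly => true,
  subscribe   => Exec['bootstrap-puppet-ca'],
}

# Step 4: Apache starts only after every file its vhost references exists.
service { 'apache2':
  ensure  => running,
  enable  => true,
  require => Exec['generate-master-cert', 'verify-puppet-crl'],
}
```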
 