Requesting assistance with new install. 90% there, need help on "Testing Simian Auth", last step on the deploying package wiki page


Victor Moroz

May 6, 2013, 4:07:45 PM
to simian-...@googlegroups.com
Good day all.

I am having, what I think, are certificate location problems on a new install of Simian 2.1.

My setup:

Macbook Pro, running OSX 10.6.8
AppEngine: <sitename>.appspot.com

I have gotten all the way through the various stages of the wiki steps. I have a working website at the AppEngine address. The site accepted my server_private_key_pem, ca_public_cert_pem, & server_public_cert_pem. I can run the "make dmg" script and install the subsequent .dmg file. 

The problem comes when I go to test using the "simianauth --debug" command. Using that command I get the following output:

$ simianauth --debug
/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/gae_client.zip/google/appengine/tools/dev_appserver_login.py:33: DeprecationWarning: the md5 module is deprecated; use hashlib instead
/usr/local/munki/simian/lib/python2.6/site-packages/tlslite-0.3.8-py2.6.egg/tlslite/utils/cryptomath.py:9: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/gae_client.zip/google/appengine/tools/dev_appserver_login.py:33: DeprecationWarning: the md5 module is deprecated; use hashlib instead
/usr/local/munki/simian/lib/python2.6/site-packages/tlslite-0.3.8-py2.6.egg/tlslite/utils/cryptomath.py:9: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
DEBUG:root:_LoadConfig(): config = {'token_cookie': None, 'report': [], 'token': None, 'write-root-ca-certs': None, 'uploadfile': [], 'debug': '', 'uploadfiletype': None, 'server': None}
DEBUG:root:_LoadConfig(): commands = ['login']
DEBUG:root:SimianClient.__init__(<sitename>.appspot.com [default=True], 443, True)
DEBUG:root:LoadHost(<sitename>.appspot.com, 443)
DEBUG:root:LoadHost(): hostname = <sitename>.appspot.com, port = None, use_https = True
DEBUG:root:_LoadRootCertChain()
DEBUG:root:_Get(root_ca_cert_chain_pem)
DEBUG:root:_GetExternalPem(root_ca_cert_chain_pem)
DEBUG:root:_GetExternalConfiguration(root_ca_cert_chain.pem)
ERROR:root:Configuration not found: root_ca_cert_chain.pem
WARNING:root:Root CA Cert Chain was EMPTY!
DEBUG:root:GetSystemRootCACertChain: Executing ['/usr/bin/security', 'find-certificate', '-a', '-p', '/System/Library/Keychains/SystemRootCertificates.keychain']
DEBUG:root:GetSystemRootCACertChain: returning 275774 bytes
DEBUG:root:_LoadCertSubjectLists()
DEBUG:root:LoadCaParameters
DEBUG:root:_Get(ca_id)
DEBUG:root:_GetExternalValue(ca_id)
DEBUG:root:_GetExternalConfiguration(settings)
DEBUG:root:_Get(ca_public_cert_pem)
DEBUG:root:_GetExternalPem(ca_public_cert_pem)
DEBUG:root:_GetExternalConfiguration(ca_public_cert.pem)
DEBUG:root:_Get(server_public_cert_pem)
DEBUG:root:_GetExternalPem(server_public_cert_pem)
DEBUG:root:_GetExternalConfiguration(server_public_cert.pem)
DEBUG:root:_Get(server_private_key_pem)
DEBUG:root:_GetExternalPem(server_private_key_pem)
DEBUG:root:_GetExternalConfiguration(server_private_key.pem)
ERROR:root:Configuration not found: server_private_key.pem
DEBUG:root:_Get(required_issuer)
DEBUG:root:_GetExternalValue(required_issuer)
DEBUG:root:Loaded ca_params
DEBUG:root:_Get(ca_public_cert_pem)
DEBUG:root:_GetExternalPem(ca_public_cert_pem)
DEBUG:root:_Get(server_public_cert_pem)
DEBUG:root:_GetExternalPem(server_public_cert_pem)
DEBUG:root:_Get(server_private_key_pem)
DEBUG:root:_GetExternalPem(server_private_key_pem)
DEBUG:root:_GetExternalConfiguration(server_private_key.pem)
ERROR:root:Configuration not found: server_private_key.pem
DEBUG:root:_Get(required_issuer)
DEBUG:root:_GetExternalValue(required_issuer)
DEBUG:root:Loaded default_ca_params
DEBUG:root:Running command: "login"
DEBUG:root:SimianAuthCliClient.Login
DEBUG:root:SimianAuthClient._GetPuppetSslDetails
DEBUG:root:GetFacter: facter cache mtime is 2013-05-06 15:48:35
DEBUG:root:GetFacter: reading recent facter cache
DEBUG:root:GetFacter: read 8 entities
DEBUG:root:Certname from facter: "foo-cert-name"
DEBUG:root:_GetPuppetSslDetails(foo-cert-name.pem)
DEBUG:root:_ValidatePuppetSslCert: required_issuer C=US,ST=New York,L=New York,O=Xperteks
DEBUG:root:_ValidatePuppetSslCert: default_required_issuer C=US,ST=New York,L=New York,O=Xperteks
DEBUG:root:_ValidatePuppetSslCert: /etc/simian/ssl/certs/foo-cert-name.pem
DEBUG:root:Skipped cert foo-cert-name.pem, IO Error [Errno 2] No such file or directory: '/etc/simian/ssl/certs/foo-cert-name.pem'
ERROR:root:Failed to harvest Puppet SSL cert facter specified.
DEBUG:root:_GetNewestPuppetSslCert found certs 
INFO:root:Output = {}
DEBUG:root:Could not obtain SSL details
Traceback (most recent call last):
  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/simianauth.py", line 371, in Run
    method()
  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/simianauth.py", line 394, in Login
    token = self.client.GetAuthToken()
  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/client.py", line 1942, in GetAuthToken
    self.DoSimianAuth()
  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/client.py", line 1457, in DoSimianAuth
    self._InitializeAuthClass(interactive_user)
  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.1-py2.6.egg/simian/client/client.py", line 1406, in _InitializeAuthClass
    raise SimianClientError('Could not obtain SSL details')
SimianClientError: Could not obtain SSL details
Error: Could not obtain SSL details

------------------end of error-------------
There are obviously a couple of issues here, but I'm not sure where to start to work the fix. I see the Deprecation errors, but I don't know if that's something to worry about or not as it seems to keep going on to the tests. My main problem is that I don't seem to be providing the correct certificates in the correct locations that the script is testing.

Can anyone out there give me any hints as to where I am going wrong? I have the cert files, and will put them wherever they need to go, but I don't know where that is.

I've read every page of the wiki, and most of the posts in the group here, but if I missed something obvious feel free to let me know.

Thanks in advance.


Justin McWilliams

May 6, 2013, 4:38:21 PM
to simian-...@googlegroups.com
Victor,

Do note that certs are not deployed with the Simian install DMG.  You have to manually deploy certs to your clients.


As long as you've done that, these are the lines you should worry about first:

DEBUG:root:Skipped cert foo-cert-name.pem, IO Error [Errno 2] No such file or directory: '/etc/simian/ssl/certs/foo-cert-name.pem'
ERROR:root:Failed to harvest Puppet SSL cert facter specified.

That cert name is being decided by the output of "simianfacter", which (optionally) executes "facter" and fills in missing data based on configured settings in /etc/simian/settings.cfg

Do any certs exist in /etc/simian/ssl/certs/?  For that path specifically, there should only be one -- the public cert for that unique client.  

- Justin



Victor Moroz

May 6, 2013, 4:47:17 PM
to simian-...@googlegroups.com
Justin,

Currently there are no certs in that folder. I re-looked at the SimianAndcertificates page and will make a new client cert and put it in there.

Victor Moroz

May 14, 2013, 4:20:04 PM
to simian-...@googlegroups.com
An update:

When I had a chance to get back to this today I was getting the same errors. I tried making new client certificates and updating the settings in the settings.cfg file to no avail. I was looking at one of the wiki pages and asked a colleague (who knows Macs much better than I) about some shorthand I did not recognize. The line said "PWD/etc/simian/ssl/" and I asked about the PWD part. His answer made me realize that I had been placing the client certs in the wrong folders.

I had been putting them in the /simian-2-1/et/simian/ssl/ path (the folders I downloaded). When I put the certs in the actual /etc/simian/ssl/certs & /private_keys/ paths respectively and ran the simianauth, I get the Auth1Token properly.

Thanks for the help, even though I didn't quite get it the first time through.

Shane Pinnell

May 15, 2013, 10:38:01 AM
to simian-...@googlegroups.com
I believe PWD means the working directory for Simian on the machine you are using to configure and deploy from. In my case, I checked Simian out from SVN to my desktop so my working directory was ~/Desktop/simian-0.8.4.1770/trunk/

The client certificates that you generate need to be placed on the clients at /etc/simian/ssl

Justin McWilliams

May 15, 2013, 11:01:27 AM
to simian-...@googlegroups.com
Right.  The certs need to be in the working dir, where you're building the client and such, in order to pass tests that run before building the DMG.  Then they need to exist in the root /etc/simian/ssl dir for the client to function after install.
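
A preflight check for the layout this thread settles on, as an added example that is not part of the original posts or of the Simian project: it verifies that exactly one client cert sits in etc/simian/ssl/certs under a given root ("/" for an installed client, the build working directory for the pre-DMG tests). It assumes the private key carries the same file name as the cert under etc/simian/ssl/private_keys, and the permission check on the key is an added hardening step, not something the thread requires.

```shell
#!/bin/sh
# Added example (not Simian code). Usage after sourcing this file:
#   check_simian_certs /            # installed client
#   check_simian_certs "$PWD"       # build working directory
# Return codes: 0 ok, 1 certs dir missing, 2 cert count != 1,
#               3 private key missing, 4 private key readable by group/others.
check_simian_certs() {
    root="${1:-/}"
    ssl_dir="${root%/}/etc/simian/ssl"

    if [ ! -d "$ssl_dir/certs" ]; then
        echo "MISSING dir: $ssl_dir/certs"
        return 1
    fi

    # The thread states this directory should hold exactly one public cert,
    # the one for this unique client.
    count=0
    cert=""
    for f in "$ssl_dir"/certs/*.pem; do
        [ -f "$f" ] || continue      # skips the literal pattern when nothing matches
        count=$((count + 1))
        cert="$f"
    done
    if [ "$count" -ne 1 ]; then
        echo "EXPECTED 1 cert in $ssl_dir/certs, found $count"
        return 2
    fi

    # Assumption: the key file name matches the cert file name.
    key="$ssl_dir/private_keys/$(basename "$cert")"
    if [ ! -f "$key" ]; then
        echo "MISSING key: $key"
        return 3
    fi

    # Added hardening check: flag a key that group or others can read.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "INSECURE permissions on $key (expected owner-only, e.g. 0600)"
        return 4
    fi

    echo "OK: $cert and $key are in place"
    return 0
}
```

Running it against both roots shows at a glance whether the certs were only ever placed in the downloaded source tree rather than in the real /etc/simian/ssl.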