
Puppet Master creates .$domain.pem certificate?

asked 2014-08-06 21:23:04 -0600

Naftuli Tzvi Kay

I generate my own certificates before starting my Puppet Master and Agent like so:

```
puppet cert generate --path "$PATH" --dns_alt_names "hostname,hostname.domain.com,puppet,puppet.domain.com" hostname.domain.com
```

This notifies me that the certificate is generated and signed:

```
Notice: Signed certificate request for ca
Notice: hostname.domain.com has a waiting certificate request
Notice: Signed certificate request for hostname.domain.com
Notice: Removing file Puppet::SSL::CertificateRequest hostname.domain.com at '/var/lib/puppet/ssl/ca/requests/hostname.domain.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest hostname.domain.com at '/var/lib/puppet/ssl/certificate_requests/hostname.domain.com.pem'
```

I then start my master, and I see the following in the logs:

```
Aug  7 02:15:17 kungfumaster puppet-master[638]: .domain.com has a waiting certificate request
Aug  7 02:15:17 kungfumaster puppet-master[638]: Signed certificate request for .domain.com
Aug  7 02:15:17 kungfumaster puppet-master[638]: Removing file Puppet::SSL::CertificateRequest .domain.com at '/var/lib/puppet/ssl/ca/requests/.domain.com.pem'
Aug  7 02:15:17 kungfumaster puppet-master[638]: Removing file Puppet::SSL::CertificateRequest .domain.com at '/var/lib/puppet/ssl/certificate_requests/.domain.com.pem'
```

For some reason, my Puppet Master process is creating and signing a .domain.com certificate and adding that to the certificate authority.

Why is it doing this? Is this normal, expected functionality from the Puppet Master? What is this SSL certificate used for, as it isn't associated with any full domain name?


2 Answers


answered 2014-08-08 16:18:16 -0600

Stefan

If you run your puppet master for the first time, the master will assume it is the certificate authority and will first create a self-signed CA certificate (which is later transferred to all agents). The master will also create a certificate for itself with the CN set to the fqdn and will then sign that one with the CA certificate.

The name of the master's certificate can be set with the certname setting, which defaults to the fqdn fact. The fqdn fact, on the other hand, is hostname.domainname, so it looks like your master has trouble generating the hostname fact correctly.

There has been a similar issue lately and the reason was a very limited $PATH variable for the user that was running puppet. So please make sure that hostname is in $PATH or set the path configuration setting by hand.


Comments

Specifying `certname` in the Puppet configuration fixes the problem, but I'm [currently looking into fixing the PATH variable for my puppet user](https://unix.stackexchange.com/questions/149935/how-is-path-set-for-users-in-puppet).

Naftuli Tzvi Kay (2014-08-12 14:23:10 -0600)

answered 2014-08-12 14:57:40 -0600

Naftuli Tzvi Kay

When I did this in my config.ru:

```ruby
puts "PATH: " + ENV.fetch("PATH", "null")
```

I got `PATH: null` as the output, i.e., PATH isn't defined when it runs.

My solution was to fix this by adding it to the environment variables:

```ruby
ENV['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

This fixes both of my problems.

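A preflight check covering both failure points in this thread, as an added example that is not code from either poster or from Puppet: it confirms that `hostname` can be found through PATH and that the certname the master would use has a non-empty host label. The helper names (`find_in_path`, `certname_problems`, `preflight`) are hypothetical, and the certname is passed in by the caller rather than read from Puppet.

```ruby
# Added example: helper names are hypothetical, not part of Puppet or Rack.

# Return the full path of the first executable named `cmd` found in the
# PATH-style string `path`, or nil when PATH is unset or has no match.
def find_in_path(cmd, path)
  path.to_s.split(File::PATH_SEPARATOR).reject(&:empty?).each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# List structural problems with a certname built as hostname.domainname.
# An empty hostname yields a leading dot (".domain.com"), as in the logs above.
def certname_problems(certname)
  name = certname.to_s
  return ["certname is empty"] if name.empty?
  problems = []
  labels = name.split(".", -1) # -1 keeps leading and trailing empty labels
  problems << "hostname label is empty (leading dot)" if labels.first.empty?
  problems << "empty label inside or at end of name" if labels.drop(1).any?(&:empty?)
  problems
end

# Combine both checks; `env` is a Hash-like environment such as ENV.
def preflight(env, certname)
  problems = certname_problems(certname)
  unless find_in_path("hostname", env["PATH"])
    problems << "`hostname` not found via PATH (#{env['PATH'].inspect})"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values mirroring the thread: unset PATH, ".domain.com".
  issues = preflight({}, ".domain.com")
  issues.each { |msg| warn "preflight: #{msg}" }
  # A startup script would abort here rather than let the master sign the cert.
  puts issues.empty? ? "ok" : "refusing to start: #{issues.size} problem(s)"
end
```

Run before the master starts, a non-empty result means a malformed certificate such as `.domain.com` would otherwise be signed into the CA and need cleaning up afterwards.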


Last updated: Aug 12 '14