puppetserver autosigned certificate differs puppetmaster autosigned cert

asked 2015-06-17 06:32:30 -0600 by tbpuppet

updated 2016-09-23 08:06:13 -0600

Hi all,

We tried to migrate from a puppet master running under Apache and Rack to the Java puppetserver, but encountered a strange issue.

Existing puppet nodes are working correctly, but newly added nodes fail to connect to puppetserver with an SSL error.

I managed to find some time to create a puppet sandbox in Vagrant (one puppet master and 2 managed nodes) and play a little bit with the issue.

Here are all the steps I performed to create our own CA and run puppet master and puppet server:

[root@puppet ~]# service puppetserver stop
[root@puppet ~]# find /var/lib/puppet/ssl -type f -delete
[root@puppet ~]# cd /var/lib/puppet/ssl/ca
[root@puppet ca]# mkdir puppet-ca
[root@puppet ca]# cd puppet-ca

[root@puppet puppet-ca]# keytool -genkeypair -v \
  -alias 'Puppet CA - Sandbox' \
  -dname "emailAddress=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox" \
  -keystore puppet-ca.jks \
  -keypass funnyPass \
  -storepass funnyPass \
  -keyalg RSA \
  -keysize 4096 \
  -ext KeyUsage="keyCertSign,cRLSign" \
  -ext BasicConstraints:"critical=ca:true" \
  -validity 3650

Generating 4,096 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
        for: EMAILADDRESS=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox
[Storing puppet-ca.jks]

[root@puppet puppet-ca]# keytool -importkeystore -srckeystore puppet-ca.jks -destkeystore puppet-ca.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass funnyPass -deststorepass funnyPass -srcalias 'Puppet CA - Sandbox' -destalias 'Puppet CA - Sandbox' -srckeypass funnyPass -destkeypass funnyPass -noprompt

[root@puppet puppet-ca]# openssl pkcs12 -in puppet-ca.p12 -nokeys -out ca_crt.pem   # certificate only (-noout would suppress the file output entirely)
Enter Import Password:
MAC verified OK

[root@puppet puppet-ca]# openssl pkcs12 -in puppet-ca.p12 -nodes -nocerts -out ca_key.pem   # key only; -nodes writes it unencrypted, so restrict its file mode
Enter Import Password:
MAC verified OK

[root@puppet puppet-ca]# openssl rsa -in ca_key.pem -pubout > ca_pub.pem
writing RSA key

[root@puppet puppet-ca]# cp /etc/pki/tls/openssl.cnf .

[root@puppet puppet-ca]# vim openssl.cnf # Comment out crlnumber and set database = index.txt

[root@puppet puppet-ca]# touch index.txt

[root@puppet puppet-ca]# openssl ca -gencrl -config openssl.cnf -keyfile ca_key.pem -cert ca_crt.pem -out ca_crl.pem
Using configuration from openssl.cnf

[root@puppet puppet-ca]# ls -l
total 40
-rw-r--r-- 1 root root  1052 Sep 23 13:40 ca_crl.pem
-rw-r--r-- 1 root root  2475 Sep 23 13:34 ca_crt.pem
-rw-r--r-- 1 root root  3424 Sep 23 13:33 ca_key.pem
-rw-r--r-- 1 root root   800 Sep 23 13:34 ca_pub.pem
-rw-r--r-- 1 root root     0 Sep 23 13:39 index.txt
-rw-r--r-- 1 root root 10902 Sep 23 13:40 openssl.cnf
-rw-r--r-- 1 root root  4048 Sep 23 13:26 puppet-ca.jks
-rw-r--r-- 1 root root  4422 Sep 23 13:27 puppet-ca.p12

[root@puppet puppet-ca]# cp ca_*.pem ../

[root@puppet puppet-ca]# cd ..

[root@puppet ca]# touch inventory.txt

[root@puppet ca]# echo 256558 > serial.txt

[root@puppet ca]# cp ca_crt.pem ../certs/ca.pem

[root@puppet ca]# cd ..

[root@puppet ssl]# mv ca/puppet-ca /tmp/

[root@puppet ssl]# find . -type f
./ca/ca_pub ...



The `-` character at the beginning of the output from `sudo puppet cert list newnode.company.com` indicates that the certificate has been revoked. Is it possible there's anything running automatically that could be revoking them?

pizzaops ( 2015-07-02 18:40:51 -0600 )
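The following script is an added example and is not part of the original post, of the comments, or of Puppet itself. It turns the two things discussed above into checks you can run: that the hand-built CA material (key, certificate, CRL, the copy placed in certs/ca.pem) is internally consistent, and that a given node certificate is or is not revoked in the CRL, which is what the leading `-` in `puppet cert list` output reports. The directory layout it assumes (ca/ca_key.pem, ca/ca_crt.pem, ca/ca_crl.pem, certs/ca.pem, ca/signed/<node>.pem under /var/lib/puppet/ssl) is Puppet's default; the function names are the author's, and every check is a plain openssl invocation, so the functions also work on arbitrary PEM files.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Puppet itself: consistency
# checks for a hand-built Puppet CA directory such as the one created above.
# Assumed layout is Puppet's default under /var/lib/puppet/ssl (ca/ca_key.pem,
# ca/ca_crt.pem, ca/ca_crl.pem, certs/ca.pem, ca/signed/<node>.pem); each check
# is a plain openssl call, so the functions work on any PEM files.
set -eu

# SHA-256 over the DER public key, taken from a private key or from a certificate.
pubkey_digest_of_key()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_digest_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# Does private key $1 belong to certificate $2? A CA key that does not match
# ca_crt.pem issues agent certificates that nothing can validate.
ca_key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null && openssl x509 -in "$2" -noout 2>/dev/null || return 1
  [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]
}

# Is $1 usable as a CA: basicConstraints CA:TRUE plus the keyCertSign key usage?
cert_is_ca() {
  local txt
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' && printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# Was CRL $1 signed by CA certificate $2? `openssl crl -CAfile` reports on stderr
# and some versions exit 0 even on failure, so match the message instead.
crl_signed_by() { openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'; }

# Is the serial of certificate $1 listed in CRL $2? This is the condition behind
# the leading '-' that `puppet cert list` prints for a revoked agent certificate.
cert_revoked() {
  local serial
  serial=$(openssl x509 -in "$1" -noout -serial 2>/dev/null | cut -d= -f2) || return 1
  [ -n "$serial" ] || return 1
  openssl crl -in "$2" -noout -text | grep -qE "^[[:space:]]*Serial Number: ${serial}[[:space:]]*$"
}

# What a TLS peer decides: does certificate $1 chain to CA $2 and is it absent
# from CRL $3? openssl verify reads both certificates and CRLs from one -CAfile.
cert_accepted_by() {
  local bundle rc=1
  bundle=$(mktemp)
  cat "$2" "$3" > "$bundle" 2>/dev/null &&
    openssl verify -crl_check -CAfile "$bundle" "$1" 2>&1 | grep -q ': OK' && rc=0
  rm -f "$bundle"
  return $rc
}

# SHA-256 fingerprint; certs/ca.pem (what agents fetch) must equal ca/ca_crt.pem.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

report() { if "$@" >/dev/null 2>&1; then echo "ok      $*"; else echo "FAIL    $*"; fi; }

# Run every check against a Puppet ssldir, e.g.: ./cacheck.sh /var/lib/puppet/ssl
check_puppet_ssldir() {
  local d="$1" n
  report ca_key_matches_cert "$d/ca/ca_key.pem" "$d/ca/ca_crt.pem"
  report cert_is_ca "$d/ca/ca_crt.pem"
  report crl_signed_by "$d/ca/ca_crl.pem" "$d/ca/ca_crt.pem"
  if [ -n "$(fingerprint "$d/certs/ca.pem")" ] && [ "$(fingerprint "$d/ca/ca_crt.pem")" = "$(fingerprint "$d/certs/ca.pem")" ]; then
    echo "ok      certs/ca.pem is the same certificate as ca/ca_crt.pem"
  else
    echo "FAIL    certs/ca.pem differs from ca/ca_crt.pem"
  fi
  for n in "$d"/ca/signed/*.pem; do
    [ -e "$n" ] || continue
    if cert_accepted_by "$n" "$d/ca/ca_crt.pem" "$d/ca/ca_crl.pem"; then echo "ok      $n"
    elif cert_revoked "$n" "$d/ca/ca_crl.pem"; then echo "REVOKED $n"
    else echo "FAIL    $n does not chain to ca/ca_crt.pem"; fi
  done
}

if [ "$#" -gt 0 ]; then
  check_puppet_ssldir "$1"
fi
```

Run it as root against the ssldir (the key file is only readable by the CA user). A node that is reported REVOKED has a serial present in ca/ca_crl.pem, so the server will reject it regardless of what autosigning did; a node that does not chain to ca/ca_crt.pem was issued by a different CA key than the one now installed.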

This issue sounds like it may basically be the same as one I filed here - https://tickets.puppetlabs.com/browse/SERVER-1545. Unfortunately, the last version of Puppet Server, 2.6.0, still has this issue.

camlow325 ( 2016-09-24 10:23:09 -0600 )

@camlow325: thanks for pointing me to this link and for trying to prioritize the issue.

tbpuppet ( 2016-09-24 11:51:08 -0600 )