Excellent, thank you for the help. 

    On Tuesday, November 21, 2017 3:01 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> Ok now I am trying to add puppet to my FreeIPA environment.  Following
> the instructions
> from: https://www.freeipa.org/page/Howto/Using_FreeIPA_CA_for_Puppet

Sadly most instructions don't include the version(s) they were intended
for but Fedora 19 had IPA 3.2.x

> I am getting the following error:
> 
> [root@asm-automation01 ~]# ipa service-add
> puppetmaster/asm-automation01.mgt.asm.borg.local
> ipa: ERROR: Host 'asm-automation01.mgt.asm.borg.local' does not have
> corresponding DNS A/AAAA record
> [root@asm-automation01 ~]# ipa service-add
> puppetmaster/asm-automation01.mgt.asm.borg.local --force
> ipa: ERROR: service with name
> "puppetmaster/asm-automation01.mgt.asm.borg.local@MEYER.LOCAL" already
> exists

Which just means you already created the service.

> [root@asm-automation01 ~]# sudo vi /etc/puppetlabs/puppet/puppet.conf

Uh, ok.

> [root@asm-automation01 ~]# ipa-getcert request -K
> puppetmaster/asm-automation01.mgt.asm.borg.local -d /etc/httpd/alias -n
> puppetmaster/asm-automation01.mgt.asm.borg.local
> Certificate at same location is already used by request with nickname
> "20171116140630".

Again, means you already did it.

> [root@asm-automation01 ~]# puppet master --configprint hostcert
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem
> /etc/puppetlabs/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem
> [root@asm-automation01 ~]# puppet master --configprint hostprivkey
> /var/lib/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem
> /etc/puppetlabs/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem
> [root@asm-automation01 ~]# puppet master --configprint localcacert
> /var/lib/puppet/ssl/certs/ca.pem
> /etc/puppetlabs/puppet/ssl/certs/ca.pem
> 
> 
> 
> [root@asm-automation01 ~]# certutil -L -d /etc/pki/nssdb -a -n "IPA
> Machine Certificate - asm-automation01.mgt.asm.borg.local" >
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local
> certutil: Could not find cert: IPA Machine Certificate -
> asm-automation01.mgt.asm.borg.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
> [root@asm-automation01 ~]# puppet master --configprint localcacert
> /var/lib/puppet/ssl/certs/ca.pem
> /etc/puppetlabs/puppet/ssl/certs/ca.pem
> [root@asm-automation01 ~]# certutil -L -d /etc/pki/nssdb -a -n "IPA
> Machine Certificate - asm-automation01.mgt.asm.borg.local" >
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local
> certutil: Could not find cert: IPA Machine Certificate -
> asm-automation01.mgt.asm.borg.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
> [root@asm-automation01 ~]#

3.2 still generated a machine cert and this stopped happening early in
the 4.x installs.

The directions are flatly wrong. It first generates a cert stored in
/etc/httpd/alias and then instructs to get the cert out of /etc/pki/nssdb.

If you need a pem cert then get one. Don't mess around with converting
from an NSS database because in 2 years it expires and puppet will blow
up. Use this instead:

# ipa-getcert request -K puppetmaster/asm-automation01.mgt.asm.borg.local \
    -f /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem \
    -k /var/lib/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem


rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
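The approach Rob describes (let certmonger write the PEM files puppet reads, so the cert is tracked and renewed by IPA instead of being copied out of an NSS database once and left to expire) as an added example script. This is not code from the thread or from the FreeIPA project; it assumes the Puppet AIO ssldir (override PUPPET_SSLDIR for the legacy /var/lib/puppet/ssl layout), that the server runs as the "puppet" user under a "puppetserver" systemd unit, and that the puppetmaster/<fqdn> service already exists in IPA as it does in the thread. Only the path/principal helpers run without an IPA client; the actual request is executed only when RUN_GETCERT=1.

```shell
#!/bin/sh
# Added example, not from the thread: request the puppetmaster certificate
# as PEM files straight from certmonger so IPA renews it before expiry.
# Assumptions (not from the original post): Puppet AIO ssldir, puppet
# server runs as user "puppet" under the "puppetserver" systemd unit, and
# the puppetmaster/<fqdn> service principal already exists in IPA.
set -eu

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/etc/puppetlabs/puppet/ssl}"
PUPPET_USER="${PUPPET_USER:-puppet}"

# Derive principal, cert path and key path from one FQDN so they cannot
# drift apart: the command in the thread mixed an example.com principal
# with a real hostname in -f/-k and lost the leading slash of the -f path.
principal() { printf 'puppetmaster/%s\n' "$1"; }
cert_path() { printf '%s/certs/%s.pem\n' "$PUPPET_SSLDIR" "$1"; }
key_path()  { printf '%s/private_keys/%s.pem\n' "$PUPPET_SSLDIR" "$1"; }

# certmonger resolves -f/-k relative to its own working directory, so a
# relative path such as var/lib/... ends up somewhere puppet never reads.
is_absolute() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# Print the ipa-getcert command for review; nothing is executed here.
# -K binds the cert to the service principal, -N sets the subject, -D adds
# the DNS SAN, -f/-k are the PEM cert and key puppet is configured to read,
# and -C runs after every issue/renewal so the server picks up the new cert.
build_request() {
  fqdn=$1
  c=$(cert_path "$fqdn"); k=$(key_path "$fqdn")
  if ! is_absolute "$c" || ! is_absolute "$k"; then
    echo "cert/key paths must be absolute: $c $k" >&2
    return 1
  fi
  printf 'ipa-getcert request -K %s -N CN=%s -D %s -f %s -k %s -C "%s"\n' \
    "$(principal "$fqdn")" "$fqdn" "$fqdn" "$c" "$k" \
    "systemctl restart puppetserver"
}

# After the request: getcert status exits 0 once the cert is issued and
# being monitored (otherwise show the tracking entry and its error text).
# Then confirm the issued cert names this host and chains to the IPA CA the
# enrolled client already trusts, and make the key readable by the puppet
# user: certmonger writes it root-owned and mode 0600, which the server
# running as "puppet" cannot open.
verify_issued() {
  fqdn=$1
  c=$(cert_path "$fqdn"); k=$(key_path "$fqdn")
  getcert status -f "$c" >/dev/null || { getcert list -f "$c"; return 1; }
  openssl x509 -in "$c" -noout -text | grep -q "$fqdn" || return 1
  openssl verify -CAfile /etc/ipa/ca.crt "$c" >/dev/null || return 1
  chown root:"$PUPPET_USER" "$k" && chmod 0640 "$k"
}

# Only act when explicitly asked; sourcing the file just defines helpers.
if [ "${RUN_GETCERT:-0}" = 1 ]; then
  fqdn=$(hostname -f)
  mkdir -p "$(dirname "$(cert_path "$fqdn")")" "$(dirname "$(key_path "$fqdn")")"
  sh -c "$(build_request "$fqdn")"
  verify_issued "$fqdn"
fi
```

Run as RUN_GETCERT=1 sh request-puppet-cert.sh on the enrolled host; issuance is asynchronous, so if verify_issued reports the request is still in progress, re-run it after a few seconds. Puppet's localcacert should also point at the IPA CA (the same /etc/ipa/ca.crt used in the verify step), otherwise agents holding IPA-issued certs will not be accepted.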