Hi Experts,

I'm trying to generate my own certificates (all of them, including certs for
the CA, server and client) for Puppet to use.

I'm getting "Could not run: Could not retrieve certificate for puppetsrv
and not running on a valid certificate authority"

Just wondering what the problem could be?

What I did is:

1. Generate a self-signed CA cert, and save the files to ca.crt, ca.prk,
ca.puk, ca.pass.
2. Generate a keypair and a request, then sign with the above CA and save the
files to ssldir/public_keys/puppetsrv.pem, ssldir/private_keys/puppetsrv.pem,
ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
(All certs work fine with openssl verify)
3. Puppet configuration file:
    ca = false
    cakey=$ssldir/ca.prk
    passfile=$ssldir/ca.pass
    cacert=$ssldir/ca.crt
    capub=$ssldir/ca.puk
4. Run puppet master:
    /usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname puppetsrv

Full log (added some breakpoints and printed some tracebacks):
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/opt/cloudcrv/varpuppet/lib]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/confpuppet/puppet.conf]: Autorequiring
File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/run/puppetmasterd.pid]: Autorequiring
File[/opt/cloudcrv/varpuppet/run]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certs/puppetsrv.pem]: Autorequiring
File[/opt/cloudcrv/varpuppet/ssl/certs]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Autorequiring
File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/rrd]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/bucket]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/log]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/facts]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/log/masterhttp.log]: Autorequiring
File[/opt/cloudcrv/varpuppet/log]
debug: /File[/opt/cloudcrv/varpuppet/ssl]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/state]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/confpuppet/fileserver.conf]: Autorequiring
File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certificate_requests]:
Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/confpuppet/auth.conf]: Autorequiring
File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/confpuppet/manifests]: Autorequiring
File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys/puppetsrv.pem]:
Autorequiring File[/opt/cloudcrv/varpuppet/ssl/public_keys]
debug: /File[/opt/cloudcrv/varpuppet/yaml]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/reports]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys]: Autorequiring
File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certs]: Autorequiring
File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Autorequiring
File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/run]: Autorequiring
File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Changing mode
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: 1 change(s)
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]/mode: mode changed
'755' to '750'
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Changing ensure
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: 1 change(s)
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]/ensure: created
debug: Finishing transaction 70044884792200 with 2 changes
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) p Certificate.find("puppetsrv")
#<Puppet::SSL::Certificate:0x7f6930ce7d18 @name="puppetsrv",
@content=#<OpenSSL::X509::Certificate
subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National
Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley
National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC
2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
(rdb:1) p Certificate.find("ca")
nil
(rdb:1) c
info: Creating a new SSL key for puppetsrv
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:184:in `generate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) p Certificate.find("ca")
nil
(rdb:1) p Certificate.find("puppetsrv")
#<Puppet::SSL::Certificate:0x7f6930cdcb20 @name="puppetsrv",
@content=#<OpenSSL::X509::Certificate
subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National
Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley
National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC
2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
(rdb:1) p key
#<Puppet::SSL::Key:0x7f6930ce5810
@password_file="/opt/cloudcrv/varpuppet/ssl/ca.pass", @name="puppetsrv",
@content=-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
>
(rdb:1) c
CertificateAuthority.ca =
notice: Starting Puppet server version 0.25.4
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:101:in `setup_ssl'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:102:in `setup_ssl'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) c
Could not run: Could not retrieve certificate for puppetsrv and not running
on a valid certificate authority

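A consistency check for a hand-built certificate set like the one in steps 1 and 2 above, written with Ruby's OpenSSL bindings (the same classes that appear in the debugger output). This is an added example, not part of the original post and not Puppet's own code; the CA and server certificate are constructed in memory as stand-ins for ca.crt/ca.prk and the ssldir puppetsrv.pem files, and make_cert and check_host_files are hypothetical helper names. It checks the files against each other only and does not model how Puppet looks certificates up.

```ruby
require 'openssl'

# Constructed sample data: builds a throwaway certificate in memory.
# Pass issuer_cert = nil to make a self-signed CA certificate.
def make_cert(cn, key, issuer_cert, issuer_key, serial, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    ef.create_extension('basicConstraints', is_ca ? 'CA:TRUE' : 'CA:FALSE', true)
  )
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns a list of problems; an empty list means the set is consistent.
def check_host_files(certname, cert, key, ca_cert)
  problems = []
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  problems << 'CN does not match certname' unless cn && cn[1] == certname
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  problems << 'issuer name differs from CA subject' unless cert.issuer.cmp(ca_cert.subject) == 0
  problems << 'signature not made by CA key' unless cert.verify(ca_cert.public_key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  problems << "chain: #{store.error_string}" unless store.verify(cert)
  problems
end

ca_key    = OpenSSL::PKey::RSA.new(2048)
ca_cert   = make_cert('ca', ca_key, nil, ca_key, 0, true)
srv_key   = OpenSSL::PKey::RSA.new(2048)
srv_cert  = make_cert('puppetsrv', srv_key, ca_cert, ca_key, 1, false)
other_key = OpenSSL::PKey::RSA.new(2048) # a key that was not used for srv_cert

GOOD = check_host_files('puppetsrv', srv_cert, srv_key, ca_cert)
BAD  = check_host_files('puppetsrv', srv_cert, other_key, ca_cert)
puts "matching set: #{GOOD.inspect}"
puts "wrong key:    #{BAD.inspect}"
```

To run it against real files, load them with OpenSSL::X509::Certificate.new(File.read(path)) and OpenSSL::PKey::RSA.new(File.read(path), passphrase) in place of the constructed objects.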