On Mon, Sep 19, 2011 at 4:56 PM, hamoun <[email protected]> wrote:

> Hi All
>
> Despite several tries I have been unable to set up automatic
> certificate signing for CloudPack.
> This is part of typical output:
>
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> ^CCancelling startup
>
> when I run:
> puppet node install ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com \
>   --login ec2-user --keyfile xxxxx --install-script gems \
>   --puppet-version 2.7.3 --debug --certname cloudadmin
>
> Although in the master I can see that the certificate is requested by
> client, I couldn't figure out where and how the automatic signing takes
> place. I looked into modules/cloud_provisioner/lib/puppet/cloudpack.rb
> where "install" is handled and thought maybe provisioner pulls cert
> requests and signs them but I could not find any code or log.
>

Right now, certificate signing is a step that needs to be performed after
the installation script runs.

The controller node (or the node from which you invoke puppet node) should
be authorized to remotely sign certificates.

For this, you need to add the following lines to the master's auth.conf:

path /certificate_status
method save
auth yes
allow #{controller.to_s}

You also need to ensure that auth is set to any on the following config
sections:

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

Once the controller node has permission to sign certificates, you can run:

puppet certificate sign #{agent_certname} --ca-location remote --mode agent

The bootstrap action should be able to create nodes in ec2, run install and
sign the certs in one action.

Hope this helps.

-Dan



> Thank you
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>


-- 
"Join us for PuppetConf <http://bit.ly/puppetconfsig>, September 22nd and
23rd in Portland, OR."
 <http://bit.ly/puppetconfsig>
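
An added example, not part of the message above and not Puppet's own code: a small Ruby audit of an auth.conf in the style Dan shows, checking that the stanza granting save on /certificate_status (remote signing) requires a verified client certificate and names a specific controller. The sample file text, the host controller.example.com and the function names are constructed for illustration; the check assumes an omitted method line means all methods and an omitted auth line means yes.

```ruby
# Constructed sample auth.conf; controller.example.com is a placeholder host.
SAMPLE_AUTH_CONF = <<~CONF
  # allow access to the master CA
  path /certificate/ca
  auth any
  method find
  allow *

  path /certificate_request
  auth any
  method find, save
  allow *

  path /certificate_status
  method save
  auth yes
  allow controller.example.com
CONF

# Parse "path" stanzas into hashes; directives before the first path are ignored.
def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      stanzas << { path: value.to_s, methods: [], auth: 'yes', allow: [] }
    elsif stanzas.any?
      case key
      when 'method' then stanzas.last[:methods].concat(value.to_s.split(/\s*,\s*/))
      when 'auth'   then stanzas.last[:auth] = value.to_s
      when 'allow'  then stanzas.last[:allow].concat(value.to_s.split(/\s*,\s*/))
      end
    end
  end
  stanzas
end

# Findings for stanzas that let unverified or wildcard clients sign or revoke certificates.
def signing_findings(stanzas)
  stanzas.select { |s| s[:path].start_with?('/certificate_status') }.flat_map do |s|
    next [] unless s[:methods].empty? || s[:methods].include?('save')
    issues = []
    issues << "#{s[:path]}: auth #{s[:auth]} accepts clients without a verified certificate" unless %w[yes on].include?(s[:auth])
    issues << "#{s[:path]}: wildcard allow lets any matching node sign" if s[:allow].any? { |a| a.include?('*') }
    issues
  end
end
```

An empty result from signing_findings means signing is limited to named, certificate-authenticated hosts; the auth any stanzas on /certificate and /certificate_request are not flagged because new agents need them before they hold a signed certificate.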
