I can't generate the cert for use with puppet-dashboard. The dashboard is running on the same host as the puppet-master, both of which are running under apache/passenger. The servername is "mon1", but "puppet" and "dashboard" are aliases for this server, and is what the various nodes use.
Versions:
puppet --version
3.2.0-rc1
puppet-dashboard:
1.2.23
The puppet name itself is resolvable:
$ curl -k https://puppet:8140
can't convert nil into String
This is my configuraiton, and below is the error:
# config/settings.yml
cn_name: 'dashboard'
ca_crl_path: 'certs/dashboard.ca_crl.pem'
ca_certificate_path: 'certs/dashboard.ca_cert.pem'
certificate_path: 'certs/dashboard.cert.pem'
private_key_path: 'certs/dashboard.private_key.pem'
public_key_path: 'certs/dashboard.public_key.pem'
ca_server: 'puppet'
ca_port: 8140
# auth.conf
path /facts
auth any
method find, search
allow *
path /inventory
auth any
method find, search
allow *
And the error:
[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:create_key_pair
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:request --trace
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
** Invoke cert:request (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute cert:request
rake aborted!
400 ""
/usr/lib/ruby/1.8/net/http.rb:2105:in `error!'
/usr/share/puppet-dashboard/lib/puppet_https.rb:27:in `put'
/usr/share/puppet-dashboard/lib/tasks/install.rake:50
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `call'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:184:in `invoke_with_call_chain'
/usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:177:in `invoke_with_call_chain'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:170:in `invoke'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:143:in `invoke_task'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:110:in `run_with_threads'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:95:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:73:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:70:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/bin/rake:33
/usr/bin/rake:19:in `load'
/usr/bin/rake:19
Tasks: TOP => cert:request
Edit:
It appears something is wrong with my apache vhost. Queries to the inventory service work when running the puppet master as a daemon or locally, but not when hosted by apache. Below is my vhost:
Listen 8140
<VirtualHost *:8140>
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/mon1.domain.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/mon1.domain.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# These request headers are used to pass the client certificate
# authentication information on to the puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>
The Passenger related tuning settings are in a different vhost, but I don't believe they are relevant. Could this have something to do with the certificate name being "mon1.domain.com" rather than "puppet.domain.com" ?
This is an example of the access_log:
# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/my.node.com
<LOCALIP> - - [09/May/2013:16:52:40 +1000] "GET /production/facts/my.node.com HTTP/1.1" 400 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
# some node making a request
<REMOTEIP> - - [09/May/2013:16:52:53 +1000] "GET /production/node/some.other.node? HTTP/1.1" 200 3291 "-" "Ruby"
Note that I'm attempting to use curl from the local machine to query the facts and nodes, but that isn't working. The same as what puppet-dashboard is attempting.
Best Answer
Very strange that it just worked.. I don't see anything in your Apache config that would cause a 400 response when running under passenger when it's not happening under webrick, but you never know.
Is the puppet master under passenger working ok otherwise?
The next step in figuring out what's wrong would be to enable the
--debugline in yourconfig.ru, if you want to keep working on figuring out what happened.. or you can just live with getting the cert requested and signed with the webrick workaround and call it a day.Make sure the following settings are added to your puppet.conf file: