

I am using a multiple puppet master setup with puppet dashboard running on a separate server. I have also configured dashboard to use https running with passenger. I would like to turn puppet dashboard in to an ENC.

I have set the following configuration on each puppet master:

node_terminus = exec
external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=https://puppet-dashboard /usr/share/puppet-dashboard/bin/external_node

I have edited the external_node ruby script and specified the https URL for the dashboard, however I am getting this error on the puppet nodes:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Failed when searching for node ukserver0028.domain.net: Failed to find ukserver0028.domain.net via exec: Execution of '/usr/bin/env PUPPET_DASHBOARD_URL=https://puppet-dashboard /usr/share/puppet-dashboard/bin/external_node ukserver0028.domain.net' returned 127:
Error: Could not retrieve catalog; skipping run

selinux is set to permissive

I have run the following command on the puppet master

/usr/bin/env PUPPET_DASHBOARD_URL=https://puppet-dashboard /usr/share/puppet-dashboard/bin/external_node ukserver0028.domain.net

but I get this error:

/usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

This pointed me to the external_node script and the path to the SSL certs

CERT_PATH
PKEY_PATH
CA_PATH

I edited the external_node file and pointed to the certs that are used by dashboard SSL, which were created by the rake tool.

$ sudo -u puppet-dashboard rake cert:create_key_pair
$ sudo -u puppet-dashboard rake cert:request

I also noted that the common name is actually dashboard, not puppet-dashboard, which is my CNAME in DNS. I can now run the following command successfully:

/usr/bin/env PUPPET_DASHBOARD_URL=https://dashboard /usr/share/puppet-dashboard/bin/external_node puppet.domain.net

However, if I run the same command from any node other than the puppet master or the puppet-dashboard server, I get an SSL error, I suppose because the other puppet nodes in the environment are not aware of the puppet certs created by the rake tool to enable HTTPS on dashboard.

Therefore, what are the certs I should be using in the external_node file?

Further to this, I have a sandpit environment with puppet-dashboard that runs using just http. I have that setup working by specifying the path to the external_node script correctly in puppet.conf and configuring the external_node file to use HTTP. So there is definitely something amiss when using dashboard running on HTTPS.

Many thanks - Oli


1 Answer


I managed to fix this. Once all the config was correct, things all worked ok.

The main areas were: the external_node script needs to be on all puppet masters and on the puppet dashboard server. The cert locations should be the ones that are created by the rake tools when enabling https on dashboard; you can see these in the settings.yml file on the dashboard server. Make sure that in the DASHBOARD_URL you are using the common name in the cert created by the rake tool, in most cases dashboard. You may need to set up a CNAME for dashboard, or an A record if you so desire.

Make sure the working external_node script is copied to all puppet master servers and is the same on each. The location I used was /usr/share/puppet-dashboard/bin/external_node. Make sure the URL is https://dashboard, or whatever the CN of the dashboard cert is; otherwise you will get an "SSL name does not match certname" error.

The puppet.conf file on each master has 2 lines to enable the ENC. This is as follows:

node_terminus = exec
external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=https://dashboard /usr/share/puppet-dashboard/bin/external_node

See the dashboard name - that is the same as the CN name in the dashboard cert. Make sure you restart httpd on each puppet master. If you are still reading this, good luck!

Oli
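The two failures in the thread are separate checks in the TLS handshake: "certificate verify failed" means the CA chain is not trusted by the caller, and the "name does not match" error means the host in PUPPET_DASHBOARD_URL is not a name the dashboard certificate asserts (the exit status 127 on the masters, by contrast, is the shell's "command not found", i.e. the script was simply absent there). The following Ruby example, added here and not taken from the original post or from Puppet Dashboard's own external_node script, shows the name check in isolation and the verification settings a hardened ENC client would use. Everything in it is constructed: the self-signed certificates are generated in memory, and the function names (make_self_signed_cert, dashboard_name_matches?, build_dashboard_client) and the keyword parameters are assumptions of this example, not Dashboard's API. It goes slightly beyond the thread by also showing that adding the CNAME as a subjectAltName lets both names validate, which is standard TLS hostname matching.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Generate a throwaway self-signed certificate (constructed test data, never
# use in production). `cn` mirrors the CN the rake task put in the dashboard
# cert; `san_names` optionally adds DNS subjectAltName entries.
def make_self_signed_cert(cn, san_names: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check behind the "name does not match" error: does the host part of the
# dashboard URL match the certificate's identity? Ruby's matcher consults DNS
# SANs first and falls back to the CN only when the cert carries no DNS SAN,
# which is why CN=dashboard rejects https://puppet-dashboard.
def dashboard_name_matches?(cert, url)
  host = URI.parse(url).host
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Build the HTTPS client the way an ENC script should (assumed layout, not
# Dashboard's code): peer verification on, the dashboard CA as the trust root,
# and the puppet cert/key presented as the client certificate. No connection
# is made here; call http.start / http.get when pointing at a real server.
def build_dashboard_client(url, cert_path:, pkey_path:, ca_path:)
  uri  = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # never VERIFY_NONE
  http.ca_file     = ca_path
  http.cert        = OpenSSL::X509::Certificate.new(File.read(cert_path))
  http.key         = OpenSSL::PKey::RSA.new(File.read(pkey_path))
  http
end

if __FILE__ == $PROGRAM_NAME
  cn_only, = make_self_signed_cert('dashboard')
  puts "CN-only cert, https://dashboard        -> #{dashboard_name_matches?(cn_only, 'https://dashboard')}"
  puts "CN-only cert, https://puppet-dashboard -> #{dashboard_name_matches?(cn_only, 'https://puppet-dashboard')}"
  with_san, = make_self_signed_cert('dashboard', san_names: %w[dashboard puppet-dashboard])
  puts "SAN cert,     https://puppet-dashboard -> #{dashboard_name_matches?(with_san, 'https://puppet-dashboard')}"
end
```

Run it with `ruby enc_tls_check.rb`: the CN-only certificate accepts only https://dashboard, matching the thread's finding that the URL must use the cert's CN, while the SAN variant accepts the CNAME too. Loading the real dashboard certificate with `OpenSSL::X509::Certificate.new(File.read(path))` and passing it to dashboard_name_matches? answers the URL question for any host without touching the masters.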