
I can't generate the cert for use with puppet-dashboard. The dashboard is running on the same host as the puppet-master, both of which are running under apache/passenger. The servername is "mon1", but "puppet" and "dashboard" are aliases for this server, and is what the various nodes use.

Versions:

puppet --version
3.2.0-rc1

puppet-dashboard:
1.2.23

The puppet name itself is resolvable:

$ curl -k https://puppet:8140
can't convert nil into String

This is my configuration, and below is the error:

# config/settings.yml
cn_name: 'dashboard'
ca_crl_path: 'certs/dashboard.ca_crl.pem'
ca_certificate_path: 'certs/dashboard.ca_cert.pem'
certificate_path: 'certs/dashboard.cert.pem'
private_key_path: 'certs/dashboard.private_key.pem'
public_key_path: 'certs/dashboard.public_key.pem'
ca_server: 'puppet'
ca_port: 8140

# auth.conf
path /facts
auth any
method find, search
allow *

path /inventory
auth any
method find, search
allow *

And the error:

[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:create_key_pair
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:request --trace
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
** Invoke cert:request (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute cert:request
rake aborted!
400 ""
/usr/lib/ruby/1.8/net/http.rb:2105:in `error!'
/usr/share/puppet-dashboard/lib/puppet_https.rb:27:in `put'
/usr/share/puppet-dashboard/lib/tasks/install.rake:50
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `call'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:184:in `invoke_with_call_chain'
/usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:177:in `invoke_with_call_chain'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:170:in `invoke'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:143:in `invoke_task'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:110:in `run_with_threads'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:95:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:73:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:70:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/bin/rake:33
/usr/bin/rake:19:in `load'
/usr/bin/rake:19
Tasks: TOP => cert:request

Edit:

It appears something is wrong with my apache vhost. Queries to the inventory service work when running the puppet master as a daemon or locally, but not when hosted by apache. Below is my vhost:

Listen 8140
<VirtualHost *:8140>
    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/mon1.domain.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/mon1.domain.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>

The Passenger related tuning settings are in a different vhost, but I don't believe they are relevant. Could this have something to do with the certificate name being "mon1.domain.com" rather than "puppet.domain.com" ?

This is an example of the access_log:

# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/my.node.com
<LOCALIP> - - [09/May/2013:16:52:40 +1000] "GET /production/facts/my.node.com HTTP/1.1" 400 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

# some node making a request
<REMOTEIP> - - [09/May/2013:16:52:53 +1000] "GET /production/node/some.other.node? HTTP/1.1" 200 3291 "-" "Ruby"

Note that I'm attempting to use curl from the local machine to query the facts and nodes, but that isn't working. This is the same as what puppet-dashboard is attempting.

Josh Smeaton
  • Are there any errors logged from the puppet master process when that happens? (you might want to run it with `--no-daemonize --verbose` to get the full error information) – Shane Madden May 09 '13 at 04:13
  • @ShaneMadden I stopped apache from running the master and did as you suggested, and it all worked. Must be something wrong with the apache vhost. I'll paste it above as well. – Josh Smeaton May 09 '13 at 04:57

1 Answer


Very strange that it just worked. I don't see anything in your Apache config that would cause a 400 response when running under passenger when it's not happening under webrick, but you never know.

Is the puppet master under passenger working ok otherwise?

The next step in figuring out what's wrong would be to enable the --debug line in your config.ru, if you want to keep working on figuring out what happened. Or you can just live with getting the cert requested and signed with the webrick workaround and call it a day.

Make sure the following settings are added to your puppet.conf file:

[master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
Josh Smeaton
Shane Madden
  • Unfortunately any request to https://puppet:8140/ returns "can't convert nil into String", rendering the inventory service and others useless. Agents are still able to check in and get their catalog, but nothing else is working by requesting the https url. I'll put the debug line in, and go from there. – Josh Smeaton May 09 '13 at 06:47
  • I'm going to accept this answer with the caveat that apache isn't correctly serving requests for some reason. Running the master under Webrick works fine. I'll investigate this other issue separately, and will provide a write up in a new question. Thanks for the help. – Josh Smeaton May 09 '13 at 07:22
  • I've updated your answer. SSL settings are required in the master section of the puppet.conf file. I'm excruciatingly angry with puppet documentation right now. – Josh Smeaton May 09 '13 at 08:10
  • @JoshSmeaton Aha, good catch. Which version are you on? My 3.1 masters are working just fine under passenger with the `X-Client-DN` and `X-Client-Verify` headers (with those puppet.conf options just using defaults) - maybe the defaults for those config values changed? – Shane Madden May 09 '13 at 19:53
  • Using version 3.2.0-rc1. Just took a look at the source and the defaults are still set correctly: https://github.com/puppetlabs/puppet/blob/master/lib/puppet/defaults.rb but it just would not work without manually configuring those settings. I opened up a pull-request for the documentation to add a section with these values, but I'd be worried if I'm the only one experiencing the problem. – Josh Smeaton May 09 '13 at 22:50
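As an added illustration (not Puppet's code and not from the question or answer) of the link between the vhost's RequestHeader lines and the puppet.conf settings in the answer: a Ruby model of how a proxied master reads the client DN and verification result out of the Rack env, run against constructed sample environments. The env keys follow Apache/Rack naming and Puppet's documented defaults; the CN regex and function names are my own assumptions.

```ruby
# Added illustration, not Puppet's own code: how a Rack-hosted master
# derives the client identity from what Apache forwards, and why a
# puppet.conf header name the vhost never populates leaves it nil.

# "RequestHeader set X-Client-DN ..." reaches the Rack env as
# HTTP_X_CLIENT_DN; variables exported by "SSLOptions +StdEnvVars"
# (SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY) keep their names.
def rack_env_key(apache_header)
  "HTTP_" + apache_header.tr("-", "_").upcase
end

# Pull the Common Name out of a DN in either mod_ssl format:
# legacy "/C=AU/O=Example/CN=host" or RFC 2253 "CN=host,O=Example,C=AU".
def common_name(dn)
  m = dn.match(/CN\s*=\s*([^,\/]+)/)
  m && m[1].strip
end

# Resolve the requester the way a proxied master must: the DN and the
# verification result are read from the env keys named by puppet.conf's
# ssl_client_header and ssl_client_verify_header. Returns :node (certname
# or nil) and :authenticated; only a verified chain ("SUCCESS") counts,
# "NONE" (no client cert) and "FAILED:..." do not.
def client_information(env, dn_key, verify_key)
  dn = env[dn_key]
  return { node: nil, authenticated: false } if dn.nil? || dn.empty?
  cn = common_name(dn)
  return { node: nil, authenticated: false } if cn.nil?
  { node: cn, authenticated: env[verify_key] == "SUCCESS" }
end

# Constructed env for a request from mon1 through the vhost in the
# question: StdEnvVars plus the three RequestHeader lines.
FULL_ENV = {
  "SSL_CLIENT_S_DN" => "/CN=mon1.domain.com", "SSL_CLIENT_VERIFY" => "SUCCESS",
  rack_env_key("X-SSL-Subject")   => "/CN=mon1.domain.com",
  rack_env_key("X-Client-DN")     => "/CN=mon1.domain.com",
  rack_env_key("X-Client-Verify") => "SUCCESS",
}.freeze
# Constructed env for a vhost with StdEnvVars but no RequestHeader lines.
STDENV_ONLY = FULL_ENV.reject { |k, _| k.start_with?("HTTP_") }.freeze

if __FILE__ == $0
  # The settings from the answer work whenever StdEnvVars is on ...
  p client_information(FULL_ENV, "SSL_CLIENT_S_DN", "SSL_CLIENT_VERIFY")
  # ... while Puppet's defaults depend on the RequestHeader lines:
  p client_information(STDENV_ONLY, "HTTP_X_CLIENT_DN", "HTTP_X_CLIENT_VERIFY")
end
```

A nil node here is the proxied equivalent of an anonymous request: whichever of the two header names puppet.conf uses, it must be one the vhost actually populates, and the verify header must reach the master alongside the DN.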