To resolve DNS names, I put host entries on every node, including the master.
First of all, the master.
#A Puppet node (client) first looks for puppet.hostname.com (puppet in its own search domain) and, if that does not resolve, for the bare name puppet.
#So the hostname or an alias puppet must resolve to the puppetmaster.
#The /etc/hosts file must therefore be correct for the puppet system to operate correctly.
root@puppetmaster:~# vi /etc/hosts
#puppet nodes first look up the name puppet, so it is resolved here if DNS does not resolve it
10.1.0.2 puppetmaster puppet
10.1.0.3 puppetclient1
10.1.0.4 puppetclient2
#The configuration above says the puppet architecture is now one puppetmaster (alias puppet) and 2 nodes (clients).
#Next we must set dns_alt_names on the puppet master: it lists the extra hostnames the master's certificate is valid for, so every name agents use to reach the master (such as puppet) belongs there.
root@puppetmaster:~# vi /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
dns_alt_names = puppet,puppetclient1,puppetclient2
environment_timeout=unlimited
#On a production server, the recommended configuration is as follows.
#Taken from puppetlabs.com, for reference.
[main]
certname = puppetmaster01.example.com
server = puppet
environment = production
runinterval = 1h
strict_variables = true
trusted
[master]
dns_alt_names = puppetmaster01,puppetmaster01.example.com,puppet,puppet.example.com
reports = puppetdb
storeconfigs_backend = puppetdb
storeconfigs = true
environment_timeout = unlimited
#The puppet master receives requests on port 8140. Ports 443 and 80 are also listening.
#Later, once puppet is stabilized, we should check whether each of these open ports is necessary and close the ones that are not.
root@puppetmaster:~# netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1697/sshd
tcp6 0 0 :::22 :::* LISTEN 1697/sshd
tcp6 0 0 :::443 :::* LISTEN 4569/apache2
tcp6 0 0 :::8140 :::* LISTEN 4569/apache2
tcp6 0 0 :::80 :::* LISTEN 4569/apache2
#I installed puppetmaster in apache passenger mode. So, starting the apache2 server is a must.
root@puppetmaster:~# service apache2 stop
* Stopping web server apache2 *
###Creating puppet master certificate and MASTER CA certificate###
vagrant@puppetmaster:~$ sudo puppet master --verbose --no-daemonize
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Starting Puppet master version 3.8.1
^CNotice: Caught INT; storing stop
Notice: Processing stop
###Network check from puppetclient1 ####
root@puppetclient1:~# telnet puppet 8140
Trying 10.1.0.2...
Connected to 10.1.0.2.
Escape character is '^]'.
vagrant@puppetmaster:~$ netstat -tpln
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::8140 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
vagrant@puppetclient1:~$ cat /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
### puppet client setting ###
vagrant@puppetclient1:~$ sudo vi /etc/hosts
127.0.0.1 localhost
127.0.1.1 puppetclient1 puppetclient1
10.1.0.2 puppetmaster puppet
10.1.0.3 puppetclient1
### puppet version check ###
vagrant@puppetclient1:~$ puppet --version
3.8.1
vagrant@puppetclient1:~$
# Generating a new key on the puppetclient1 node
root@puppetclient1:~# puppet agent --test
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient1.bla
Info: Certificate Request fingerprint (SHA256): C4:A0:CE:12:D4:4F:42:3C:44:DA:4A:0A:6C:82:DC:3A:2E:B1:7F:1D:CC:61:3B:6B:10:15:77:33:EE:3B:21:8F
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
#Info: Creating a new SSL certificate request for puppetclient1.bla — the domain name is not the intended domain name.
#I had to remove bla from /etc/resolv.conf.
#To re-run puppet agent --test with a fresh identity, remove or back up /var/lib/puppet/ssl on the agent (this discards the agent's key and pending request, so the new request uses the corrected name).
root@puppetclient1:~# rm -rf /var/lib/puppet/ssl/
root@puppetclient1:~# puppet agent --test
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Info: Creating a new SSL key for puppetclient1.tbroad
Info: Caching certificate for ca
Info: Caching certificate_request for puppetclient1.tbroad
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@puppetclient1:~# vi /etc/hosts
root@puppetclient1:~# ls /var/lib/puppet/ssl/
certificate_requests certs private private_keys public_keys
#It is ok...
#From the master (puppetmaster) node
root@puppetmaster:~# puppet cert --list
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
"puppetclient1" (SHA256) C4:A0:CE:12:D4:4F:42:3C:44:DA:4A:0A:6C:82:DC:3A:2E:B1:7F:1D:CC:61:3B:6B:10:15:77:33:EE:3B:21:8F
#Let's suppress the templatedir deprecation warning by commenting that setting out
root@puppetmaster:~#
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
dns_alt_names = puppet,puppetclient1,puppetclient2
environment_timeout=unlimited
#Cleaning the ssl directory on the master. Note that this also deletes the CA private key and the signed agent certificates; a new CA is created on the next run (see "Signed certificate request for ca" below), and every agent must request a new certificate from it.
root@puppetmaster:~# rm -rf /var/lib/puppet/ssl/
root@puppetmaster:~# puppet cert --list
Notice: Signed certificate request for ca
#The puppet master runs under passenger through an apache virtual host file.
#When there is an error message, we must check, as shown below, whether the certificate file name is right or not.
root@puppetmaster:/etc/init.d# vi /etc/apache2/sites-available/puppetmaster.conf
root@puppetmaster:/etc/init.d# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 23 of /etc/apache2/sites-enabled/puppetmaster.conf:
SSLCertificateFile: file '/var/lib/puppet/ssl/certs/puppetmaster' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
root@puppetmaster:/etc/init.d#
root@puppetmaster:/etc/init.d# service apache2 restart
* Restarting web server apache2 [ OK ]
root@puppetmaster:/etc/init.d# suppressing * Restarting web server apache2 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>
> ^C
root@puppetmaster:/etc/init.d#
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
ServerName puppetmaster
#Now there is no pending certificate request from the nodes (clients).
root@puppetmaster:/etc/init.d# puppet cert --list
root@puppetmaster:/etc/init.d#
#Again, generating the agent certificate request
root@puppetclient1:~# puppet agent --test
Info: Creating a new SSL key for puppetclient1
Info: Caching certificate for ca
Info: Caching certificate_request for puppetclient1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@puppetclient1:~#
root@puppetmaster:/etc/init.d# puppet cert --list
"puppetclient1" (SHA256) 12:3C:60:26:53:B0:7A:76:48:F8:97:31:28:36:3A:64:36:72:E7:B7:3E:6B:ED:65:0F:56:15:15:FE:3D:A8:AD
root@puppetmaster:/etc/init.d#
#Sign the node's (puppetclient1) request. Before signing, compare the fingerprint shown by puppet cert --list with the one the agent printed when it created the request.
root@puppetmaster:/etc/init.d# puppet cert sign puppetclient1
Notice: Signed certificate request for puppetclient1
Notice: Removing file Puppet::SSL::CertificateRequest puppetclient1 at '/var/lib/puppet/ssl/ca/requests/puppetclient1.pem'
root@puppetmaster:/etc/init.d#
#No error..relax.
***When regenerating the puppetmaster certificate***
#There will be situations when we need to reset the whole puppet SSL configuration.
#We need to be prepared for that.
#The ssl directory exists in the default location: /var/lib/puppet/ssl.
root@puppetmaster:/etc/apache2# ls /var/lib/puppet/ssl/
ca certificate_requests certs crl.pem private private_keys public_keys
#If it is removed or renamed, the apache2 passenger startup will fail.
root@puppetmaster:/etc/apache2# mv /var/lib/puppet/ssl/ /var/lib/puppet/ssl.bak/
root@puppetmaster:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 23 of /etc/apache2/sites-enabled/puppetmaster.conf:
SSLCertificateFile: file '/var/lib/puppet/ssl/certs/puppetmaster.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
#It is time to generate the puppetmaster certificate file.
root@puppetmaster:/etc/apache2# puppet cert generate puppetmaster
Notice: Signed certificate request for ca
Notice: puppetmaster has a waiting certificate request
Notice: Signed certificate request for puppetmaster
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/ca/requests/puppetmaster.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.pem'
root@puppetmaster:/etc/apache2# service apache2 restart
* Restarting web server apache2 [ OK ]
root@puppetmaster:/etc/apache2#
###Must we regenerate each node's request keys?###
###Now I have only one node (puppetclient), but what if there are hundreds of servers?###
###http://docs.puppetlabs.com/puppet/4.1/reference/ssl_regenerate_certificates.html says we should do it^^;###