[Pkg-puppet-devel] Bug#501504: Puppet (puppetca) needs the openssl package to work properly

Stephan Hermann sh at sourcecode.de
Wed Oct 8 10:57:19 UTC 2008


Hi Matthew,

On Wed, 2008-10-08 at 18:43 +1100, Matthew Palmer wrote:
> On Wed, Oct 08, 2008 at 09:20:32AM +0200, Stephan Hermann wrote:
> > On Wed, 2008-10-08 at 11:33 +1100, Matthew Palmer wrote:
> > > On Tue, Oct 07, 2008 at 11:36:44PM +0200, Stephan Hermann wrote:
> > > > Package: puppet
> > > > Version: 0.24.5-2
> > > > 
> > > > Dear Colleagues,
> > > > 
> > > > please add the openssl package to Depends/Recommends/Suggests to the
> > > > puppet package.
> > > > 
> > > > puppetca needs it to sign and generate keyfiles and signatures.
> > > 
> > > That would actually be libopenssl-ruby that's needed, and it'd be a
> > > Recommends on the puppetmaster package, as that's where puppetca lives.  I
> > > could have sworn that used to be in the Recommends, back in the day...
> > 
> > Nope...
> > libopenssl-ruby doesn't work out properly...
> > 
> > I wonder why...I didn't have openssl installed, and puppetca didn't work
> > properly...first after installing openssl puppetca worked as expected.
> 
> So, let's do some basic debugging then.  What operation(s) failed without
> openssl installed, and what error(s) did you see?  The only place I can see
> that the openssl binary is called from puppetca is in puppetca --verify.

Ok,

I installed puppetmaster + puppet (dep of puppetmaster) on server A,
setup a basic site.pp for the manifest...so far it's working.

On Server B I installed puppet only, and did a test connect like:

puppetd --fqdn whatever3 --server puppetmaster --waitforcert 60 --test

puppetmaster now refuses to let the client (whatever3) pass through and
get its config, because server B can't be authenticated.

puppetca on puppetmaster now tells me via

puppetca -l 

that there is a request for signature for an ssl key of "whatever3"
client.

puppetca -s <nodename>

-> no signed request. doesn't work

the call

puppetd --fqdn whatever3 --server syslog01 --waitforcert 60 --test

doesn't work...

after installing openssl on puppetmaster and deleting the files from the
certstore via

puppetca --clean

and 

puppetca --generate <nodename> (signature included)

the client can connect to the puppetmaster and works as expected.

Regards,

\sh







More information about the Pkg-puppet-devel mailing list