[SERVER-142] ssldir in puppet.conf is not being honoured
Created: 2014/11/05 Updated: 2016/09/27 Resolved: 2014/11/14
"distdescription"=>"Debian GNU/Linux 7.7 (wheezy)"
puppetserver version: 0.3.0-1puppetlabs1
There's a discrepancy between what --configprint (and the config file) shows and where puppet is looking for certificate requests.
sheela@rugnor:~$ sudo puppet agent -t
This is what configprint shows
This is the /etc/puppet/puppet.conf
|Comment by Nate Wolfe [ 2014/11/07 ]|
Thanks for the submission Sheela Nistala. I think you might be running into one of the current shortcomings of Puppet Server - it doesn't automatically pick up configuration changes (like to puppet.conf) without restarting the service. Furthermore, it would actually look like the master in fact did get your config changes when you do puppet master --configprint ssldir.
Did you by chance change the ssldir setting after the Server had been started? That would explain why the error message is looking in the default location of /var/lib/puppet/ssl, but the agent --configprint shows /etc/puppet/ssl.
If this is what is going on, then restarting the Server service would help. At that point you might need to do some SSL cleanup as things could be spread over the two locations.
|Comment by Jeremy Barlow [ 2014/11/07 ]|
Your theory sounds reasonable to me, Nate Wolfe.
It would also be interesting to know if the /var/lib/puppet/ssl/ca/requests/ directory was deleted sometime after the Puppet Server master had started up since the master presumably would have created it if it didn't already exist when it first started up. That is the only scenario under which I could reproduce the ERROR 500 response for a certificate_request PUT. It does seem like the error handling on the master should be a bit more precise here - e.g., check for the existence of the certificate request directory before attempting to save the request to it and, if it doesn't exist, fail with a message indicating that the request could not be stored because the requestdir does not exist.
When I do this with the Ruby CA, for example, I get this error in the agent instead:
|Comment by Sheela Nistala [ 2014/11/12 ]|
Thank you for the reply Nate Wolfe.
Edit: I'm editing this comment because the one made earlier was inaccurate.
|Comment by Nate Wolfe [ 2014/11/12 ]|
Glad you got it working Sheela Nistala!
The Puppet Server will not tolerate missing files/directories as nicely as the Ruby Master, so if deleting the directory used to work, it probably won't anymore. What were you trying to achieve by deleting the directory? There might be a different way to get the same effect now.
|Comment by Jeremy Barlow [ 2014/11/12 ]|
I think Sheela Nistala thought that by deleting the /var/lib/puppet/ssl directory – the originally generated SSL directory that would no longer need to be used – that the master would automatically start using the newly configured /etc/puppet/ssl directory. As you mentioned though, Nate Wolfe, a puppetserver restart is what would be needed in order for the /etc/puppet/ssl directory to start being used because the settings in the puppet.conf file are only read by the puppetserver service at startup.
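The check suggested earlier in this thread (confirm the certificate request directory exists and fail with a precise message), as an added example that is not part of the ticket or of Puppet Server's code. It assumes the CA request directory is ssldir/ca/requests, as in the path quoted above, and that a [master] setting overrides [main]; conf_ssldir, check_csrdir and demo are hypothetical names.

```shell
#!/bin/sh
# Added example (not Puppet Server code): read ssldir from a puppet.conf-style
# file and verify that the CA request directory under it exists.

# Print the ssldir set in [master], else [main]; return 1 if neither sets it.
conf_ssldir() {
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*ssldir[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "main" || sec == "master") v[sec] = val
        }
        END {
            if ("master" in v) print v["master"]
            else if ("main" in v) print v["main"]
            else exit 1
        }
    ' "$1"
}

# Return 0 if <ssldir>/ca/requests exists; otherwise name the missing
# directory on stderr and return 1.
check_csrdir() {
    csrdir="$1/ca/requests"
    if [ -d "$csrdir" ]; then
        echo "ok: $csrdir"
    else
        echo "error: cannot store certificate requests, $csrdir does not exist" >&2
        return 1
    fi
}

# Constructed sample: puppet.conf points at a relocated ssldir that has
# ca/requests, while the old default-style location no longer does.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/puppet/ssl/ca/requests" "$tmp/var/lib/puppet/ssl"
    printf '[main]\nssldir = %s\n' "$tmp/etc/puppet/ssl" > "$tmp/puppet.conf"
    configured=$(conf_ssldir "$tmp/puppet.conf")
    check_csrdir "$configured"                      # configured location: ok
    check_csrdir "$tmp/var/lib/puppet/ssl" || true  # stale location: precise error
    rm -rf "$tmp"
}
demo
```

This only compares the file on disk with the filesystem; it cannot tell which ssldir an already running puppetserver process loaded at startup.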
|Comment by Nate Wolfe [ 2014/11/14 ]|
Sheela Nistala Glad you're past this issue - we're going to mark this as Resolved. Please feel free to reopen the ticket if there are further issues!
|Comment by Sheela Nistala [ 2014/11/18 ]|