Package: puppetmaster-passenger
Severity: normal
Tags: patch
Hi,

the postinst script of puppetmaster-passenger tries to get a lot of information by querying the current puppet configuration via "puppet config print $key". By default puppet config will present the configuration values from the user mode. As I suppose that puppetmaster-passenger is always used in the context of a puppetmaster, it should therefore query the master section of the puppet configuration.

To clarify this a bit, please follow this example setup:

- one host which acts as puppetmaster and also has a local puppet agent
- the puppetmaster has to use in its certificates the FQDN under which it is known to the other puppet agents as a service name, configured as a CNAME to that host in the DNS. For example: puppetmaster01.example.org
- the local puppet agent on that host likes to use its own FQDN. For example: host01.example.org

So you will end up with a puppet.conf with these lines:

  [master]
  certname=puppetmaster01.example.org
  [agent]
  certname=host01.example.org

This will work for the puppet agent and the built-in puppetmaster. As you install puppetmaster-passenger, the postinst script will now query the puppet config and end up with the default certname, which is the FQDN of that host (host01.example.org). Therefore the apache vhost for passenger will use, for example:

  SSLCertificateFile /etc/puppet/ssl/certs/host01.example.org.pem

which is the certificate of the agent and not the master. This will get even worse if for whatever reason the FQDN of the host is neither the certname of the master nor that of the agent.

In order to query the configuration which is set for the master, you should add the command line option which specifies the mode for puppet (user, agent, master). Older versions of puppet have the option "--mode". I tested this with puppet 2.7.11 and prepared the attached patch called 2.7.11.patch. Since version 3.0.0rc1 this option is changed to --run_mode.
The commit where it was introduced to the manpage is: http://anonscm.debian.org/gitweb/?p=pkg-puppet/puppet.git;a=commit;h=fdf1d9e3b5e2231daf5ddf26f1460e1dbb3c972a
It's still there at the head of master. I tried this with puppet version 3.1.0 but it fails and says that this option is unknown. Unfortunately I have no newer version here to check if --run_mode is working in later versions. Nevertheless I also attached a patch which uses this option in case it's now working, please see 3.1.0.patch.

Cheers,
Andreas

-- 
Andreas Rütten
mailto:andreasruet...@gmx.de
xmpp:andreasruet...@gmx.de
irc://irc.oftc.net/aruetten
4096R: 0x6C9DFFB2 / 8394 99DA 59BD BCE2 3FC8 3A9E 6633 0089 6C9D FFB2
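The section precedence the report relies on (a [master] value wins over [main], and an unset certname falls back to the host FQDN) can be checked without a running puppet. The following is an added example, not code from the bug report or from the Debian package: a small awk-based puppet.conf reader, a helper that derives the hostcert path the way the report describes, and a wrapper that tries both flag spellings named in the report (--mode, --run_mode) before falling back to the parser. The sample puppet.conf, the /var/lib/puppet/ssl ssldir and the /etc/puppet/ssl default are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the bug report or the puppetmaster-passenger
# package. Resolves puppet.conf settings per run mode ([SECTION] over
# [main], then a caller-supplied default) so the agent/master certname
# mix-up from the report can be reproduced offline. Only the --mode and
# --run_mode spellings mentioned in the report are assumed.

# puppet_conf_get FILE SECTION KEY: value from [SECTION], else [main], else "".
puppet_conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[/ {                               # [section] header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)             # trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k != key) next
            if (sec == want) found = v
            else if (sec == "main") fallback = v
        }
        END {
            if (found != "") print found
            else if (fallback != "") print fallback
        }
    ' "$1"
}

# expected_hostcert FILE MODE FQDN DEFAULT_SSLDIR: the hostcert path that
# results for MODE when certname defaults to the host FQDN (as in the report).
expected_hostcert() {
    certname=$(puppet_conf_get "$1" "$2" certname)
    [ -n "$certname" ] || certname=$3
    ssldir=$(puppet_conf_get "$1" "$2" ssldir)
    [ -n "$ssldir" ] || ssldir=$4
    printf '%s/certs/%s.pem\n' "$ssldir" "$certname"
}

# Constructed sample puppet.conf mirroring the report's setup (not a real file).
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[main]
ssldir = /var/lib/puppet/ssl
[master]
certname = puppetmaster01.example.org   # service name, CNAME to this host
[agent]
certname = host01.example.org           # the host's own FQDN
EOF
    echo "$f"
}

# detect_mode_flag: print whichever spelling the installed puppet accepts
# (--mode on 2.7.x, --run_mode from 3.0.0rc1 per the report); fail if none.
detect_mode_flag() {
    for flag in --run_mode --mode; do
        if puppet config print certname "$flag" master >/dev/null 2>&1; then
            echo "$flag"
            return 0
        fi
    done
    return 1
}

# master_setting KEY FILE: ask puppet for the [master] value when a mode flag
# works, otherwise fall back to parsing FILE (puppet's own defaults then do
# not apply, so an empty result must be treated as "unset" by the caller).
master_setting() {
    if flag=$(detect_mode_flag); then
        puppet config print "$1" "$flag" master
    else
        puppet_conf_get "$2" master "$1"
    fi
}

conf=$(make_sample_conf)
echo "default (user) mode picks: $(expected_hostcert "$conf" user host01.example.org /etc/puppet/ssl)"
echo "master mode picks:         $(expected_hostcert "$conf" master host01.example.org /etc/puppet/ssl)"
rm -f "$conf"
```

Run as-is it prints the two paths that differ in the report's scenario: the user-mode lookup lands on host01.example.org.pem, the master-mode lookup on puppetmaster01.example.org.pem. On a host with puppet installed, master_setting picks whichever of the two flags that version accepts instead of hard-coding one.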
From bab0c3790030bbfff4c54dab2cafd88d5a051604 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20R=C3=BCtten?= <andreasruet...@gmx.de> Date: Thu, 12 Sep 2013 19:25:34 +0200 Subject: [PATCH] Use mode master for querying SSL configuration information As this is the postinst script of the puppetmaster-passanger it makes sense to use the SSL configuration parameter which are set for the puppetmaster. On default puppet-config will query with mode user. --- debian/puppetmaster-passenger.postinst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/puppetmaster-passenger.postinst b/debian/puppetmaster-passenger.postinst index 546df4d..be1eea1 100644 --- a/debian/puppetmaster-passenger.postinst +++ b/debian/puppetmaster-passenger.postinst @@ -51,7 +51,7 @@ if [ "$1" = "configure" ]; then # The ssl key and cert need to be available (eg generated) before # apache2 is configured and started since apache2 ssl configuration # uses the puppetmaster ssl files. - if [ ! -e "$(puppet config print hostcert)" ]; then + if [ ! -e "$(puppet config print hostcert --mode master)" ]; then puppet cert generate $(puppet config print certname) fi 
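Review bot: the existence check now looks for the master's hostcert, but the line right below it, `puppet cert generate $(puppet config print certname)`, still queries certname without `--mode master`, so on a host like the one in the report it would generate a certificate for host01.example.org while the check keeps looking for puppetmaster01.example.org.pem; the master's file is never created and the generate step reruns on every configure. Change it to `puppet cert generate "$(puppet config print certname --mode master)"` so both lines resolve the same name.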
@@ -59,11 +59,11 @@ if [ "$1" = "configure" ]; then if [ ! -e "${APACHE2_SITE_FILE}" ]; then tempfile=$(mktemp) sed -r \ - -e "s|(SSLCertificateFile\s+).+$|\1$(puppet config print hostcert)|" \ - -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet config print hostprivkey)|" \ - -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet config print localcacert)|" \ - -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet config print localcacert)|" \ - -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet config print cacrl)|" \ + -e "s|(SSLCertificateFile\s+).+$|\1$(puppet config print hostcert --mode master)|" \ + -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet config print hostprivkey --mode master)|" \ + -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet config print localcacert --mode master)|" \ + -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet config print localcacert --mode master)|" \ + -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet config print cacrl --mode master)|" \ -e "/RailsAutoDetect/d" \ -e "/RackAutoDetect/d" \ /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile -- 1.7.9.5
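Review bot: none of the five `$(puppet config print … --mode master)` substitutions in this hunk is checked for success; the report itself says newer puppet rejects the `--mode` option, and when the command fails the substitution is empty, so sed writes e.g. `SSLCertificateFile ` with no path into the vhost and the postinst carries on with a broken apache config. Resolve hostcert, hostprivkey, localcacert and cacrl into variables before the sed call, verify each is non-empty (and, for the cert and key, that the file exists), and exit non-zero otherwise; that also replaces five puppet invocations with four.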
From ec7b557703ca98e6cb5ec707f43345553f5de5cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20R=C3=BCtten?= <andreasruet...@gmx.de> Date: Thu, 12 Sep 2013 19:28:14 +0200 Subject: [PATCH] Use mode master for querying SSL configuration information As this is the postinst script of the puppetmaster-passanger it makes sense to use the SSL configuration parameter which are set for the puppetmaster. On default puppet-config will query with mode user. --- debian/puppetmaster-passenger.postinst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/puppetmaster-passenger.postinst b/debian/puppetmaster-passenger.postinst index 546df4d..9ea8650 100644 --- a/debian/puppetmaster-passenger.postinst +++ b/debian/puppetmaster-passenger.postinst @@ -51,7 +51,7 @@ if [ "$1" = "configure" ]; then # The ssl key and cert need to be available (eg generated) before # apache2 is configured and started since apache2 ssl configuration # uses the puppetmaster ssl files. - if [ ! -e "$(puppet config print hostcert)" ]; then + if [ ! -e "$(puppet config print hostcert --run_mode master)" ]; then puppet cert generate $(puppet config print certname) fi 
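Review bot: same mismatch as in the 2.7.11 variant: `puppet cert generate $(puppet config print certname)` below the changed line still uses the default run mode, so the check is for the master's hostcert while the certificate that gets generated is for the agent/host FQDN certname; use `--run_mode master` on the certname query as well and quote the result. Also, the cover mail reports that puppet 3.1.0 rejects `--run_mode` as unknown, so this hunk would make the existence check fail on exactly the versions it targets; the flag needs to be verified against a puppet that accepts it before this patch can be applied.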
@@ -59,11 +59,11 @@ if [ "$1" = "configure" ]; then if [ ! -e "${APACHE2_SITE_FILE}" ]; then tempfile=$(mktemp) sed -r \ - -e "s|(SSLCertificateFile\s+).+$|\1$(puppet config print hostcert)|" \ - -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet config print hostprivkey)|" \ - -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet config print localcacert)|" \ - -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet config print localcacert)|" \ - -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet config print cacrl)|" \ + -e "s|(SSLCertificateFile\s+).+$|\1$(puppet config print hostcert --run_mode master)|" \ + -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet config print hostprivkey --run_mode master)|" \ + -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet config print localcacert --run_mode master)|" \ + -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet config print localcacert --run_mode master)|" \ + -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet config print cacrl --run_mode master)|" \ -e "/RailsAutoDetect/d" \ -e "/RackAutoDetect/d" \ /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile -- 1.7.9.5
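Review bot: this hunk hard-codes `--run_mode` just as the other patch hard-codes `--mode`, and with neither spelling verified against the packaged puppet, a rejected option here leaves every `$(…)` empty and produces SSL directives with no path, which the script does not detect. Rather than shipping two version-specific patches, probe once at the top of the postinst (run `puppet config print certname --run_mode master`, fall back to `--mode`, and abort if neither works), store the chosen flag in a variable, and use it in all six places.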