On Aug 18, 2013, at 7:06 PM, Pete Brown <[email protected]> wrote:

> Hi everyone,
> 
> I am attempting to use FreeIPA as the external CA for my puppet environment.
> I can get puppetmaster running under Passenger using certs stored in an
> nss db and puppet to work with standard pem encoded x509s issued from
> FreeIPA.
> I also got the Foreman working with those certs but I am having some
> issues getting puppet to get node data out of Foreman.
> It gives me this error when I try to query a node
> 
> Error retrieving node puppet.webgatetec.com: Net::HTTPForbidden
> 
> I haven't started investigating that so that may be a simple fix.
> The main problem is getting puppetdb working.
> I have puppetdb 1.4 installed on Fedora 19 and it uses the new method
> of using pem certs instead of keystore which I thought would make this
> easier but I was wrong.
> I have it set up with the puppetmaster and ca certs.
> The certificates I have are set up with CN=puppet_fqdn
> subjectAltName=puppetmaster/$puppet_fqdn  subjectAltName=$puppet_fqdn
> 
> PuppetDB starts up but crashes after a while with this error in the log file.
> 
> 2013-08-19 10:49:08,195 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject' from '/etc/ipa/ca.crt'
> 2013-08-19 10:49:08,201 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey' from '/etc/puppetdb/ssl/private.pem'
> 2013-08-19 10:49:08,221 ERROR [main] [puppetlabs.utils] Uncaught exception
> java.lang.IllegalArgumentException: No matching field found: getPrivate for class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
>        at clojure.lang.Reflector.getInstanceField(Reflector.java:271)
>        at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:300)
>        at com.puppetlabs.ssl$pem__GT_private_key.invoke(ssl.clj:58)
>        at com.puppetlabs.ssl$assoc_private_key_file_BANG_.invoke(ssl.clj:132)
>        at com.puppetlabs.puppetdb.cli.services$configure_web_server_ssl_from_pems.invoke(services.clj:240)
>        at com.puppetlabs.puppetdb.cli.services$configure_web_server.invoke(services.clj:260)
>        at com.puppetlabs.puppetdb.cli.services$parse_config_BANG_.invoke(services.clj:374)
>        at com.puppetlabs.puppetdb.cli.services$_main.doInvoke(services.clj:403)
>        at clojure.lang.RestFn.invoke(RestFn.java:421)
>        at clojure.lang.Var.invoke(Var.java:419)
>        at clojure.lang.AFn.applyToHelper(AFn.java:163)
>        at clojure.lang.Var.applyTo(Var.java:532)
>        at clojure.core$apply.invoke(core.clj:617)
>        at com.puppetlabs.puppetdb.core$_main.doInvoke(core.clj:79)
>        at clojure.lang.RestFn.applyTo(RestFn.java:137)
>        at com.puppetlabs.puppetdb.core.main(Unknown Source)
> 
> I am unsure which field it is trying to find in the cert so I have no
> idea how to fix it.
> Can someone please point me in the right direction?

Thanks for the stacktrace...that should help us triangulate the issue. 
Unfortunately, with Puppetconf all this week, nearly all the people within 
Puppet Labs who can look at this will be out.

Can you file an issue against PuppetDB for this? What would be even better is 
if you could attach some sample .pem files that exhibit the issue. Then we can 
load those up on our end to see where things are going wrong.

Cheers,
deepak

> 
> Thanks in advance.
> Pete.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
