Ahh. I need to get it working before the end of the week so I think I will switch it to self-generated certs and try to get the FreeIPA certs working later.
I will submit a bug after I get this new environment set up.

On 19 August 2013 11:23, Deepak Giridharagopal <[email protected]> wrote:
> On Aug 18, 2013, at 7:06 PM, Pete Brown <[email protected]> wrote:
>
>> Hi everyone,
>>
>> I am attempting to use FreeIPA as the external CA for my puppet environment.
>> I can get puppetmaster running under Passenger using certs stored in an
>> nss db and puppet to work with standard pem encoded x509s issued from
>> FreeIPA.
>> I also got the Foreman working with those certs but I am having some
>> issues getting puppet to get node data out of Foreman.
>> It gives me this error when I try to query a node
>>
>> Error retrieving node puppet.webgatetec.com: Net::HTTPForbidden
>>
>> I haven't started investigating that so that may be a simple fix.
>> The main problem is getting puppetdb working.
>> I have puppetdb 1.4 installed on Fedora 19 and it uses the new method
>> of using pem certs instead of keystore which I thought would make this
>> easier but I was wrong.
>> I have it set up with the puppetmaster and ca certs.
>> The certificates I have are set up with CN=puppet_fqdn
>> subjectAltName=puppetmaster/$puppet_fqdn subjectAltName=$puppet_fqdn
>>
>> PuppetDB starts up but crashes after a while with this error in the log file.
>>
>> 2013-08-19 10:49:08,195 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject' from '/etc/ipa/ca.crt'
>> 2013-08-19 10:49:08,201 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey' from '/etc/puppetdb/ssl/private.pem'
>> 2013-08-19 10:49:08,221 ERROR [main] [puppetlabs.utils] Uncaught exception
>> java.lang.IllegalArgumentException: No matching field found: getPrivate for class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
>>     at clojure.lang.Reflector.getInstanceField(Reflector.java:271)
>>     at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:300)
>>     at com.puppetlabs.ssl$pem__GT_private_key.invoke(ssl.clj:58)
>>     at com.puppetlabs.ssl$assoc_private_key_file_BANG_.invoke(ssl.clj:132)
>>     at com.puppetlabs.puppetdb.cli.services$configure_web_server_ssl_from_pems.invoke(services.clj:240)
>>     at com.puppetlabs.puppetdb.cli.services$configure_web_server.invoke(services.clj:260)
>>     at com.puppetlabs.puppetdb.cli.services$parse_config_BANG_.invoke(services.clj:374)
>>     at com.puppetlabs.puppetdb.cli.services$_main.doInvoke(services.clj:403)
>>     at clojure.lang.RestFn.invoke(RestFn.java:421)
>>     at clojure.lang.Var.invoke(Var.java:419)
>>     at clojure.lang.AFn.applyToHelper(AFn.java:163)
>>     at clojure.lang.Var.applyTo(Var.java:532)
>>     at clojure.core$apply.invoke(core.clj:617)
>>     at com.puppetlabs.puppetdb.core$_main.doInvoke(core.clj:79)
>>     at clojure.lang.RestFn.applyTo(RestFn.java:137)
>>     at com.puppetlabs.puppetdb.core.main(Unknown Source)
>>
>> I am unsure which field it is trying to find in the cert so I have no
>> idea how to fix it.
>> Can someone please point me in the right direction?
>
> Thanks for the stacktrace...that should help us triangulate the issue.
> Unfortunately, with Puppetconf all this week, nearly all the people within
> Puppet Labs who can look at this will be out.
>
> Can you file an issue against PuppetDB for this? What would be even better is
> if you could attach some sample .pem files that exhibit the issue. Then we
> can load those up on our end to see where things are going wrong.
>
> Cheers,
> deepak
>
>>
>> Thanks in advance.
>> Pete.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
