Bug #2500
puppetmaster should not load certs when not running under webrick
| Field | Value |
|---|---|
| Status | Accepted |
| Priority | Normal |
| Assignee | - |
| Category | SSL |
| Target version | 2.7.x |
| Affected Puppet version | 0.25.0rc1 |
| Start date | 08/05/2009 |
| Due date | |
| % Done | 0% |
| Branch | |
| Keywords | |
| Votes | 0 |
Description
When running with the puppetca false option, the following is observed on a client:

```
err: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error
```

and on the server:

```
1.2.3.4 - - [05/Aug/2009:13:44:02 +0800] "GET /development/certificate_revocation_list/ca HTTP/1.1" 500 9451 "-" "-"
Aug 5 13:44:11 hostname puppetd[23354]: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error
```

This happens when running the puppetmaster and puppetd on the same machine.
Related issues
History
Updated by James Turnbull almost 3 years ago
- Category set to SSL
- Status changed from Unreviewed to Accepted
- Target version set to 0.25.0
Updated by Brice Figureau almost 3 years ago
Ohad Levy wrote:
when running with puppetca false option, the following is observed on a client: […]
and on the server: […]
this happens when running the puppetmaster and puppetd on the same machine.
Can you reproduce the issue with a puppetmaster running --trace and --debug, and provide your server error log (and Apache logs too)?
Updated by Luke Kanies almost 3 years ago
- Status changed from Accepted to Needs More Information
- Assignee set to Ohad Levy
I can’t reproduce this. Any more information you can give? Stack traces, etc.?
Updated by Ohad Levy almost 3 years ago
- Assignee changed from Ohad Levy to Luke Kanies
In 0.24-8, I've disabled access to the SSL directory for puppetmasters that have no CA; however, in 0.25 (w/ Passenger) it seems that Puppet still wants to read the ssl/private_keys dir regardless of its role. Is this by-design behavior?

The backtrace is:

```
Permission denied - /var/lib/puppet/ssl/private_keys/certname.pem
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/key.rb:46:in `read'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/key.rb:46:in `read'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/ssl_file.rb:86:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:130:in `key'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:170:in `certificate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
/usr/lib/ruby/site_ruby/1.8/puppet/util/cacher.rb:106:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
/usr/lib/ruby/site_ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
config.ru:17
/usr/lib/ruby/gems/1.8/gems/passenger-2.2.2/vendor/rack-1.0.0-git/lib/rack/builder.rb:29:in `instance_eval'
/usr/lib/ruby/gems/1.8/gems/passenger-2.2.2/vendor/rack-1.0.0-git/lib/rack/builder.rb:29:in `initialize'
config.ru:1:in `new'
config.ru
```
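The "Permission denied" above comes from the service account the Rack app runs as not being allowed into ssl/private_keys. The following is an added example (editor's code, not Puppet's) that predicts that failure from stat() alone: given an ssldir and the uid and group list of the account a master would run under, it lists every private key that account could not open, checking both the file's read bit and the search bit on each directory on the path. The ssldir layout is a constructed fixture in a temp directory; the file names, 0750/0640 modes and the `uid + 1` "stranger" account are assumptions for the demonstration.

```ruby
# Added example, not Puppet's code: predict which private keys a given
# service account could not read, before (re)starting the master as it.
require "tmpdir"
require "fileutils"

# Which permission-bit triple of `st` applies to this uid / group list.
def mode_class(st, uid, gids)
  return :owner if st.uid == uid
  return :group if gids.include?(st.gid)
  :other
end

# Test one bit (4 = read, 1 = search/execute) of the applicable triple.
def bit_set?(st, uid, gids, bit)
  shift = { owner: 6, group: 3, other: 0 }[mode_class(st, uid, gids)]
  ((st.mode >> shift) & bit) != 0
end

# Can this uid open `path` for reading? The file must be readable and every
# directory up to "/" searchable. uid 0 is treated as unrestricted, which is
# plain POSIX behaviour without a MAC layer (an assumption of this check).
def readable_by?(path, uid, gids)
  return true if uid == 0
  return false unless bit_set?(File.stat(path), uid, gids, 4)
  dir = File.expand_path(File.dirname(path))
  loop do
    return false unless bit_set?(File.stat(dir), uid, gids, 1)
    parent = File.dirname(dir)
    return true if parent == dir # reached "/"
    dir = parent
  end
end

# Private keys under ssldir that the account could not read (sorted paths).
def unreadable_private_keys(ssldir, uid, gids)
  Dir.glob(File.join(ssldir, "private_keys", "*.pem")).sort.reject do |pem|
    readable_by?(pem, uid, gids)
  end
end

# Constructed fixture: an ssldir whose private_keys is locked down to the
# owner and its group (0750 dir, 0640 key), as in the report above.
def build_fixture_ssldir(root)
  priv = File.join(root, "private_keys")
  FileUtils.mkdir_p(priv)
  File.chmod(0750, priv)
  pem = File.join(priv, "certname.pem")
  File.write(pem, "-----BEGIN RSA PRIVATE KEY-----\n" \
                  "constructed placeholder, not a real key\n" \
                  "-----END RSA PRIVATE KEY-----\n")
  File.chmod(0640, pem)
  root
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir("ssl") do |root|
    build_fixture_ssldir(root)
    # An account that neither owns the keys nor shares their group, which is
    # the usual situation for an Apache/Passenger worker and root-owned keys.
    unreadable_private_keys(root, Process.uid + 1, []).each do |pem|
      puts "would fail: Permission denied - #{pem}"
    end
  end
end
```

Pointing `unreadable_private_keys` at the real ssldir with the uid and `Process.groups`-style list of the Apache/Passenger user tells you, without restarting anything, whether a master that insists on loading its key (as 0.25rc1 under Passenger does here) will hit this error.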
Updated by James Turnbull almost 3 years ago
Luke?
Updated by Luke Kanies almost 3 years ago
- Assignee changed from Luke Kanies to Ohad Levy
I still can’t reproduce this. When you say you’ve disabled access to the keys, what do you mean? Have you changed the default permissions or something?
Updated by Ohad Levy almost 3 years ago
Luke Kanies wrote:
I still can’t reproduce this. When you say you’ve disabled access to the keys, what do you mean? Have you changed the default permissions or something?
What I did was simply to upgrade an existing 0.24-8 with Passenger to RC1 (and yes, the permissions did not allow the puppet service user to read the certificates).
The real question from my side is: why does Puppet need to read the certificate information at all when used without a CA? Apache takes care of the SSL stuff, so why would it be required at all?
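The point Ohad raises, that with Apache terminating TLS the application itself never needs the private key, is what a Rack-hosted master looks like when written that way. The following is an added example (editor's code, not Puppet's or the project's config.ru): a minimal Rack-style application that does no TLS at all and instead trusts the client-certificate verdict that the front-end forwards as request headers. The header names `X-Client-Verify` and `X-Client-DN`, the URL patterns, and the rule that a client may only fetch its own catalog are assumptions for the demonstration; nothing under ssl/private_keys is ever opened.

```ruby
# Added example, not Puppet's code: TLS is terminated by Apache, so the app
# reads the forwarded client-certificate result rather than loading any key.

# Rack presents forwarded HTTP headers as HTTP_* environment keys.
VERIFY_HEADER = "HTTP_X_CLIENT_VERIFY" # e.g. SUCCESS, NONE, FAILED:...
DN_HEADER     = "HTTP_X_CLIENT_DN"     # subject DN of the client cert

# Extract the CN (Puppet's certname) from a DN in either the slash form
# "/O=Example/CN=agent.example.com" or the comma form "CN=...,O=...".
def certname_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  m = dn.match(%r{(?:^|[/,]\s*)CN=([^/,]+)})
  m && m[1].strip
end

# Classify the caller using only what the TLS terminator set.
# Returns [:authenticated, certname], [:unauthenticated, nil] or [:reject, reason].
def classify_client(env)
  verify = env[VERIFY_HEADER]
  case verify
  when "SUCCESS"
    name = certname_from_dn(env[DN_HEADER])
    name ? [:authenticated, name] : [:reject, "verified client without a CN"]
  when nil, "", "NONE"
    [:unauthenticated, nil]
  else
    [:reject, "client certificate verification failed: #{verify}"]
  end
end

# Rack entry point returning [status, headers, body].
class PuppetLikeApp
  # CA certificate and CRL are public objects; catalogs are per-client.
  PUBLIC_PATH  = %r{\A/[^/]+/(certificate_revocation_list|certificate)/ca\z}
  CATALOG_PATH = %r{\A/[^/]+/catalog/([^/]+)\z}

  def call(env)
    path = env["PATH_INFO"] || ""
    status, who = classify_client(env)
    return text(403, "forbidden: #{who}") if status == :reject

    return text(200, "ok") if path =~ PUBLIC_PATH

    if (m = path.match(CATALOG_PATH))
      return text(403, "forbidden: client certificate required") unless status == :authenticated
      return text(403, "forbidden: #{who} may not fetch #{m[1]}") unless m[1] == who
      return text(200, "catalog for #{who}")
    end

    text(404, "not found")
  end

  private

  def text(code, body)
    [code, { "Content-Type" => "text/plain" }, [body]]
  end
end
```

Two things have to hold for this to be safe, and neither is visible from the app itself: the Rack process must be reachable only through Apache (a client that can talk to it directly can send any `X-Client-Verify` it likes), and Apache must overwrite those headers on every request from the SSL variables rather than pass through whatever the client supplied.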
Updated by Ohad Levy almost 3 years ago
- Assignee changed from Ohad Levy to Luke Kanies
Updated by Luke Kanies almost 3 years ago
- Subject changed from puppetmaster fails when not running as a ca to puppetmaster should not load certs when not running under webrick
- Status changed from Needs More Information to Accepted
- Assignee deleted (Luke Kanies)
- Target version changed from 0.25.0 to 2.6.0
Ohad Levy wrote:
Luke Kanies wrote:
I still can’t reproduce this. When you say you’ve disabled access to the keys, what do you mean? Have you changed the default permissions or something?
What I did was simply to upgrade an existing 0.24-8 with Passenger to RC1 (and yes, the permissions did not allow the puppet service user to read the certificates).
The real question from my side is: why does Puppet need to read the certificate information at all when used without a CA? Apache takes care of the SSL stuff, so why would it be required at all?
I didn’t realize – this is only for use with Passenger?
You’re right that it shouldn’t need access to that information, but I think it will work now based on the changes I just made, and I’d rather not fix the larger issue (that puppetmasterd shouldn’t read the certs when running under passenger) this late in the release cycle.
I’ll rename this ticket and bump it, given that I think it should work now.
Updated by James Turnbull over 2 years ago
- Target version changed from 2.6.0 to 2.7.x