Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Feature) Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem #140

Open
elyscape opened this issue Feb 26, 2015 · 6 comments
Open

(Feature) Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem #140

elyscape opened this issue Feb 26, 2015 · 6 comments
Labels
enhancement New feature or request

Comments

@elyscape
Copy link
Contributor

Currently, the webhook defaults to using the pe-internal-peadmin-mcollective-client SSL certificate. It would make more sense to generate an SSL cert specifically for the webhook.
@acidprime acidprime added this to the Version 3.0 milestone Feb 26, 2015
@acidprime
Copy link
Collaborator

I totally agree on this one , adding this to 4.0 milestone

@acidprime acidprime added the enhancement New feature or request label Feb 26, 2015
@acidprime acidprime changed the title Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem [Enhancement] Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem Apr 21, 2015
@acidprime acidprime changed the title [Enhancement] Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem [Feature] Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem Apr 21, 2015
@acidprime acidprime removed this from the Version 3.0 milestone Jul 31, 2015
@acidprime acidprime changed the title [Feature] Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem (Feature) Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem Aug 3, 2015
@rnelson0
Copy link
Member

In the meantime, the readme points to public_key_path => '/etc/mcollective/server_public.pem', # Mandatory for FOSS which is not part of the puppet-agent FOSS package. There are a number of other pem files available, is a pair of these suitable to use instead?

[root@puppet ~]# find / -name *.pem
/opt/puppetlabs/puppet/ssl/cert.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/net-ssh-2.9.2/net-ssh-public_cert.pem
/etc/vmware-tools/GuestProxyData/server/key.pem
/etc/vmware-tools/GuestProxyData/server/cert.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/tls/cert.pem
/etc/puppetlabs/puppet/ssl/private_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/crl.pem
/etc/puppetlabs/puppet/ssl/public_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
/etc/puppetlabs/puppet/ssl/ca/signed/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
/etc/puppetlabs/puppet/ssl/ca/ca_key.pem
/etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
/etc/puppetlabs/puppetdb/ssl/private.pem
/etc/puppetlabs/puppetdb/ssl/ca.pem
/etc/puppetlabs/puppetdb/ssl/public.pem

@rnelson0
Copy link
Member

@acidprime @elyscape I was able to use the puppetdb private/public pair (it didn't like the master's public/private). If someone can point me at how to generate the pem files properly, I'd be glad to get started on this.

@rnelson0
Copy link
Member

For reference, the puppetdb package in PC1 installation creates the pem files, so you can order it by adding this to your profile containing r10k:

Package['puppetdb'] ->  Service[webhook]

@rnelson0 rnelson0 added the ready label Nov 27, 2016
@kscherer
Copy link

I was able to make the webhook (r10k 2.5.1 with module v4.0.2) work with FOSS (puppetserver 2.7.2) and the puppet certs using the following:

  class {'r10k::webhook::config':
    protected        => false,
    public_key_path  => "/etc/puppetlabs/puppet/ssl/ca/signed/${facts['fqdn']}.pem",
    private_key_path => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['fqdn']}.pem",
    notify           => Service['webhook'],
  }

I also set the webhook user to puppet and it works once I changed the ownership of cache and environment files.

Note: The puppetdb certs are owned by puppetdb with 0600 permissions and are not visible to the puppet user so using the puppetdb certs will require the webhook running as root user.

alexjfisher added a commit to alexjfisher/puppet-r10k that referenced this issue May 8, 2017
@alexjfisher
Pin sinatra gem
0c06378 
Sinatra 2.0.0 was released on the 7th of May 2017.  It requires rack ~>
2.0 and *that* requires ruby 2.2.  Puppet 4 AIO ships with ruby 2.1, so
pin sinatra to prevent errors like.

```
Error: Execution of '/opt/puppetlabs/puppet/bin/gem install --no-rdoc
--no-ri sinatra' returned 1: ERROR:  Error installing sinatra:
        rack requires Ruby version >= 2.2.2.
```

Fixes voxpupuli#140
@alexjfisher alexjfisher mentioned this issue May 8, 2017
Merged
alexjfisher added a commit to alexjfisher/puppet-r10k that referenced this issue May 8, 2017
@alexjfisher
Pin sinatra gem
f9aa997 
Sinatra 2.0.0 was released on the 7th of May 2017.  It requires rack ~>
2.0 and *that* requires ruby 2.2.  Puppet 4 AIO ships with ruby 2.1, so
pin sinatra to prevent errors like.

```
Error: Execution of '/opt/puppetlabs/puppet/bin/gem install --no-rdoc
--no-ri sinatra' returned 1: ERROR:  Error installing sinatra:
        rack requires Ruby version >= 2.2.2.
```

Fixes voxpupuli#140
alexjfisher added a commit to alexjfisher/puppet-r10k that referenced this issue May 8, 2017
@alexjfisher
Pin sinatra gem
2a4ed16 
Sinatra 2.0.0 was released on the 7th of May 2017.  It requires rack ~>
2.0 and *that* requires ruby 2.2.  Puppet 4 AIO ships with ruby 2.1, so
pin sinatra to prevent errors like.

```
Error: Execution of '/opt/puppetlabs/puppet/bin/gem install --no-rdoc
--no-ri sinatra' returned 1: ERROR:  Error installing sinatra:
        rack requires Ruby version >= 2.2.2.
```

Fixes voxpupuli#140
alexjfisher added a commit to alexjfisher/puppet-r10k that referenced this issue May 9, 2017
@alexjfisher
Pin sinatra gem
312e759 
Sinatra 2.0.0 was released on the 7th of May 2017.  It requires rack ~>
2.0 and *that* requires ruby 2.2.  Puppet 4 AIO ships with ruby 2.1, so
pin sinatra to prevent errors like.

```
Error: Execution of '/opt/puppetlabs/puppet/bin/gem install --no-rdoc
--no-ri sinatra' returned 1: ERROR:  Error installing sinatra:
        rack requires Ruby version >= 2.2.2.
```

Fixes voxpupuli#140
@rnelson0 rnelson0 mentioned this issue May 10, 2017
Merged
@alexjfisher
Copy link
Member

Sorry, I referenced this issue by mistake in one of my commits.

@alexjfisher alexjfisher reopened this May 10, 2017
@dhoppe dhoppe removed the ready label Jan 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@alexjfisher @kscherer @elyscape @dhoppe @acidprime @rnelson0