[Katello 2.2 RC2 / Foreman 1.8 RC2] Apache puppet certs config issues

Hi folks!

I'm having an issue with the katello-installer:

Syntax error on line 39 of /etc/httpd/conf.d/25-puppet.conf:
SSLCertificateChainFile: file '/var/lib/puppet/ssl/ca/ca_crt.pem' does not
exist or is empty

What module in the katello-installer handles that 25-puppet.conf file?
I've grepped the /usr/share/katello-installer/modules to see about
troubleshooting it further, and can't find where it's being handled from.

Part of the problem is that 'ca' directory doesn't exist; it only gets down
to /var/lib/puppet/ssl/. The only directories in there are the standard:

certificate_requests certs private private_keys public_keys

OS is CentOS 6.6.

Thanks!

/Mike

Info for the benefit of others, as I troubleshoot this further.

katello-installer/modules/foreman/manifest/init.pp sets the
variable $server_ssl_chain, which is used by
katello-installer/modules/foreman/manifest/server.pp

The code which puts the certs there is

class puppet::server {

  if $::puppet::server_ca {
    $ssl_ca_cert = "${::puppet::server_ssl_dir}/ca/ca_crt.pem"
    $ssl_ca_crl  = "${::puppet::server_ssl_dir}/ca/ca_crl.pem"
    $ssl_chain   = "${::puppet::server_ssl_dir}/ca/ca_crt.pem"
  } else {
    $ssl_ca_cert = "${::puppet::server_ssl_dir}/certs/ca.pem"
    $ssl_ca_crl  = false
    $ssl_chain   = false
  }
  # (remainder of the class as shipped, omitted here)
}

So, there's no ensuring the directory exists in this chunk of code, and in
grepping the modules directory, I can't see any place else where the ensure
might have been set. So, I added the following to my local copy of the
installer module in order to ensure the correct directory existed, and
tested.

# Sets up a puppet master.
class puppet::server {

  if $::puppet::server_ca {
    # Make sure the CA directory exists before anything references files in it.
    file { "${::puppet::server_ssl_dir}/ca":
      ensure => directory,
      owner  => $::puppet::user,
      group  => $::puppet::group,
      mode   => '0755',
    }
    $ssl_ca_cert = "${::puppet::server_ssl_dir}/ca/ca_crt.pem"
    $ssl_ca_crl  = "${::puppet::server_ssl_dir}/ca/ca_crl.pem"
    $ssl_chain   = "${::puppet::server_ssl_dir}/ca/ca_crt.pem"
  } else {
    $ssl_ca_cert = "${::puppet::server_ssl_dir}/certs/ca.pem"
    $ssl_ca_crl  = false
    $ssl_chain   = false
  }
  # (remainder of the class as shipped, omitted here)
}

This part works; hitting another issue now. More to follow.

/Mike
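Added example, written for this page and not taken from the thread or from katello-installer: a pre-flight check for the exact failure in the first post. httpd refuses to start when any SSLCertificate*File directive names a file that is missing or empty, and the symptom in this thread is that the whole /var/lib/puppet/ssl/ca directory was never created, so the check walks the directives in a vhost conf and reports, per path, whether the directory is absent, the file is absent, or the file is empty. It assumes only POSIX sh and sed; the conf path at the bottom is the one from the error message and is skipped if it is not present.

```shell
#!/bin/sh
# Added example (not from the thread or from katello-installer): report, for
# every SSLCertificate*File directive in an httpd vhost conf, whether the
# named file can actually be loaded. Run it before "service httpd restart".

# check_ssl_files CONF
#   prints one line per problem; returns 0 if every path is usable, 1 otherwise
check_ssl_files() {
    conf="$1"
    problems=$(
        # Extract "directive path" pairs. httpd allows the path with or
        # without double quotes, so both forms are accepted.
        sed -n -E 's/^[[:space:]]*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile|SSLCARevocationFile)[[:space:]]+"?([^" ]+)"?.*$/\1 \2/p' "$conf" |
        while read -r directive path; do
            dir=$(dirname "$path")
            if [ ! -d "$dir" ]; then
                # The directory itself is absent (this thread's case): no CA was
                # ever written here, so creating the file by hand is not the fix.
                echo "$directive: directory '$dir' does not exist"
            elif [ ! -e "$path" ]; then
                echo "$directive: file '$path' does not exist"
            elif [ ! -s "$path" ]; then
                # httpd reports both cases with the same wording; split them.
                echo "$directive: file '$path' is empty"
            fi
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Stand-alone run against the conf from the error message, if it is there.
if [ -f /etc/httpd/conf.d/25-puppet.conf ]; then
    check_ssl_files /etc/httpd/conf.d/25-puppet.conf || echo "fix the above before restarting httpd"
fi
```

Run it as root on the Katello host after the installer finishes and before touching httpd; a "directory ... does not exist" line for the chain file points at the puppet CA never having been generated, whereas a "file ... does not exist" line with the directory present points at the installer having wired up the wrong path.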


So, with the CA directory created in another post, I'm back to the core
issue that '/var/lib/puppet/ssl/ca/ca_crt.pem' does not exist. In
/var/lib/puppet/ssl/certs I have 'ca.pem' and "$hostname.ca.pem". When I
run 'cat answers.katello-installer.yaml | grep ca' I get:
server_ca_cert:
ca_common_name: katello.domain.ca
node_fqdn: katello.domain.ca
server_ca_name: katello-server-ca
regenerate_ca: "--enable-katello"
ca_expiration: "36500"
default_ca_name: katello-default-ca
capsule:
puppet_ca_proxy: ""
parent_fqdn: katello.domain.ca
puppetca: true
servername: katello.domain.ca
server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt

So, it appears that some step is not occurring to either generate the
ca_crt.pem file or place it in the correct location, or it's not creating a
symlink to where it needs to be.

Any advice? Also, should "server_ca_cert" be blank in the answers file?
How is that set in the installer?

Thanks!

/Mike


Retested with Katello 2.2 RC3, Foreman 1.8 RC3 and Puppet 3.7.5 on CentOS
6.6, and still have the same issues.

  • the /var/lib/puppet/ssl/ca directory is not created.
  • SSLCertificateChainFile: file '/var/lib/puppet/ssl/ca/ca_crt.pem' does
    not exist
  • manually running "puppet master" creates the proper directory
    structure underneath the /var/lib/puppet/ssl/ca/ directory
    (private, requests, signed) and the ca_key.pem and ca_pub.pem files.

Any advice?

Thanks!

/Mike

OK, the overall issue may have been with how our custom Kickstart was
injecting the hostname into the system as various Katello products were
installed. Blowing away the puppet ssl directory and re-doing all the
certificates manually seems to have fixed the httpd issues. Basically,
I'm re-spinning custom CentOS DVDs with Katello and all its dependencies
on it for installation via Kickstart recipes in non-Internet connected
environments.

Sorry for the noise.

/Mike