SSL » History » Version 6
Jacob McCann, 03/22/2012 03:31 PM
| 1 | 1 | Ohad Levy | h1. SSL setup |
|---|---|---|---|
| 2 | |||
| 3 | The smart proxy can work in SSL mode, where both sides verify and trust each other. |
||
| 4 | |||
| 5 | h2. Configure SSL certificates |
||
| 6 | |||
| 7 | This request will only be accepted if the SSL certificates match. Therefore the client's private key grants access to proxy's funtionality, so protect it. |
||
| 8 | |||
| 9 | As this tool is meant to interoperate with a puppet installation I suggest that you use the Certificate Authority provided by a puppet server as your CA. |
||
| 10 | |||
| 11 | # Login to your puppetmaster, which has a Certificate Authority |
||
| 12 | # Use the puppet tools to create a new certificate |
||
| 13 | <pre><code> |
||
| 14 | puppetca --generate <proxy-FQDN> |
||
| 15 | </pre></code> |
||
| 16 | # Copy the certificate keys to your Windows host |
||
| 17 | <pre><code> |
||
| 18 | scp puppetmaster:/var/lib/puppet/ssl/ca/signed/<proxy-FQDN>.pem signed.pem |
||
| 19 | scp puppetmaster:/var/lib/puppet/ssl/private_keys/<proxy-FQDN>.pem private.pem |
||
| 20 | </pre></code> |
||
| 21 | # Copy the ssl/certs/ca.pem from any puppet client to the smart-proxy\config directory. This ensures that the proxy trusts the same CA as a puppet client. |
||
| 22 | 2 | Corey Osman | |
| 23 | h2. Troubleshooting |
||
| 24 | |||
| 25 | <pre> |
||
| 26 | Unable to save |
||
| 27 | Unable to communicate with the proxy: No such file or directory - /.puppet/var/ssl/certs/foremanserver.domainname.corp.pem |
||
| 28 | Please check the proxy is configured and running on the host before saving. |
||
| 29 | </pre> |
||
| 30 | 3 | Corey Osman | |
| 31 | Workaround |
||
| 32 | 5 | Corey Osman | # mkdir /.puppet |
| 33 | # ln -s /var/lib/puppet/ /.puppet/var |
||
| 34 | 4 | Corey Osman | # add foreman, foreman-proxy to puppet group |
| 35 | # chmod -R 640 /var/lib/puppet/ssl/private_keys |
||
| 36 | # chgrp -R puppet /var/lib/puppet/ssl/private_keys |
||
| 37 | # |
||
| 38 | 6 | Jacob McCann | |
| 39 | *Example 2:* |
||
| 40 | I also ran into this issue ... here is my breakdown of it. |
||
| 41 | |||
| 42 | This seems to stem from the foreman webserver needing access to it's certificate. It looks for it down the webuser home directory for .puppet which somewhat is supposed to mimic the puppetdir. |
||
| 43 | |||
| 44 | So for my SLES system which: |
||
| 45 | * Webuser - wwwrun |
||
| 46 | * Webuser homedir - /var/lib/wwwrun |
||
| 47 | * Puppet dir - /etc/puppet |
||
| 48 | |||
| 49 | Looks in /var/lib/wwwrun/.puppet/ssl/certs |
||
| 50 | |||
| 51 | So I needed to: |
||
| 52 | <pre> |
||
| 53 | add wwwrun to puppet group |
||
| 54 | cd /var/lib/wwwrun |
||
| 55 | ln -s /etc/puppet .puppet |
||
| 56 | chgrp -R puppet /etc/puppet/ssl/private_keys |
||
| 57 | chmod 640 /etc/puppet/ssl/private_keys/* |
||
| 58 | </pre> |