Bug #7144

puppetd cannot create new private key if hostprivatekey/privatekeydir have permissions configured in /etc/puppet/puppet.conf

Added by Matt Wise over 3 years ago. Updated over 1 year ago.

Status: Closed
Start date: 04/18/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: SSL
Target version: 2.6.13
Affected Puppet version: 2.6.5
Branch: https://github.com/MaxMartin/puppet/tree/ticket/2.6.x/7144-private-keys
Keywords: customer

Description

Our servers set their puppet private keys with some unique permissions because we use the keys for several purposes. This works fine once the keys are created, but if we have to wipe the key dir and re-start on a node Puppet complains unless we remove the lines from the puppet.conf. For example, here are the lines in the puppet.conf that cause the problem:

    # explicitly set the permissions of this tree to readable by anyone in the puppet group
    privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 } +
    # The default value is '$privatekeydir/$certname.pem'.
    hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }

With those lines in place, and the SSL directory wiped clean (ie, fresh install):

Executing [/usr/bin/puppet agent --server puppet.mydomain.com -t --detailed-exitcodes]
info: Creating a new SSL key for test.dc1.prod.mydomain.com
err: Could not request certificate: Could not write /var/lib/puppet/ssl/private_keys/test.dc1.prod.mydomain.com.pem to privatekeydir: can't convert String into Integer
Exiting; failed to retrieve certificate and waitforcert is disabled
Returned value: 1

This happens every single time. If we remove those lines from the config, the puppet key generation works properly and the puppet run succeeds (which then adds those lines back into the config, which ultimately sets the proper permissions on those files).

OS: CentOS 5.5
Puppet Version: 2.6.5
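The failing step, as an added example in Ruby (Puppet's own language) that is not Puppet's code and not the fix on the linked branch: a small parser for the curly-brace file-metadata syntax used above, and the difference between handing File.chmod the mode exactly as it is read from the config (a String, which raises the TypeError quoted in the error output) and converting it to an Integer first. The regular expression, the helper names and the octal conversion are assumptions of this example.

```ruby
# Added example, not Puppet's implementation: parse the puppet.conf
# "value { owner = ..., group = ..., mode = ... }" setting syntax and show why
# a mode that stays a String breaks File.chmod with a TypeError
# (reported on Ruby 1.8 as "can't convert String into Integer").
require 'tmpdir'
require 'fileutils'

# name = value, optionally followed by { k = v, k = v } (assumed grammar)
SETTING_RE = /\A\s*(\w+)\s*=\s*([^{]+?)\s*(?:\{\s*(.*?)\s*\})?\s*\z/

# Returns [name, value, metadata_hash]; metadata values stay Strings,
# exactly as a config reader would hand them on.
def parse_setting(line)
  m = SETTING_RE.match(line.sub(/#.*/, ''))
  raise ArgumentError, "not a setting: #{line.inspect}" unless m
  name, value, meta = m[1], m[2], m[3]
  metadata = {}
  if meta
    meta.split(',').each do |pair|
      k, v = pair.split('=', 2).map(&:strip)
      metadata[k.to_sym] = v
    end
  end
  [name, value, metadata]
end

# Convert the textual octal mode ("750", "0640") into the Integer that
# File.chmod expects; anything else is rejected rather than guessed.
def mode_to_int(mode)
  raise ArgumentError, "bad mode #{mode.inspect}" unless mode =~ /\A0?[0-7]{3,4}\z/
  mode.to_i(8)
end

# The defect class from the ticket: the raw String mode reaches File.chmod.
def write_key_unconverted(path, contents, metadata)
  File.open(path, 'w') { |f| f.write(contents) }
  File.chmod(metadata[:mode], path)   # raises TypeError: String is not an Integer
end

# The corrected flow: convert first, then apply, and return the resulting mode.
def write_key_converted(path, contents, metadata)
  File.open(path, 'w') { |f| f.write(contents) }
  File.chmod(mode_to_int(metadata[:mode]), path)
  File.stat(path).mode & 0777
end

if __FILE__ == $0
  # Constructed sample line, taken from the shape of the ticket's config.
  line = 'hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }'
  name, value, meta = parse_setting(line)
  puts "#{name} -> #{value} #{meta.inspect}"
  Dir.mktmpdir do |dir|
    key = File.join(dir, 'host.pem')
    begin
      write_key_unconverted(key, "dummy\n", meta)
    rescue TypeError => e
      puts "unconverted: #{e.class}: #{e.message}"
    end
    puts "converted:   mode %o" % write_key_converted(key, "dummy\n", meta)
  end
end
```

The parser keeps metadata values as Strings on purpose: that is the shape a config reader produces, and the conversion to an Integer has to happen somewhere before the chmod call. Note that the stray "+" at the end of the privatekeydir line quoted above would be rejected by this parser as not matching the setting grammar.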

History

#1 Updated by Matt Wise over 3 years ago

Anyone taking a look at this? This seems pretty easy to reproduce..

#2 Updated by James Turnbull over 3 years ago

  • Category set to SSL
  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Nigel Kersten
  • Affected Puppet version set to 2.6.5

#3 Updated by Nigel Kersten over 3 years ago

are you saying you have this actual line in your config file?

privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 } +

#4 Updated by Matt Wise over 3 years ago

I think I do, although I don't think that plus symbol is there (I'm not sure right now). I have it set up this way, though, so that other programs whose user is in the 'puppet' group can read the puppet SSL cert and private keys.

#5 Updated by Nigel Kersten over 3 years ago

I'm just confused, as, as far as I'm aware, we don't have any support for the contents between the curly braces in the puppet.conf file...

#6 Updated by Matt Wise over 3 years ago

Apparently you do :). Here’s the actual config from one of my hosts. Additionally, the format is documented in the configuration doc on the website:

[root@fds103 log]# cat /etc/puppet/puppet.conf 
#######################################################################################################################
# THIS FILE IS MANAGED BY PUPPET, DO NOT EDIT MANUALLY
#######################################################################################################################

[main]
    # the server name of the main puppet server (used when doing 'puppet agent -t', so you dont have to add --server)
    server = puppet

    # Where Puppet stores dynamic and growing data.
    # The default value is '/var/puppet'.
    vardir = /var/lib/puppet

    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    factpath = $vardir/lib/facter

    # sync down any plugins necessary
    pluginsync = true 

    # make sure we always generate a local graph
    graph = true

    # explicitly set the permissions of this tree to readable by anyone in the puppet group
    privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 }

    # The default value is '$privatekeydir/$certname.pem'.
    hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }

[agent]
    # do NOT listen on port 8139 for connections from clients
    listen = false

    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    report      = true
    reportfrom      = puppet-reports 
    filetimeout     = 0
    environment     = production


http://docs.puppetlabs.com/references/2.6.8/configuration.html#file-format
[main]
    myfile = /tmp/whatever {owner = root, mode = 644}

#7 Updated by Nigel Kersten over 3 years ago

Wow. A quick straw poll of the office only turned up one person who knew we had this feature.

This is going to take some investigation… as I’m sure we have more bugs around this feature.

#8 Updated by Chris Phillips over 3 years ago

Hi Nigel, remember advising me about setting key rights last week on the mailing list so nagios could use the certs? Well I’m hitting this issue now as well. A fix would be nice.

#9 Updated by Nigel Kersten over 3 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee deleted (Nigel Kersten)
  • Target version set to 2.6.x

#10 Updated by Matt Robinson over 3 years ago

This is now on our backlog for things to fix. There’s a deadline on some items ahead of it, but it should get some development attention in the next week or two.

Also, the docs that were referred to are here, and definitely do mention this curly brace syntax. http://docs.puppetlabs.com/references/stable/configuration.html#configuration-files

#11 Updated by Anonymous over 3 years ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Branch set to https://github.com/MaxMartin/puppet/tree/ticket/2.6.x/7144-private-keys

We believe we’ve found a fix for this issue; it’s available on my fork of puppet under the ticket/2.6.x/7144-private-keys branch (https://github.com/MaxMartin/puppet/tree/ticket/2.6.x/7144-private-keys). If you can try this out and let us know whether it works, we can merge it into the next maintenance release.

#12 Updated by Matt Robinson over 3 years ago

Didn’t get any user feedback on this solution, but this seems to fix the issue that we could reproduce and it passes tests, so I’ve merged it. commit:b268fb3d4cca79bdce0adc7da8b4d47f20769521

#13 Updated by Matt Robinson over 3 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release

#14 Updated by Michael Stahnke over 3 years ago

  • Status changed from Merged - Pending Release to Closed

Released as part of 2.7.3rc1

#15 Updated by Michael Stahnke over 3 years ago

  • Status changed from Closed to Merged - Pending Release

Does this need to be targeted at 2.6.x?

#16 Updated by Nigel Kersten over 3 years ago

Yes. Target version isn’t multi-valued, but it does need to be targeted at 2.6.x due to a paying customer request.

#17 Updated by James Turnbull over 3 years ago

  • Target version changed from 2.6.x to 2.6.10

#18 Updated by Matthaus Owens almost 3 years ago

  • Status changed from Merged - Pending Release to Closed
  • Target version changed from 2.6.10 to 2.6.13

released in 2.6.13rc1

#19 Updated by Charlie Sharpsteen over 1 year ago

  • Keywords set to customer
