Puppet External Certificate: Master Is Not A CA

Question

I am actually trying to see if Puppet can use external certificates because my organization's info security department has came out with a stronger security certificate that I've asked them for a set to see if it works or not. I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them.

The set comprises something like the following:

1. ABCROOTCA2015.pem – ABC Root CA 2015 certificate
2. ABCSERVERCA2015.pem – ABC Server CA 2015 certificate
3. puppet2-64.abc.local.p12 (server) - private key and certificate of glpi-49.abc.local - password: ###
4. glpi-49.abc.local.p12 (agent) - private key and certificate of 10.5.137.175 - password: ###

Since external certs require Apache Passenger to work on this, I've installed the Apache passenger. These two certs above have been placed into their respective folders (/var/lib/puppet/ssl/certs and with another copy the server cert placed at the /private_keys folder.

Given of the two certificate files above, this is my configuration file, Apache end, stored at "/etc/apache2/sites-enabled/puppetmaster" (this is for Ubuntu)

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /var/lib/puppet/ssl/certs/mimosserverca2015.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/mimosserverca2015.pem

        #SSLCertificateChainFile /var/lib/puppet/ssl/certs/mimosrootca2015.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/certs/mimosrootca2015.pem

    # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        #RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd>
            Options None
            AllowOverride None
         # Apply the right behavior depending on Apache version.
            Order allow,deny
            Allow from all
        </Directory>    

#Misc LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.53/xxx.so PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.53 PassengerRuby /usr/bin/ruby1.8

    ErrorLog /var/log/apache2/puppetmaster_ssl_error.log
    CustomLog /var/log/apache2/puppetmaster_ssl_access.log combined

</VirtualHost>

For the puppet.conf at the puppetmaster. I only added the following additional lines:

   [main]
    ca_server = puppet2-64.mimos.local

    [master]
    ca = false
    certname = mimosserverca2015

For one of the agents that is to be tested for this, I've added a ca_server thing in the agent's puppet configuration file. The webrick puppetmaster service has been turned off as the apache2 service has been turned on.

When the agent is executed, Error 400 is shown with the sub-message Master is not a CA.

If I've already defined the host and local root cert inside the puppetmaster file in apache2 folder, shouldn't I be getting the same function as it was usually?

Or is because that the puppetmaster will not take the custom certificate file as its own such that we have to rename that file?

So far I've checked around, but there's not much of material to be checked upon, unless there's steps that might not match my CA setup.

Can anyone help enlighten on this issue? Thanks alot!

M

Answer 1

The error Master is not a CA is caused by the certificate authority function on your Puppet master being disabled, which you're explicitly doing by specifying ca = false in puppet.conf under [master].

Using an external CA is well-covered in the SSL Configuration: External CA Support document. However it includes the following caveat, which is incompatible with your requirement that, "I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them."

These configurations are all-or-nothing rather than mix-and-match. When using an external CA, the built in Puppet CA service must be disabled and cannot be used to issue SSL certificates.

Additionally, Puppet cannot automatically distribute certificates in these configurations — you must have your own complete system for issuing and distributing certificates.

Simply put, when using an external CA with Puppet, you're responsible for signing and distributing the certificates.

(While you could try removing ca = false, it's quite possible that you'll run into problems as it's an unsupported configuration.)

If you put a signed agent cert on your agent system, either replacing the default paths or additionally specifying the host* configuration options, then the agent shouldn't attempt to use the (disabled) CA functions of the Puppet master.