On my puppet master I have a site.pp file that defines the content of some certificates like so ...
$swift_cert_content = '
-----BEGIN CERTIFICATE-----
blhablhadfblhablah...
-----END RSA PRIVATE KEY-----
'
... and I want to write the value of $swift_cert_content to the file /tmp/swift_cert on my puppet master. I have tried this ...
# cat create_cert_files.pp
class create_cert_files (
$swift_cert_content = $::swift_cert_content,
) {
file { '/tmp/swift_cert':
ensure => "file",
content => $swift_cert_content,
}
}
class { 'create_cert_files': }
... and I execute this like so ...
# puppet apply create_cert_files.pp
Notice: Compiled catalog for osc-ppt-001.example.com in environment production in 0.16 seconds
Notice: /Stage[main]/Create_cert_files/File[/tmp/swift_cert]/ensure: created
Notice: Finished catalog run in 0.31 seconds
... but the file is empty:
# ls -l /tmp/swift_cert
-rw-r--r-- 1 root root 0 Aug 26 14:55 /tmp/swift_cert
What am I doing wrong?
I forgot that when one uses puppet apply puppet ignores the site.pp file so I need to do something like this:
# cat /etc/puppetlabs/puppet/manifests/site.pp create_cert_files.pp > runit.pp
# puppet apply runit.pp
Related
Experimenting with Terraform and Ansible deployment. I have a TF template that stands up a VPC and ec2 instances in AWS, and uses cloud-init scripts to prepare the instances. I've tried to upload my own SSH keys from Puttygen in the cloud-init scripts but I am receiving a "key_load_public: invalid format" error when testing Ansible. My cloud init is as follows:
#Add Users
users:
- name: ansadmin
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
groups: [ sudo ]
homedir: /home/ansadmin
shell: /bin/bash
passwd: $6$UwvMBQ9VAUiKDcx$/kIbPH2GxwBbpevZEJtIyjXZIW7KJgth3MXEmxhqNH.TH2yonVMz2Ob7ROD7jGKCagF3iYkYVBnkL.okPkP/d0
ssh-authorized-keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZMMH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3zY9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiNR/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9QUt4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
ssh_keys:
rsa_private: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvV1UuXGnfWvoxoameuCuoUx1yPUeZeORovbzge0SpFctBs0k
Nqp37h8CG8wFADPXxK3xAMDunrY+HVPzQaVDeRlDIF5sRtb0vHS3NN9M6jmQb6W1
l/O3O1Brrp6oIEUxb1JOgCqHMw+48VFOmcdpvGZ4hf7a8w+OUK6XUGhC1A/nv6Dx
4Icv+KhX5OwxrytN7oCyHdQiQpPfB8fMtX31+lE1YBvwtcSJaNc/dOP9ONTYXPwe
fJYenapMTzewl1q+OkImf8DTgz9gmBMxydZdrwutOFrxpzkcVX0KITIyH1r0hTzY
1LEG1z/8qhxijfu49lYZ2YvB2TnlbiCN/9O6+QIDAQABAoIBADbvzbWjIGlFlhmK
VOAPMPqAmSc83Z3HoKe7pzeJVMAyvlBb0Wa+m96MRmtUDBtb7vwTTnjegBuxWWHe
yhLAZEvMpWnNmvIOSKAn6ELBianmG14YoA8+WGkv0p2tT69VA5t9MGMEc4a/x/LS
mNAKR0WuIMcXAeREHhCQJjvgk4q7trbOrKYgKxJsMRFwJXhYW95ZJSXjKuAVj8se
0B5BnVWTFj3cxhgf7DVVuXrb83zIBK+6Ucq4X+nMGy8pLBw+jmcgb/Y3ssXxnh6b
uijvUuc/i4yI9R4OwfV5tkpMFsbh2y74OS2UDfCtYCwiKjOGKEfv1oukfDSlCaqs
2DjgacUCgYEA4/DOCfJVGWmVGsVxsJjg5k8nt/6FdJ4zx7jkvFjZ7UB6QfCmznLs
3BRkX1ZrurRazMYNq56FXT8K6JPHsttwSy6zj/KYRRFhdEUo6EHJSELVZZHr9qIk
duE0Fz+9FddY2jno8jyxA1+tTYudV2lkp1cVVb/UvGQCXSadmJrt+x8CgYEA1Kzc
eRtpbKf+jPxYylqm7gPp3I3K5CgGa1gdjOTS8yc/DBbqPCQkrQe6pMKAaiWjwHz4
y77yYmp1JtsPip7kEm2pSXVfDBmdj+aVBRUm+mDa/lXC1BgG3zaz8MsnuqoMR+19
BO6PXN/yAEau5EnlNK6rD8A3VvvHDzXu/EPHnucCgYEAgLOa4qrdufePpQoO43Ou
qNvQxWcE24/oFMElBeP1SKy7WzgSN0dUzf8FnX8iXM0w56Z8WYasLrZF5oRqoWad
xRWddY24xGbH6+qQ6nMav55c93ipDx0GEcmeq/HlRcvN84n3Ka9zE0CWjc5jDNQJ
bSMSfNRPvf+KBiajnWL9NGkCgYA2d06/dVW6jguS782NhUnbCwWJhoa/h8CdHSP0
QWYE/7gV0IiMfnUmGyShrW5VwO3/DgJpq61Hpxv5p4CDb83ZKlyAg56j6qt/fv4L
Hy+sT8HGARC0YLLh15CdymmSVJpwkVHDQZVVo8TGbVO9A2+/3jvQ/NkvXavNKXLb
CEDHYQKBgQDJczoRCSmIQnloCFonNmCaWIGC7/dAjHU6VeNpbxyUGVqTiMBhG7Mk
XIR454e1RYrielxGlPJZYRmIcK1SmI0sb/obkqbr7qLxrIMrcFqHQLatLlu6rd2K
Url/rg6af1DzvYIrMGop4vbIZhBPeP0iyB9GGxIyE+Hh9VTU1MYEYQ==
-----END RSA PRIVATE KEY-----
rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZMMH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3zY9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiNR/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9QUt4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
write_files:
- content: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS
61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZM
MH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3z
Y9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiN
R/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9Q
Ut4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
path: /home/ansadmin/.ssh/id_rsa.pub
permissions: '0600'
owner: ansadmin:ansadmin
defer: true
- content: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvV1UuXGnfWvoxoameuCuoUx1yPUeZeORovbzge0SpFctBs0k
Nqp37h8CG8wFADPXxK3xAMDunrY+HVPzQaVDeRlDIF5sRtb0vHS3NN9M6jmQb6W1
l/O3O1Brrp6oIEUxb1JOgCqHMw+48VFOmcdpvGZ4hf7a8w+OUK6XUGhC1A/nv6Dx
4Icv+KhX5OwxrytN7oCyHdQiQpPfB8fMtX31+lE1YBvwtcSJaNc/dOP9ONTYXPwe
fJYenapMTzewl1q+OkImf8DTgz9gmBMxydZdrwutOFrxpzkcVX0KITIyH1r0hTzY
1LEG1z/8qhxijfu49lYZ2YvB2TnlbiCN/9O6+QIDAQABAoIBADbvzbWjIGlFlhmK
VOAPMPqAmSc83Z3HoKe7pzeJVMAyvlBb0Wa+m96MRmtUDBtb7vwTTnjegBuxWWHe
yhLAZEvMpWnNmvIOSKAn6ELBianmG14YoA8+WGkv0p2tT69VA5t9MGMEc4a/x/LS
mNAKR0WuIMcXAeREHhCQJjvgk4q7trbOrKYgKxJsMRFwJXhYW95ZJSXjKuAVj8se
0B5BnVWTFj3cxhgf7DVVuXrb83zIBK+6Ucq4X+nMGy8pLBw+jmcgb/Y3ssXxnh6b
uijvUuc/i4yI9R4OwfV5tkpMFsbh2y74OS2UDfCtYCwiKjOGKEfv1oukfDSlCaqs
2DjgacUCgYEA4/DOCfJVGWmVGsVxsJjg5k8nt/6FdJ4zx7jkvFjZ7UB6QfCmznLs
3BRkX1ZrurRazMYNq56FXT8K6JPHsttwSy6zj/KYRRFhdEUo6EHJSELVZZHr9qIk
duE0Fz+9FddY2jno8jyxA1+tTYudV2lkp1cVVb/UvGQCXSadmJrt+x8CgYEA1Kzc
eRtpbKf+jPxYylqm7gPp3I3K5CgGa1gdjOTS8yc/DBbqPCQkrQe6pMKAaiWjwHz4
y77yYmp1JtsPip7kEm2pSXVfDBmdj+aVBRUm+mDa/lXC1BgG3zaz8MsnuqoMR+19
BO6PXN/yAEau5EnlNK6rD8A3VvvHDzXu/EPHnucCgYEAgLOa4qrdufePpQoO43Ou
qNvQxWcE24/oFMElBeP1SKy7WzgSN0dUzf8FnX8iXM0w56Z8WYasLrZF5oRqoWad
xRWddY24xGbH6+qQ6nMav55c93ipDx0GEcmeq/HlRcvN84n3Ka9zE0CWjc5jDNQJ
bSMSfNRPvf+KBiajnWL9NGkCgYA2d06/dVW6jguS782NhUnbCwWJhoa/h8CdHSP0
QWYE/7gV0IiMfnUmGyShrW5VwO3/DgJpq61Hpxv5p4CDb83ZKlyAg56j6qt/fv4L
Hy+sT8HGARC0YLLh15CdymmSVJpwkVHDQZVVo8TGbVO9A2+/3jvQ/NkvXavNKXLb
CEDHYQKBgQDJczoRCSmIQnloCFonNmCaWIGC7/dAjHU6VeNpbxyUGVqTiMBhG7Mk
XIR454e1RYrielxGlPJZYRmIcK1SmI0sb/obkqbr7qLxrIMrcFqHQLatLlu6rd2K
Url/rg6af1DzvYIrMGop4vbIZhBPeP0iyB9GGxIyE+Hh9VTU1MYEYQ==
-----END RSA PRIVATE KEY-----
path: /home/ansadmin/.ssh/id_rsa
permissions: '0600'
owner: ansadmin:ansadmin
defer: true
- content: |
ansadmin ALL=(ALL) NOPASSWD: ALL
path: /etc/sudoers
append: true
If I replace the key using "ssh-keygen", I can use "ssh-copy-id" to the client node with no errors - so I presume something must be wrong with my format coming from Puttygen. The literal format - how the Puttygen public key is laid out in id_rsa.pub - looks exactly the same as the key produced by ssh-keygen. Any thoughts?
I solved it on my own by just copying a key directly from ssh-keygen instead. Not sure why the Puttygen key didn't work, but whatever works!
Note: I will regenerate all passwords and certs in my final install since I have provided all that information here. Also I have asked the same question here
https://discuss.elastic.co/t/kibana-ssl-pem-error-on-windows/117851/2
Environment
Windows 10 Enterprises
Elasticsearch Version : 6.1.1 (elasticsearch-6.1.1.zip)
Kibana Version: 6.1.1 (kibana-6.1.1-windows-x86_64.zip)
Problem:
I am trying to enabled SSL in kibana and I am running into an issue. I cant for the life of me figure out what I have done wrong. Here are the steps I have taken so far.
0) Create Yaml file use with the certutil --in flag.
instances:
- name: node1
dns: ['node1.local']
- name: devws-kibana
dns: ['devws-kibana.local']
1) Declare variables for use in powershell commands
$root = "C:\working\elasticsearch"
[Version]$esVersion = "6.1.1"
$es = "$root\elasticsearch-$($esVersion.ToString())"
$esService = "elasticsearch_$($esVersion.ToString() -replace '\.','')"
[Version]$KibanaVersion = "6.1.1"
$kibana = "$root\kibana-$($KibanaVersion.ToString())-windows-x86_64"
$kibanaService = "elasticsearch-kibana$($KibanaVersion.ToString() -replace '\.','')"
2) Install x-pack in elasticsearch
`&"$es\bin\elasticsearch-plugin.bat" install x-pack --batch`
3) Create a Self Signed CA certificate.
&"$es\bin\x-pack\certutil.bat" ca --silent --pass password --ca-dn "CN=Elasticsearch-DevWS" --pem --out "$root\elastic-stack-ca.zip"
Expand-Archive -Path "$root\elastic-stack-ca.zip" -OutputPath "$root\certs"
4) Create a cert for elasticsearch and kibana
&"$es\bin\x-pack\certutil.bat" cert --silent --pem --ca-cert "$root\certs\ca\ca.crt" --ca-key "$root\certs\ca\ca.key" -in "$root\instances.yml" --ca-pass password --pass password --out "$root\certificate-bundle.zip"
Expand-Archive -Path "$root\certificate-bundle.zip" -OutputPath "$root\certs"
5) Copy Certs to proper directories
Copy-Item -Path "$root\certs\ca\ca.crt" -Destination "$es\config\certs\ca.crt"
Copy-Item -Path "$root\certs\node1\*" -Destination "$es\config\certs\"
Copy-Item -Path "$root\certs\ca\ca.crt" -Destination "$kibana\config\certs\ca.crt"
Copy-Item -Path "$root\certs\devws-kibana\*" -Destination "$kibana\config\certs\"
6) Update Elasticsearch.yml to below
cluster.name: WRK001
node.name: node1
network.host: node1.local
http.port: 9210
discovery.zen.ping.unicast.hosts: [ 'node1.local' ]
processors: 2
node.master: true
node.data: true
node.max_local_storage_nodes: 1
xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.http.ssl.enabled: true
xpack.ssl.key_passphrase: password
7) Add secure key passphrase to keystore
"password" | &"$es\bin\elasticsearch-keystore.bat" add xpack.ssl.secure_key_passphrase --stdin
&"$es\bin\elasticsearch-keystore.bat" list
8) Start Elasticsearch
9) Set password for build in accounts
$url = https://node1.local:9210/
$output = & cmd.exe /C "$es\bin\x-pack\setup-passwords.bat auto --url $url -batch" 2>&1
Write-Host -ForegroundColor Green -BackgroundColor Black $output
10) Parse passwords from response and save to temp files.
$elasticPassword = ($output | Select-String -Pattern "^PASSWORD\selastic\s=\s(.*)$" -AllMatches).Matches[0].Groups[1].Value
$kibanaPassword = ($output | Select-String -Pattern "^PASSWORD\skibana\s=\s(.*)$" -AllMatches).Matches[0].Groups[1].Value
$elasticPassword | Out-File -FilePath "$es\config\elastic.password" -Encoding utf8
$kibanaPassword | Out-File -FilePath "$kibana\config\kibana.password" -Encoding utf8
11) Remove setting xpack.ssl.key_passphrase from Elasticsearch.yml
12) Restart Elasticsearch
13) Verify Elasticsearch is work (and it is)
14) Install X-Pack in kibana
&"$kibana\bin\kibana-plugin.bat" install x-pack
15) Update Kibana.yml to below
server.name: devws-kibana
server.host: devws-kibana.local
elasticsearch.url: https://node1.local:9210/
elasticsearch.username: kibana
elasticsearch.password: nWD0zPDLFiM3yHdVQM9j
elasticsearch.ssl.certificateAuthorities: ../config/certs/ca.crt
16) Start Kibana
17) Verify Kibana is running and I am able to log in with elastic user
18) Stop Kibana
19) Update Kibana.yml to below
server.name: devws-kibana
server.host: devws-kibana.local
server.ssl.enabled: true
server.ssl.certificate: ../config/certs/devws-kibana.key
server.ssl.key: ../config/certs/devws-kibana.crt
elasticsearch.url: https://node1.local:9210/
elasticsearch.username: kibana
elasticsearch.password: nWD0zPDLFiM3yHdVQM9j
elasticsearch.ssl.certificateAuthorities: ../config/certs/ca.crt
xpack.security.encryptionKey: 3qrb1xee9ue9rrh3p93ykj28otgp676iu0l8ziifjopfov6h4sv9jhyp49gpm90t
20) Try starting kibana. It fails and produces the following error.
FATAL Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:69:17)
at Server (_tls_wrap.js:776:25)
at new Server (https.js:26:14)
at Object.exports.createServer (https.js:47:10)
at new module.exports.internals.Connection (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\node_modules\hapi\lib\connection.js:88:74)
at internals.Server.connection (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\node_modules\hapi\lib\server.js:142:24)
at KbnServer.exports.default (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\http\setup_connection.js:43:10)
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:171:20
at next (native)
at step (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:191)
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:437
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:99
at KbnServer.mixin (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:187:7)
at KbnServer.<anonymous> (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\http\index.js:66:21)
at next (native)
Documentation:
https://www.elastic.co/blog/tls-elastic-stack-elasticsearch-kibana-logstash-filebeat
https://www.elastic.co/guide/en/kibana/6.1/installing-xpack-kb.html
https://www.elastic.co/guide/en/kibana/6.1/security-settings-kb.html
https://www.elastic.co/guide/en/kibana/current/production.html#enabling-ssl
https://www.elastic.co/guide/en/kibana/6.1/using-kibana-with-security.html
https://www.elastic.co/guide/en/kibana/6.1/settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.1/certutil.html
devws-kibana.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,17D5A5CA90BECF38
zOhDSJ8OFqB+FGvSmL18k4kIiojvO4yLnAmTYDar51NGAdvitBlGaOEvXzpBAx9j
3nwNVBvz+NCBMg9tOcr8UY9H1/Qgns7gpiWhCJmJlja33Jly97UJS9go6DHvWaJi
OoppKOHOkFaDDnMo6XkyHN2PXagVxFJxO8zW1OgQjMn1dWzUN8jwff/hUmgLT1tx
Arsso/+OKWEwZIJ2rczJjxXjgQmAu+d3libn8tLG9TpDStnj47j/8nxyViIp8Rq0
fFv3XW2QN8oj0Pjo0IBP8FjjGc8+b+zq+kgfvs0Lz65k5GigUcL66nkAgXTADb0S
1Qxo8NVgC4yzc94WrMqSiV99Tlw1kCh1Sb86TJDjYvWMko04wP+kFJrIPs2IxA9D
qxf7YwSZUHfIxg9FdNJHa+jHy+HinX9wOLK6JxZv5jWcZDNThjUW9JxRdvuM1nxD
6K0bUWAa8VlO0MU9x8Hwo7hhT4lJp6sr4jagKkvEqo/ZJWqyQzv5sOMQKu8vXGco
nqjxApjTQGIplf+RrYaPg7URH6GdOW3cIY0d+Hh9i1K/v7UolO2fZjSoCaYmt4YF
BjsMTIpdMnw1GfT0TlRa3bTgRAIqI9lE008fS/XRhjHgKY6wgHbbb7L+mxG05FIa
8rOAClu1btBJXZSELK4JqUgbY+kIPQqB2Ezh1FpggjTboJkdF2cXCazCLDtMSEi3
z95miNGm3rRtS0HNaqrElDQeNbbyo6X9joFKApaxvdICDe9rfdMbhl/tQkYZdyxA
XKeqbPL1dS95ma60A/7B0fIqwrD8Rko8q0EIMClG7bC/C7JRSdd8YEpIV9B1xorc
gYyPiLtoGsihFpF2wpapG0e45wKedtl5QAYbeMWp9JoRPx9ZUuaP4Usn6zdyCqtw
mWUGAHw2F7qQYpdvvUYrKAwC4dVRwivaHz4OoabppY0dYCq1THGvFBmlinbtDFLD
ihKwgnvdACyhWU+e45a53cAtpSwoaPVenFvUJU6MHt+XmxT757blb4Dn9nsHqrwz
HyWo0QoXdgbCwAzzBRW90R6wwYJx2cD+aYxpFop7aeeM/BgQ7IK2ejnykaTk3+NO
hTJ1RgUDvn30jmczvJE0hquzn4SxKVi/hn+YuPxENc2a3CDbj6vsLQRGYMxjnSwT
4POYxc+hgszaE7afh2sKjQHwNboHpeLNuFOXDU22StsIbltWltw+jKzz3sHNE83G
uUJnJPi7LN47WOT2pTNqV+k7/SEFfdo4JVDna54LF8LkrNLl9odmXR3ryTuTdQwP
fAiNXWySIKfEJufVb4g0tv3xDFtJztwZrVvOgCnMnlXw+4BWp7FmN3M+pjDReEdv
1t15tPoDltCfPRva4bZaUXriYSYK5w6PW0t33AR7WbUSKmYlisqInCXwACjBjQJc
nN8epVm33Kaqs18T1PSfkUKiqCKfFRqgleL5W96lG/W8b6qZvglod1qIu3k7qqiy
V6d/jLpe/lASCy1mCtjnNMYTkIlNc5Jyy7FrplXGEm5dWLunMCnCAYX4rfAunynW
1YdB/poa9pXBbUPrF1KxHVNAmV7x5VS4/0eK7LKcUAWs01nH7yiBsXEfs3YfsVMQ
-----END RSA PRIVATE KEY-----
devws-kibana.crt
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIUMtq8dgtI+Opfy++z6Ptx8ci2Pr8wDQYJKoZIhvcNAQEL
BQAwHjEcMBoGA1UEAxMTRWxhc3RpY3NlYXJjaC1EZXZXUzAeFw0xODAxMzAxOTUz
NTNaFw0yMTAxMjkxOTUzNTNaMBcxFTATBgNVBAMTDGRldndzLWtpYmFuYTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxUb4Mc9PVov9+r6a7V1At1+JL/
CXl81g3tFQNYLzAMj/RJr06HAht8Loh7i7rBvWjleklOZNoKC8LMhbDNU56ix4WK
46yboRknYbjyEYOTjujx6gKoZ72yHugcbF5mc6GoafnyDJf0zL5nNHD8rC61WsFg
hUzJF0qlA9dMojjMMrlrDJDIeKRzhrDj950QBgC9bzLVHQ0sseHmmPQFRQRXXYiP
7/89jfrclgsRaB/H7A2DI5JnZz/HvTQ7UiVOoRXb4TW3NMc1OQbkTg2bjpPMruL6
tVXE/F0xLL4XXSUKbzT95p3vGxRp0jbnce0c8u4USiBEWoJbmYmD/rOouOECAwEA
AaOBqDCBpTAdBgNVHQ4EFgQUpbjtvSNDqoOha32Oculkz4L9c6kwWgYDVR0jBFMw
UYAU3G6UbG/SC9ucNlVGjGZmwk/CQaehIqQgMB4xHDAaBgNVBAMTE0VsYXN0aWNz
ZWFyY2gtRGV2V1OCFQDW6SMoh4MojBt5XyEkdFAA85u/jTAdBgNVHREEFjAUghJk
ZXZ3cy1raWJhbmEubG9jYWwwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
Nr0wX2LqbIV8c4/tXaPUA34J8WoWS0HarADrFA+NFee3+/V0Afoun20HI8B8ql6a
5sK+omjDTsHxjjGIitatS/ntmOacJST4MLVeQzSHEfx3ArvozD0LJqnpCifvvUMz
0Gq1fmZHUioz3sHeqw4ZlpEll8MRyvtVj6gDQqzUJcaw9S06/J3VsEJbrRudhSLD
GYgCz1P5jIsZoiEFhinWafgayImcYY3LMNdpRFwIbmwO4Uhs26vgt2zfRVW3vw6r
+5O+DMvjoSe46fZN4uY36rCAEiCoYDC+PB6LSFOGbGswylTTL6F8EorQtjJxOnsn
yFmugwITE4K4iwAQcuCy+g==
-----END CERTIFICATE-----
ca.crt
-----BEGIN CERTIFICATE-----
MIIDWzCCAkOgAwIBAgIVANbpIyiHgyiMG3lfISR0UADzm7+NMA0GCSqGSIb3DQEB
CwUAMB4xHDAaBgNVBAMTE0VsYXN0aWNzZWFyY2gtRGV2V1MwHhcNMTgwMTMwMTk1
MzQ5WhcNMjEwMTI5MTk1MzQ5WjAeMRwwGgYDVQQDExNFbGFzdGljc2VhcmNoLURl
dldTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArB0kt1hdL0xuCqtw
pO/9wr6xvL9uOy63uHWhEvF8hqW1Kv3w9unZQkJxXlQj3oVbhJTGD6+Bu6RZ8nwl
J7kVjf3EHDvcvwZZElHjmV0zlZ8k3XlJJmKIFeCNAa52YpmReiFerIv+xWV9F4Ae
B77O2pNzfvrJzWroPBVodbF9/N0kxplwSbAJPRGLDvknxW0vX3XiyjvDUPZkmVhm
xc7g0XkTqtjGcYKylz3sfCEnBOSY+3TKePyA62thKlmfMb5iDxGHjraHCcXzPtjh
y3LcD4E3KM57xv1XnHyrKxzJLf0iaJb1xyd4aRGFfckhkqrGvyaS08PRLd3RL+QE
/JsRKQIDAQABo4GPMIGMMB0GA1UdDgQWBBTcbpRsb9IL25w2VUaMZmbCT8JBpzBa
BgNVHSMEUzBRgBTcbpRsb9IL25w2VUaMZmbCT8JBp6EipCAwHjEcMBoGA1UEAxMT
RWxhc3RpY3NlYXJjaC1EZXZXU4IVANbpIyiHgyiMG3lfISR0UADzm7+NMA8GA1Ud
EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIA7S3HbOEKw9kTjxPYlOYoe
kQiKTyZ7rxUAJYSnafnmsjbCMbpVXS9k+THm3IUTQuyxwrGuuBBeKFZJWQ1FcPiF
DVPsgsNO4MRT6r78XjmCJJZcB5FZqbfK7EQd/E4sRzq8bk5VR6wfQK/U5/42TTcw
5RdDYnS4axLQOb9AuSdma7XP6BcshNAFCTp39caP7ZfKLJeRMMv0Mn0/3Yt9I9dv
2MGpxnMOYeVKzYVeoyXXDIOZqdPEkPO6gO7i1MprHcC3XlXFwkbe/EZ4pKUtRTJU
kUgoSTOEd8BO8hwOYhG3HjOqTQe4U6lp2J58Kk47MMs8KUH5Zv47O8baNdHPWVw=
-----END CERTIFICATE-----
Figured out the issue. The server.ssl.certificate and server.ssl.key values were switched.
I am trying to pass a facter argument to puppet apply. Here's what I tried:
export FACTER_command="start"
puppet apply site.pp $FACTER_command
and in my code I have:
exec { 'some_exec':
command => '/bin/bash -c "/some/path/to/scripts.sh -t some_arg $::command"',
...
I get this message error:
Error: '/bin/bash -c "/some/path/to/scripts.sh -t some_arg $::command"' returned 1 instead of one of [0]
Error: /Stage[main]/Standard/Exec[some_exec]/returns: change from 'notrun' to ['0'] failed: '/some/path/to/scripts.sh -t some_arg $::command"' returned 1 instead of one of [0]
Does anyone have any idea about this?
UPDATE
class standard{
$param_test="/some/path/to/scripts.sh -t some_arg ${::command}"
file{'kick_servers':
ensure => 'file',
path => '/some/path/to/scripts.sh',
owner => 'some_user,
group => 'some_user',
mode => '0755',
notify => Exec['some_exec']
}
exec { 'some_exec':
command => '/bin/bash -c ${param_test}',
cwd => "$home_user_dir",
timeout => 1800
}
}
node default {
include standard
}
And I get this error
Error: '/bin/bash -c $param_test' returned 2 instead of one of [0]
Error: /Stage[main]/Standard/Exec[some_exec]/returns: change from 'notrun' to ['0'] failed: '/bin/bash -c $param_test' returned 2 instead of one of [0]
Yes. You have at least two issues you need to fix there:
1/
The immediate cause of your problem is you have enclosed $::command inside single quotes, telling Puppet that you mean the literal string $::command, when you actually want the value of the fact there.
2/
You should not be passing $FACTER_command as an argument to puppet apply; you only need to export it as an environment variable (which you already did).
So:
Change puppet apply to:
puppet apply site.pp
Change your exec to:
exec { 'some_exec':
command => "/bin/bash -c '/some/path/to/scripts.sh -t some_arg ${::command}'",
...
}
I am trying to use logstash http_poller to query a server RESTAPI. I download the server pem through explore, and generate jks file with keytool. but we still get error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Don't know what wrong.
The config like below:
http_poller {
urls => {
restapi => {
method => get
url => "https://path_to_resources
headers => {
Accept => "application/json"
}
truststore => "/path/generated.truststore.jks"
truststore_password => "xxx"
ssl_certificate_validation => false
auth => {
user => "xxx"
password => "xxx"
}
}
}
request_timeout => 60
interval => 60000
codec => "json"
metadata_target => "http_poller_metadata"
}
}
By the way, what impact if ssl_certificate_validation is set as false?
I interpret OPs intention as to hopefully being able to disable TLS verification, which we still cant (logstash-7.11.1) and I plow on with how to get a trust store for these cases. This Q was one of my hits in pursuit of the same.
Some appliances will be running self signed certificates (another discussion ppl...) - so a small script to setup such a trust store could be helpful, especially if you are about to set up some automation internally.
Another caveat is that the self signed certificate still has to have a matching host name.
Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html
NB! Further error checking, etc. is left at your discretion.
#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore
usage () {
echo "usage: get-cert.sh <hostname>:<port>"
exit 1
}
TRUSTSTORE=cacert/trust.jks
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)
[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage
OUTPUT=$(
openssl \
s_client \
-showcerts \
-connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
openssl \
x509 \
-outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }
keytool \
-import \
-storepass changeit \
-alias ${HOSTNAME} \
-noprompt \
-file <(echo "$OUTPUT") \
-keystore ${TRUSTSTORE}
Using some bash specific possibilities here. The alternative is to go through temporary files, as pr the official example (see link above).
Apparently your certificate is invalid .
Regarding
ssl_certificate_validation
it doesn't have real impact , http-puller is based on manticore, a ruby libary which relay on Apache HC
which does not support this hook see
I'm using Vagrant and Puppet for the first time in a project and I keep running into an issue.
I've used PuPHPet as a starting point, and I have the following snippet in my default.pp manifest:
class { 'apache': }
apache::dotconf { 'custom':
content => 'EnableSendfile Off',
}
apache::module { 'rewrite': }
apache::vhost { 'awesome.dev':
server_name => 'awesome.dev',
serveraliases => [
],
docroot => '/var/www',
port => '80',
directories => [ { path => '/var/www/', allow => 'from all', allow_override => ['All'] } ],
env_variables => [],
priority => '1',
}
When I run it, I always get the following error:
warning: Could not retrieve fact fqdn
Invalid parameter directories at /tmp/vagrant-puppet/manifests/default.pp:46 on node precise32
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!
cd /tmp/vagrant-puppet/manifests && puppet apply --verbose --modulepath '/etc/puppet/modules:/tmp/vagrant-puppet/modules-0' default.pp --detailed-exitcodes || [ $? -eq 2 ]
Line 46 is the end of the apache::vhost rule. I want to set it to allow override using htaccess, but I can't see where I've gone wrong. Can anyone see what the issue is?
PuPHPet uses the Example42 Apache Puppet module, see the README file. This module doesn't have a directories parameter in the vhost resource:
https://github.com/puphpet/puphpet-apache/blob/master/manifests/vhost.pp#L100
Only the Puppet Labs Apache module has a directories parameter, but it's a different module:
https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/vhost.pp#L25
You can however use the directory parameter in Example42's module similarly to the example which can be found in the vhost resource:
# apache::vhost { 'my.other.site':
# docroot => '/path/to/docroot',
# directory => '/path/to',
# directory_allow_override => 'All',
# }