autosign
Token not saved in journal file
Hi, I am trying to use autosign but for some reason I keep getting the "Unable to validate token" error. Upon checking the journal file it seems the token isn't saved. I installed autosign via the puppet-autosign module.
My configuration looks like this:
    ---
    general:
      loglevel: DEBUG
      logfile: "/var/log/autosign.log"
    jwt_token:
      validity: '31556926'
      journalfile: "/var/lib/autosign/autosign.journal"
      secret: suppersecretpassword
When I generate the token:
/opt/puppetlabs/puppet/bin/autosign --debug --config=/etc/autosign.conf generate -r -t 31556926 *.example.com
DEBUG -- Autosign::Config : initializing Autosign::Config
DEBUG -- Autosign::Config : Using merged settings hash: {"config_file"=>"/etc/autosign.conf"}
DEBUG -- Autosign::Config : merging settings
DEBUG -- Autosign::Config : Finding config file
DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"suppersecretpassword"}}
DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"suppersecretpassword"}, "config_file"=>"/etc/autosign.conf"}
DEBUG -- Autosign : validfor: 31556926
DEBUG -- Autosign::Token : initializing Autosign::Token
INFO -- Autosign : generated token for: *.example.com
Autosign token for: *.example.com, valid until: 2019-04-12 18:10:24 +0000
To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:
    custom_attributes:
      challengePassword: "ey.....sAte4yBFyQ"
But when I check the journal (/var/lib/autosign/autosign.journal) it's empty. Am I doing something wrong?
What are the permissions on /var/lib/autosign/autosign.journal? Is it writable by the user puppet or puppet enterprise is running as?
The permissions are:
ls -alh /var/lib/autosign/autosign.journal
-rw-r----- 1 puppet puppet 0 Apr 13 12:55 /var/lib/autosign/autosign.journal
And the user puppet can access the file:
puppet@puppetmaster:/$ echo "test" > /var/lib/autosign/autosign.journal
puppet@puppetmaster:/$ cat /var/lib/autosign/autosign.journal
test
puppet@puppetmaster:/$ id
uid=999(puppet) gid=999(puppet) groups=999(puppet)
@sirhopcount that definitely looks correct. Tokens only get recorded in the journal after a successful validation, to prevent them from being re-used. Tokens aren't recorded upon generation; they're cryptographically signed to prevent forgery, and cryptographic validation instead of recording them is how they're validated. If you're checking the journal after generating a token, you should not expect to find anything in the journal. You should only expect to find a journal entry after a non-reusable token has been successfully validated.
Can you share log output from a failed validation attempt?
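The behaviour described in the reply above, as an added Ruby example that is not part of the thread and is not autosign's own code: generation only signs the token (HS512), validation recomputes the signature, and the journal is written only after a non-reusable token validates. The module name `DemoAutosign`, the claim names, the in-memory journal hash and all sample values are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Illustrative model only (not the autosign gem): an HMAC-signed token plus a
# journal that records one-time tokens after they have been used successfully.
module DemoAutosign
  module_function

  # URL-safe base64 without padding, as used in JWT segments.
  def b64(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def unb64(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m')
  end

  def sign(signing_input, secret)
    b64(OpenSSL::HMAC.digest('SHA512', secret, signing_input))
  end

  # Constant-time comparison so the check does not leak where strings differ.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Generation signs the claims and returns the token. It never touches the
  # journal, so an empty journal right after generation is expected.
  def generate(certname_glob, secret:, reusable:, validfor:, now: Time.now)
    header  = b64(JSON.generate('typ' => 'JWT', 'alg' => 'HS512'))
    payload = b64(JSON.generate(
      'certname' => certname_glob,
      'reusable' => reusable,
      'uuid'     => SecureRandom.uuid,
      'exp'      => now.to_i + validfor
    ))
    "#{header}.#{payload}.#{sign("#{header}.#{payload}", secret)}"
  end

  # Returns [ok, reason]. journal is a Hash of uuid => exp and is written only
  # when a non-reusable token has passed every check.
  def validate(token, certname, secret:, journal:, now: Time.now)
    header, payload, signature = token.to_s.split('.', 3)
    return [false, :malformed] unless header && payload && signature

    expected = sign("#{header}.#{payload}", secret)
    return [false, :bad_signature] unless secure_equal?(expected, signature)

    claims = JSON.parse(unb64(payload))
    return [false, :expired] if claims['exp'].to_i <= now.to_i
    return [false, :certname_mismatch] unless File.fnmatch(claims['certname'], certname)
    return [true, :reusable] if claims['reusable']
    return [false, :already_used] if journal.key?(claims['uuid'])

    journal[claims['uuid']] = claims['exp']
    [true, :one_time]
  end
end

if __FILE__ == $PROGRAM_NAME
  secret  = 'constructed-demo-secret' # constructed sample value
  journal = {}
  token   = DemoAutosign.generate('*.example.local', secret: secret,
                                  reusable: false, validfor: 3600)
  puts "journal entries after generate: #{journal.size}"
  p DemoAutosign.validate(token, 'dev.example.local', secret: 'other-secret', journal: journal)
  p DemoAutosign.validate(token, 'dev.example.local', secret: secret, journal: journal)
  p DemoAutosign.validate(token, 'dev.example.local', secret: secret, journal: journal)
  puts "journal entries after validation: #{journal.size}"
end
```

A token signed with one secret and checked with another fails at the signature step and leaves the journal untouched, which is why an empty journal by itself says nothing about whether generation worked.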
Here are the logs. I changed the domain to example.local in the meantime, but the rest of the configuration is still the same.
2018-04-16T08:24:20.734608 DEBUG -- Autosign : certname is dev.example.local
2018-04-16T08:24:20.734814 DEBUG -- Autosign : reading CSR from stdin
2018-04-16T08:24:20.735322 DEBUG -- Autosign : CSR: {:challenge_password=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcIiouZXhhbXBsZS5sb2NhbFwiLFwicmVxdWVzdGVyXCI6XCJwdXBwZXRtYXN0ZXJcIixcInJldXNhYmxlXCI6dHJ1ZSxcInZhbGlkZm9yXCI6MzE1NTY5MjYsXCJ1dWlkXCI6XCJjMjIzMWI3Ni02MGE5LTQzZDctODk0YS0wNjEwOGE1MzI0NzFcIn0iLCJleHAiOiIxNTU1NDIzOTE5In0._5KU-1HxyCHLQK-Sfui302niVnp5WGPhfwq7ebELgWOsPXv2a_rKmLMGAKmuuDsy4LicxW6wFTjVszD8_KiBIQ", :common_name=>"dev.example.local"}
2018-04-16T08:24:20.736494 DEBUG -- Autosign::Validators::Passwordlist : starting autosign validator: password_list
2018-04-16T08:24:20.736591 DEBUG -- Autosign::Validators::Passwordlist : merging settings
2018-04-16T08:24:20.736689 DEBUG -- Autosign::Validators::Passwordlist : loading validator-specific configuration
2018-04-16T08:24:20.736752 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.736803 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.736843 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.736897 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.736937 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.736978 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.737018 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.737070 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.737266 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.737398 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.737465 WARN -- Autosign::Validators::Passwordlist : Unable to load validator-specific configuration
2018-04-16T08:24:20.737509 WARN -- Autosign::Validators::Passwordlist : Cannot load configuration section named 'password_list'
2018-04-16T08:24:20.737573 DEBUG -- Autosign::Validators::Passwordlist : using merged settings: {}
2018-04-16T08:24:20.737625 DEBUG -- Autosign::Validators::Passwordlist : validating merged settings
2018-04-16T08:24:20.737675 DEBUG -- Autosign::Validators::Passwordlist : validating settings: {}
2018-04-16T08:24:20.737714 DEBUG -- Autosign::Validators::Passwordlist : successfully validated merged settings
2018-04-16T08:24:20.737776 DEBUG -- Autosign::Validators::Passwordlist : running validate
2018-04-16T08:24:20.737827 DEBUG -- Autosign::Validators::Passwordlist : validating against simple password list
2018-04-16T08:24:20.737866 DEBUG -- Autosign::Validators::Passwordlist : merging settings
2018-04-16T08:24:20.737902 DEBUG -- Autosign::Validators::Passwordlist : loading validator-specific configuration
2018-04-16T08:24:20.737957 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.738002 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.738039 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.738088 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.738125 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.738164 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.738212 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.738252 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.738442 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.738562 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.738615 WARN -- Autosign::Validators::Passwordlist : Unable to load validator-specific configuration
2018-04-16T08:24:20.738668 WARN -- Autosign::Validators::Passwordlist : Cannot load configuration section named 'password_list'
2018-04-16T08:24:20.738729 DEBUG -- Autosign::Validators::Passwordlist : using merged settings: {}
2018-04-16T08:24:20.738779 DEBUG -- Autosign::Validators::Passwordlist : validating merged settings
2018-04-16T08:24:20.738829 DEBUG -- Autosign::Validators::Passwordlist : validating settings: {}
2018-04-16T08:24:20.738878 DEBUG -- Autosign::Validators::Passwordlist : successfully validated merged settings
2018-04-16T08:24:20.738926 DEBUG -- Autosign::Validators::Passwordlist : passwords: {}
2018-04-16T08:24:20.738997 DEBUG -- Autosign::Validators::Passwordlist : Checking if password list includes password
2018-04-16T08:24:20.739051 DEBUG -- Autosign::Validators::Passwordlist : merging settings
2018-04-16T08:24:20.739101 DEBUG -- Autosign::Validators::Passwordlist : loading validator-specific configuration
2018-04-16T08:24:20.739146 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.739196 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.739245 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.739296 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.739344 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.739384 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.739435 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.739473 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.739636 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.739742 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.739813 WARN -- Autosign::Validators::Passwordlist : Unable to load validator-specific configuration
2018-04-16T08:24:20.739878 WARN -- Autosign::Validators::Passwordlist : Cannot load configuration section named 'password_list'
2018-04-16T08:24:20.739932 DEBUG -- Autosign::Validators::Passwordlist : using merged settings: {}
2018-04-16T08:24:20.739982 DEBUG -- Autosign::Validators::Passwordlist : validating merged settings
2018-04-16T08:24:20.740020 DEBUG -- Autosign::Validators::Passwordlist : validating settings: {}
2018-04-16T08:24:20.740066 DEBUG -- Autosign::Validators::Passwordlist : successfully validated merged settings
2018-04-16T08:24:20.740109 DEBUG -- Autosign::Validators::Passwordlist : validation result: false
2018-04-16T08:24:20.740146 DEBUG -- Autosign::Validators::Passwordlist : validation failed
2018-04-16T08:24:20.740185 DEBUG -- Autosign::Validators::Passwordlist : Unable to validate 'dev.example.local' using 'password_list' validator
2018-04-16T08:24:20.741171 DEBUG -- Autosign::Validators::Multiplexer : starting autosign validator: multiplexer
2018-04-16T08:24:20.741259 DEBUG -- Autosign::Validators::Multiplexer : merging settings
2018-04-16T08:24:20.741319 DEBUG -- Autosign::Validators::Multiplexer : loading validator-specific configuration
2018-04-16T08:24:20.741379 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.741426 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.741477 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.741537 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.741600 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.741641 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.741692 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.741733 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.741965 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.742097 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.742162 WARN -- Autosign::Validators::Multiplexer : Unable to load validator-specific configuration
2018-04-16T08:24:20.742218 WARN -- Autosign::Validators::Multiplexer : Cannot load configuration section named 'multiplexer'
2018-04-16T08:24:20.742286 DEBUG -- Autosign::Validators::Multiplexer : using merged settings: {"strategy"=>"any"}
2018-04-16T08:24:20.742342 DEBUG -- Autosign::Validators::Multiplexer : validating merged settings
2018-04-16T08:24:20.742385 DEBUG -- Autosign::Validators::Multiplexer : validating settings: {"strategy"=>"any"}
2018-04-16T08:24:20.742425 DEBUG -- Autosign::Validators::Multiplexer : done validating settings
2018-04-16T08:24:20.742484 DEBUG -- Autosign::Validators::Multiplexer : successfully validated merged settings
2018-04-16T08:24:20.742548 DEBUG -- Autosign::Validators::Multiplexer : running validate
2018-04-16T08:24:20.742587 DEBUG -- Autosign::Validators::Multiplexer : validating using multiplexed external executables
2018-04-16T08:24:20.742625 DEBUG -- Autosign::Validators::Multiplexer : merging settings
2018-04-16T08:24:20.742673 DEBUG -- Autosign::Validators::Multiplexer : loading validator-specific configuration
2018-04-16T08:24:20.742728 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.742790 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.742836 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.742875 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.742922 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.742997 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.743046 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.743097 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.743304 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.743439 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.743504 WARN -- Autosign::Validators::Multiplexer : Unable to load validator-specific configuration
2018-04-16T08:24:20.743560 WARN -- Autosign::Validators::Multiplexer : Cannot load configuration section named 'multiplexer'
2018-04-16T08:24:20.743631 DEBUG -- Autosign::Validators::Multiplexer : using merged settings: {"strategy"=>"any"}
2018-04-16T08:24:20.743686 DEBUG -- Autosign::Validators::Multiplexer : validating merged settings
2018-04-16T08:24:20.743731 DEBUG -- Autosign::Validators::Multiplexer : validating settings: {"strategy"=>"any"}
2018-04-16T08:24:20.743795 DEBUG -- Autosign::Validators::Multiplexer : done validating settings
2018-04-16T08:24:20.743844 DEBUG -- Autosign::Validators::Multiplexer : successfully validated merged settings
2018-04-16T08:24:20.743886 DEBUG -- Autosign::Validators::Multiplexer : merging settings
2018-04-16T08:24:20.743937 DEBUG -- Autosign::Validators::Multiplexer : loading validator-specific configuration
2018-04-16T08:24:20.743995 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.744040 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.744095 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.744138 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.744176 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.744229 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.744291 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.744330 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.744519 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.744659 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.744731 WARN -- Autosign::Validators::Multiplexer : Unable to load validator-specific configuration
2018-04-16T08:24:20.744787 WARN -- Autosign::Validators::Multiplexer : Cannot load configuration section named 'multiplexer'
2018-04-16T08:24:20.744846 DEBUG -- Autosign::Validators::Multiplexer : using merged settings: {"strategy"=>"any"}
2018-04-16T08:24:20.744903 DEBUG -- Autosign::Validators::Multiplexer : validating merged settings
2018-04-16T08:24:20.744956 DEBUG -- Autosign::Validators::Multiplexer : validating settings: {"strategy"=>"any"}
2018-04-16T08:24:20.744996 DEBUG -- Autosign::Validators::Multiplexer : done validating settings
2018-04-16T08:24:20.745061 DEBUG -- Autosign::Validators::Multiplexer : successfully validated merged settings
2018-04-16T08:24:20.745101 DEBUG -- Autosign::Validators::Multiplexer : validating using 'any' strategy
2018-04-16T08:24:20.745150 DEBUG -- Autosign::Validators::Multiplexer : validation failed
2018-04-16T08:24:20.745226 DEBUG -- Autosign::Validators::Multiplexer : Unable to validate 'dev.example.local' using 'multiplexer' validator
2018-04-16T08:24:20.745568 DEBUG -- Autosign::Validators::JWT : starting autosign validator: jwt_token
2018-04-16T08:24:20.745637 DEBUG -- Autosign::Validators::JWT : merging settings
2018-04-16T08:24:20.745707 DEBUG -- Autosign::Validators::JWT : loading validator-specific configuration
2018-04-16T08:24:20.745777 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.745826 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.745876 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.745933 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.745974 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.746014 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.746062 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.746114 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.746320 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.746459 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.746511 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.746565 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.746623 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.746676 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.746716 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.746771 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.747054 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.747200 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.747270 DEBUG -- Autosign::Validators::JWT : Set validator-specific settings from config file: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.747335 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.747392 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.747432 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.747488 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.747545 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.747591 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.747801 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.747948 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.748045 DEBUG -- Autosign::Validators::JWT : using merged settings: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.748118 DEBUG -- Autosign::Validators::JWT : validating merged settings
2018-04-16T08:24:20.748170 DEBUG -- Autosign::Validators::JWT : validating settings: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.748230 INFO -- Autosign::Validators::JWT : validated settings successfully
2018-04-16T08:24:20.748292 DEBUG -- Autosign::Validators::JWT : successfully validated merged settings
2018-04-16T08:24:20.748366 DEBUG -- Autosign::Validators::JWT : running validate
2018-04-16T08:24:20.748421 INFO -- Autosign::Validators::JWT : attempting to validate JWT token
2018-04-16T08:24:20.748462 DEBUG -- Autosign::Validators::JWT : merging settings
2018-04-16T08:24:20.748514 DEBUG -- Autosign::Validators::JWT : loading validator-specific configuration
2018-04-16T08:24:20.748571 DEBUG -- Autosign::Config : initializing Autosign::Config
2018-04-16T08:24:20.748685 DEBUG -- Autosign::Config : Using merged settings hash: {}
2018-04-16T08:24:20.748726 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.748765 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.748825 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.748892 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.748933 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.748982 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.749213 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.749335 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.749383 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.749464 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.749507 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.749548 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.749596 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.749659 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.749848 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.749970 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.750030 DEBUG -- Autosign::Validators::JWT : Set validator-specific settings from config file: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.750070 DEBUG -- Autosign::Config : merging settings
2018-04-16T08:24:20.750130 DEBUG -- Autosign::Config : Finding config file
2018-04-16T08:24:20.750186 DEBUG -- Autosign::Config : Checking if file '/etc/puppetlabs/puppetserver/autosign.conf' exists
2018-04-16T08:24:20.750241 DEBUG -- Autosign::Config : Configuration file '/etc/puppetlabs/puppetserver/autosign.conf' not found
2018-04-16T08:24:20.750280 DEBUG -- Autosign::Config : Checking if file '/etc/autosign.conf' exists
2018-04-16T08:24:20.750329 DEBUG -- Autosign::Config : Reading config file from: /etc/autosign.conf
2018-04-16T08:24:20.750489 DEBUG -- Autosign::Config : configuration read from config file: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.750635 DEBUG -- Autosign::Config : using merged settings: {"general"=>{"loglevel"=>"DEBUG", "logfile"=>"/var/log/autosign.log"}, "jwt_token"=>{"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}}
2018-04-16T08:24:20.750732 DEBUG -- Autosign::Validators::JWT : using merged settings: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.750800 DEBUG -- Autosign::Validators::JWT : validating merged settings
2018-04-16T08:24:20.750845 DEBUG -- Autosign::Validators::JWT : validating settings: {"validity"=>"31556926", "journalfile"=>"/var/lib/autosign/autosign.journal", "secret"=>"supersecretpassword"}
2018-04-16T08:24:20.750886 INFO -- Autosign::Validators::JWT : validated settings successfully
2018-04-16T08:24:20.750937 DEBUG -- Autosign::Validators::JWT : successfully validated merged settings
2018-04-16T08:24:20.751253 DEBUG -- Autosign::Validators::JWT : validation failed
2018-04-16T08:24:20.751319 DEBUG -- Autosign::Validators::JWT : Unable to validate 'dev.example.local' using 'jwt_token' validator
2018-04-16T08:24:20.751422 ERROR -- Autosign : Unable to validate token
Can you also post your autosign.conf and the /etc/puppet/csr_attributes.yaml file on the node you're trying to set up?
/etc/autosign.conf
# autosign configuration is managed by Puppet
# manual modifications to this file will be overrwitten
    ---
    general:
      loglevel: DEBUG
      logfile: "/var/log/autosign.log"
    jwt_token:
      validity: '31556926'
      journalfile: "/var/lib/autosign/autosign.journal"
      secret: supersecretpassword
/etc/puppetlabs/puppet/csr_attributes.yaml
---
    custom_attributes:
      challengePassword: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcIiouZXhhbXBsZS5sb2NhbFwiLFwicmVxdWVzdGVyXCI6XCJwdXBwZXRtYXN0ZXJcIixcInJldXNhYmxlXCI6dHJ1ZSxcInZhbGlkZm9yXCI6MzE1NTY5MjYsXCJ1dWlkXCI6XCJjMjIzMWI3Ni02MGE5LTQzZDctODk0YS0wNjEwOGE1MzI0NzFcIn0iLCJleHAiOiIxNTU1NDIzOTE5In0._5KU-1HxyCHLQK-Sfui302niVnp5WGPhfwq7ebELgWOsPXv2a_rKmLMGAKmuuDsy4LicxW6wFTjVszD8_KiBIQ"
By the way, I am testing this in a small Vagrant environment, if you want I can create a public repo of it.
I created a repository containing my current test setup in case you want to inspect it:
https://github.com/sirhopcount/vagrant-puppet-autosign