As announced in the last edit of yesterday’s post, “Puppet and JRuby a love and hate story”, I finally managed to run a webrick puppetmaster under JRuby, with an MRI client connecting and fetching its config.
The Recipe
Puppet side
Unfortunately, Puppet creates its first certificate with a serial number of 0, which JRuby-OpenSSL considers invalid (the rejection actually comes from the Bouncy Castle JCE provider). So the first thing to do is check whether you already have a generated certificate with a serial of 0. If you have none, everything is fine and you can skip this step.
You can view a certificate’s content with openssl.
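The serial check described above can also be scripted. The following is an added example, not code from the original post or from Puppet: it uses Ruby's standard OpenSSL bindings to list every PEM certificate under a directory whose serial is 0. The helper names (zero_serial_certs, sample_cert, demo) are hypothetical, the sample certificates are constructed for the demo, and it assumes a current MRI Ruby and certificates stored as .pem files.

```ruby
require 'openssl'
require 'tmpdir'

# Return the paths of PEM certificates under ssl_dir whose serial number is 0.
# Files that are not X.509 certificates (private keys, CSRs, CRLs) are skipped.
def zero_serial_certs(ssl_dir)
  Dir.glob(File.join(ssl_dir, '**', '*.pem')).sort.select do |path|
    begin
      OpenSSL::X509::Certificate.new(File.read(path)).serial.to_i.zero?
    rescue OpenSSL::X509::CertificateError
      false
    end
  end
end

# Build a throwaway self-signed certificate with the given serial
# (constructed sample data, not a real Puppet certificate).
def sample_cert(serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=sample-#{serial}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Run the scan over a constructed directory holding one serial-0 certificate,
# one serial-1 certificate and a private key (which must be ignored).
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'ca.pem'), sample_cert(0).to_pem)
    File.write(File.join(dir, 'agent.pem'), sample_cert(1).to_pem)
    File.write(File.join(dir, 'key.pem'), OpenSSL::PKey::RSA.new(2048).to_pem)
    zero_serial_certs(dir).map { |p| File.basename(p) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Point zero_serial_certs at your $vardir/ssl directory; an empty result means no certificate has a serial of 0.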
If no certificate has a serial of 0, then you are fine. Otherwise, I’m afraid you’ll have to start the PKI from scratch (which means rm -rf $vardir/ssl and authenticating the clients again), after applying the following Puppet patch:
I’ll post this patch to puppet-dev soon, and I hope it will eventually get merged into mainline.
JRuby
You need the freshest JRuby available at this time. My tests were conducted with the latest JRuby as of commit “3aadd8a”. The best approach is to clone the JRuby GitHub repository and build it (this of course requires a JDK and Ant, but that’s pretty much all).
Then install jruby in your path (if you need assistance for this, I’m not sure this blog post is for you :-))
JRuby-OpenSSL
As I explained in my previous blog post on the same subject, Puppet exercises the Ruby OpenSSL subsystem heavily. During this experiment, I found a few shortcomings in the current JRuby-OpenSSL 0.5, including missing methods and missing behaviors that Puppet needs in order to run correctly.
So to get a fully Puppet-enabled JRuby-OpenSSL, you need either to get the very latest JRuby-OpenSSL from its own GitHub repository (or check out the puppet-fixes branch of my fork of that repository on GitHub), or to manually apply the following patches on top of the 0.5 source tarballs:
JRUBY-3689: OpenSSL::X509::CRL can’t be created with PEM content
JRUBY-3690: OpenSSL::X509::Request can’t be created from PEM content
JRUBY-3691: Implement OpenSSL::X509::Request#to_pem
JRUBY-3692: Implement OpenSSL::X509::Store#add_file
JRUBY-3693: OpenSSL::X509::Certificate#check_private_key is not implemented
JRUBY-3556: Webrick doesn’t start in https
JRUBY-3694: Webrick HTTPS produces some SSL stack trace
Then rebuild JRuby-OpenSSL, which is a straightforward process (copy build.properties.SAMPLE to build.properties, adjust the jruby.jar path, and then issue ant jar to build jopenssl.jar).
Once done, install the 0.5 JRuby-OpenSSL gem in your JRuby install, and copy the built jar over into lib/ruby/gems/1.8/gems/jruby-openssl-0.5/lib.
Let’s try it!
Then it’s time to run your puppetmaster: just start it with jruby instead of ruby. Of course, you need the Puppet dependencies installed (Facter).
My next try will be to run Puppet on JRuby and mongrel (or whatever replaces it in the JRuby world), then try with storeconfig on…
Hope that helps, and for any questions, please post to the puppet-dev list.