The PuppetDB dashboard has some performance monitoring built in. Accessing it via localhost is easy: no auth. To access it remotely over SSL, you have to generate a client cert for your browser, configure Jetty to accept the puppet master CA cert, and add your client cert to a list of allowed certs. Here are all the steps I needed to make this work on CentOS 6.4 (server) and Mac OSX 10.7 with Firefox 23.0.1.
    [root@puppetmaster ssl]# puppet cert generate esakowski
    Notice: esakowski has a waiting certificate request
    Notice: Signed certificate request for esakowski
    Notice: Removing file Puppet::SSL::CertificateRequest esakowski at '/etc/puppetlabs/puppet/ssl/ca/requests/esakowski.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest esakowski at '/etc/puppetlabs/puppet/ssl/certificate_requests/esakowski.pem'
    Notice:
    Notice: You have 3 active and no inactive nodes.
    Notice: You are currently licensed for 10 active nodes.
    Notice:
    Notice: This Puppet Enterprise distribution is licensed to:
    Notice: N/A You are using a complimentary ten node license provided free by Puppet Labs.
    Notice:
    Notice: Your complimentary license does not include Support & Maintenance. If you
    Notice: would like to obtain official Support & Maintenance, please contact us
    Notice: for pricing, and to find out about volume discounts.
    [root@puppetmaster ssl]# find . -name 'esakowski\.*'
    ./public_keys/esakowski.pem
    ./private_keys/esakowski.pem
    ./ca/signed/esakowski.pem
    ./certs/esakowski.pem
    [root@puppetmaster ssl]#
Next you have to smash all these keys into a pkcs12 format (enter nothing for the password):
    [root@puppetmaster ssl]# cd /tmp
    [root@puppetmaster tmp]# openssl pkcs12 -export -out esakowski.pfx -inkey /etc/puppetlabs/puppet/ssl/private_keys/esakowski.pem -in /etc/puppetlabs/puppet/ssl/ca/signed/esakowski.pem -certfile /etc/puppetlabs/puppet/ssl/certs/ca.pem
    Enter Export Password:
    Verifying - Enter Export Password:
    [root@puppetmaster tmp]#
    [root@puppetmaster tmp]# file esakowski.pfx
    esakowski.pfx: data
    [root@puppetmaster tmp]#
Download this .pfx file to your workstation so you can add it to Firefox. With an empty export password, the file is effectively your unprotected private key, so handle it accordingly.
To add it to your Firefox keys, go to Preferences -> Advanced -> View Certificates -> Import and select the appropriate file. Here again, you enter nothing for the password.
You have to tell jetty to trust the puppetmaster ca cert. Edit /etc/puppetlabs/puppetdb/conf.d/jetty.ini to add:
If you try to hit https://puppetmaster:8081 right now, it should let you connect, but it will tell you “You shall not pass!” — this is because your cert is trusted but it’s not yet in the whitelist of certs that are allowed to see statistics from the puppetdb dashboard. Edit the whitelist to add the name of your cert (whatever name you passed to puppet cert generate):
    [root@puppetmaster conf.d]# cat /etc/puppetlabs/puppetdb/certificate-whitelist
    pe-internal-dashboard
    puppetmaster
    esakowski
    [root@puppetmaster conf.d]#
    [root@puppetmaster conf.d]# service pe-puppetdb restart
    Stopping pe-puppetdb: [ OK ]
    Starting pe-puppetdb: [ OK ]
    [root@puppetmaster conf.d]#
Now go to https://puppetmaster.foo.com:8081/ and you should see something like the screengrab below. If not, check the contents of /var/log/pe-puppetdb/*.log
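To tell a TLS trust failure apart from the "You shall not pass!" whitelist rejection without a browser, the checks below can be run on the puppet master. This is an added example, not part of the original post: the function names are hypothetical, the paths are the ones shown above, and it assumes the whitelist is matched against the certificate's CN as an exact line.

```shell
#!/bin/sh
# Added example: pre-flight checks for the client-cert setup in this post.
# Paths come from the post; function names are hypothetical.
SSL_DIR=${SSL_DIR:-/etc/puppetlabs/puppet/ssl}
WHITELIST=${WHITELIST:-/etc/puppetlabs/puppetdb/certificate-whitelist}

# Pull the CN out of an `openssl x509 -subject` line.
# Handles both "subject= /CN=name" and "subject=CN = name" output styles.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the name is a complete line of the whitelist file
# (-F literal, -x whole line), so "esakowsk" does not match "esakowski".
is_whitelisted() {
    grep -Fxq -- "$1" "$2"
}

# Returns 0 if all checks pass, 2 if the cert does not chain to the puppet CA,
# 3 if its CN differs from the requested name, 4 if the CN is not whitelisted.
check_client_cert() {
    name=$1
    cert="$SSL_DIR/ca/signed/$name.pem"
    # Match the ": OK" text; older openssl builds exit 0 even on failure.
    openssl verify -CAfile "$SSL_DIR/certs/ca.pem" "$cert" 2>&1 \
        | grep -q ': OK$' || return 2
    cn=$(subject_cn "$(openssl x509 -noout -subject -in "$cert")")
    [ "$cn" = "$name" ] || return 3
    is_whitelisted "$cn" "$WHITELIST" || return 4
}

# End-to-end request with the client cert; prints the HTTP status code.
# $1 = cert name, $2 = PuppetDB host name as it appears in the server cert.
probe_dashboard() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --cacert "$SSL_DIR/certs/ca.pem" \
        --cert "$SSL_DIR/ca/signed/$1.pem" \
        --key "$SSL_DIR/private_keys/$1.pem" \
        "https://$2:8081/"
}

# Usage (as root on the puppet master):
#   check_client_cert esakowski; echo "exit=$?"
#   probe_dashboard esakowski puppetmaster
```

A return code of 4 from `check_client_cert` corresponds to the whitelist rejection, while 2 points at the CA trust configuration instead.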