How to set multiple Puppet masters with single CA accessed via proxy

asked 2014-10-22 18:20:49 -0500

schowdh

Hi Folks,

I am trying to achieve something like the following:

  1. One master server acting as CA server. Name it camaster.
  2. One master server acting as console/dashboard/database server. Name it localmaster.
  3. One or two agent nodes that speak to localmaster for packages/modules/manifests, but just get their certificate from camaster.

BUT, the condition is that agent nodes cannot directly talk to camaster, so certificate requests are to be proxied via localmaster.

I have installed monolithic PE on the two master servers (camaster and localmaster) using the web-based installer, running as the root/sudo user.

My understanding is that PE already runs on httpd and does not run on webrick [considering I can see passenger and httpd are already running, so I do not try to install apache2 and passenger myself]. Please correct me if this basic assumption of mine is wrong. The reason I do not do this is that I faced an issue opening the console when I tried it earlier. Next, I make a change in the /etc/puppetlabs/httpd/conf.d/masterpuppet.conf file to add the following:

SSLProxyEngine On
# Proxy all requests that start with things like /production/certificate to the CA
ProxyPassMatch ^/([^/]+/certificate.*)$ https://camaster.example.com:8140/$1

I also make changes in the /opt/puppet/share/puppet-dashboard/config/settings.yml file to make sure caport is 8140 and caserver is camaster.example.com.

In puppet.conf at /etc/puppetlabs/puppet I add ca = false under [master] and ca_server = camaster.example.com under [main].

I do not make any other changes to the existing entries in [master] and [main].

On the server that I want to be used as CA, I add:

path /certificate_revocation_list
auth any
method find
allow *

Anyway, once I run the curl -k... to download and install the tarball on the agent node, it runs fine (gets installed).

But when I try to run sudo puppet agent -t, it throws me:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA generated on localmaster.localpuppet.test at 2014-10-22 15:37:08 -0700]
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA generated on localmaster.localpuppet.test at 2014-10-22 15:37:08 -0700]
Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://localmaster.localpuppet.test/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA generated on localmaster.localpuppet.test at 2014-10-22 15:37:08 -0700]
Wrapped exception: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA generated on localmaster.localpuppet.test at 2014-10-22 15 ...
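The error text above is the useful clue: the certificate the agent rejects is issued by "Puppet CA generated on localmaster.localpuppet.test", i.e. localmaster's own CA, while an agent whose ca_server is camaster only trusts the CA bundle it downloaded from camaster. Setting ca = false on localmaster stops it issuing new certificates, but it does not replace the server certificate that localmaster's httpd is already presenting. The script below is an added example, not from the question or from Puppet Enterprise; it rebuilds that trust failure offline with throw-away openssl keys (all names are constructed for the demo) and then shows the same check passing once localmaster's certificate is issued by the single CA. Run it on a host with openssl installed; it does not touch any PE installation.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "self signed
# certificate in certificate chain" failure with throw-away openssl material.
# Every hostname and CN below is constructed for the demo.

WORK=$(mktemp -d)

# make_ca NAME "CN": a self-signed CA certificate plus key, like the CA every
# monolithic PE master generates for itself at install time.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_server_cert HOST CANAME: HOST's server certificate, signed by CANAME.
# Output file: $WORK/HOST-by-CANAME.crt
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1-by-$2.crt" >/dev/null 2>&1
}

# agent_verify SERVER_CERT TRUSTED_CA PRESENTED_CHAIN
# What an agent does on connect: trust only the CA it fetched from ca_server
# and check the server certificate against it. The CA the server sends along
# in its chain is untrusted unless it is the same CA. Exit 0 = verified,
# non-zero = the "certificate verify failed" seen in the question.
agent_verify() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# cleanup: remove the scratch directory when you are done.
cleanup() {
    rm -rf "$WORK"
}

# Two masters, each installed monolithically, so each has its own CA.
make_ca camaster "Puppet CA generated on camaster.example.com"
make_ca localca  "Puppet CA generated on localmaster.localpuppet.test"

# Broken state: localmaster still serves a certificate from its own CA, but
# the agent's trust anchor is camaster's CA (downloaded through the proxy).
issue_server_cert localmaster.localpuppet.test localca

# Fixed state: localmaster's certificate re-issued by the one CA on camaster.
issue_server_cert localmaster.localpuppet.test camaster

if agent_verify "$WORK/localmaster.localpuppet.test-by-localca.crt" \
                "$WORK/camaster.crt" "$WORK/localca.crt"; then
    echo "unexpected: certificate from localmaster's own CA was accepted"
else
    echo "agent rejects localmaster cert issued by localmaster's own CA (the error in the question)"
fi

if agent_verify "$WORK/localmaster.localpuppet.test-by-camaster.crt" \
                "$WORK/camaster.crt" "$WORK/camaster.crt"; then
    echo "agent accepts localmaster cert once camaster's CA issued it"
else
    echo "unexpected: certificate from camaster's CA was rejected"
fi
```

The practical consequence: with one CA, every master the agents talk to (not just the agents) needs a certificate signed by that CA, so localmaster's own certificate must be replaced after pointing it at camaster. Proxying only the certificate endpoints is not enough on its own; the proxy rule above also has to cover whatever other CA paths the agent uses (the CRL, for one, which is why the auth.conf entry for /certificate_revocation_list is needed), and the proxied connection from localmaster to camaster should itself verify camaster's certificate rather than relying on SSLProxyEngine alone.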

1 Answer


answered 2014-10-23 08:21:05 -0500

golja

Maybe to simplify the problem, just create a puppetca virtualhost on your puppetmaster and use the transparent proxy directive to redirect the CA requests to your puppetca server.

On the puppet client define the ca_server to match your puppetca virtualhost.


Comments

Thanks for the suggestion, I'll check that out, though this is something new to me :) !

schowdh (2014-10-23 18:29:41 -0500)
