
How to generate certificate for a master which is not a CA

asked 2014-10-24 17:51:19 -0600

schowdh

Hi Folks,

I have a situation and am not getting proper documentation on it.

I have two master puppet servers in monolithic installation. One of them I want to use as CA, the other simple master [console, db etc should be here].

Now once I have this non-ca master I update /etc/puppetlabs/puppet/puppet.conf as

    # this master's own identity (listed once; the original had a duplicate certname line)
    certname = <non-camasterFQDN>
    dns_alt_names = <noncamaster alternate dns, based on entry in /etc/hosts file>
    vardir = /var/opt/lib/pe-puppet
    logdir = /var/log/pe-puppet
    rundir = /var/run/pe-puppet
    basemodulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
    server = <non-camasterFQDN>
    user  = pe-puppet
    group = pe-puppet
    archive_files = true
    archive_file_server = <non-camasterFQDN>
    # the CA lives on the other master; this master only talks to it
    ca_server = <camasterFQDN>
    ca = false
    ca_name = 'Puppet CA generated on <non-camasterFQDN> at ...'
    reports = console,puppetdb
    node_terminus = console
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    storeconfigs = true
    storeconfigs_backend = puppetdb

    report = true
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    graph = true
    pluginsync = true
    environment = production

Since during installation I already had certificates created, I try to regenerate the certificates on this non-CA master as described here:

but when I try to run

    puppet master --no-daemonize --verbose

I get the following error:

    Info: Creating a new SSL key for
    Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for non-camasterFQDN
    Info: Certificate Request fingerprint (SHA256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    Notice: Starting Puppet master version 3.6.2 (Puppet Enterprise 3.3.2)
    Error: Could not run: Could not retrieve certificate for non-camasterFQDN and not running on a valid certificate authority

Can you please let me know what is the way to handle this situation.

Please let me know if you need further clarification.


1 Answer

answered 2014-10-25 22:32:57 -0600

cbarbour

Unlike the Agent, the Master does not automatically submit a CSR to the CA when it requires a signed cert.

First of all, kudos for generating a separate master cert. While you can use the same cert for the agent and the master, using separate certificates is best practice.

The most direct way to generate a CSR for your master is via the cert command.

    puppet certificate generate --dns-alt-names 'puppet,puppet.<DN>' --ca-location remote <non-camasterFQDN>

The puppet certificate command is documented here:

The DNS alt names are not strictly speaking required, but they are handy if you have any DNS aliases for your server, and necessary if clients might find the server using a DNS suffix search.

You might also have to specify the --ca-server='<camasterFQDN>' argument.

Remember that to sign this cert on the CA, you'll need to supply the --allow-dns-alt-names argument to the puppet cert sign command.

If you want to automate the configuration of your Puppet Masters, I believe PE includes a native resource type for generating CSRs. I'm not sure if it's published to the forge at this time.



Hi cbarbour, thanks for your comments. I tried this out but it did not work. I kept on getting the same error. But one observation, and quite frustrating: suddenly ProxyPassMatch started popping up as an unknown command. This command was working fine all along.

schowdh (2014-10-27 18:39:28 -0600)

I am using Puppet Enterprise, so I do not need to install apache2, mod_proxy etc. separately; pe-httpd should take care of it. But the pe-httpd restart is failing, saying ProxyPassMatch is invalid. Any idea what is causing the issue? I am anyway still trying to debug the main problem.

schowdh (2014-10-27 18:41:54 -0600)

Unfortunately, I don't know exactly what would cause the ProxyPassMatch problem. For the main certificate issue, are you sure you have the signed cert, the public key, and the private key on the non-CA master? Is it possible that the CA never sent the cert back to the non-CA master?

cbarbour (2014-10-29 23:33:46 -0600)

Thank you! I have anyway now got a solution to resolve the ProxyPassMatch issue. The proxy module was not enabled, so one needs to run /opt/puppet/sbin/a2enmod proxy to enable it for PE-Puppet.

schowdh (2014-10-30 13:31:45 -0600)
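The check cbarbour asks for (does the non-CA master actually hold the private key, the public key and the signed cert?) and the generate-then-sign workflow from the answer, as an added example that is not code from this thread or from Puppet itself. It inspects the master's ssldir, reports which stage of the CSR workflow the host is stuck at, and prints the command for the next stage. It assumes the default Puppet 3.x / PE 3.x ssldir layout (`private_keys/`, `public_keys/`, `certificate_requests/`, `certs/` under `/etc/puppetlabs/puppet/ssl`); the CA host name and alt names used in the messages are placeholders taken from whatever you pass in:

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, the answer,
# or the Puppet project. Works out why a non-CA master fails with
#   "Could not retrieve certificate for <certname> and not running on a
#    valid certificate authority"
# by checking which SSL artefacts exist in its ssldir.
#
# Layout assumed (Puppet 3.x / PE 3.x default ssldir):
#   $ssldir/private_keys/$certname.pem          private key
#   $ssldir/public_keys/$certname.pem           public key
#   $ssldir/certificate_requests/$certname.pem  CSR still waiting to be signed
#   $ssldir/certs/$certname.pem                 signed certificate from the CA
#   $ssldir/certs/ca.pem                        the CA's own certificate

# cert_state SSLDIR CERTNAME
# Prints exactly one of: no-key  no-csr  csr-pending  no-ca  ready
cert_state() {
    ssldir=$1; certname=$2
    if [ ! -s "$ssldir/private_keys/$certname.pem" ] || [ ! -s "$ssldir/public_keys/$certname.pem" ]; then
        echo no-key; return 0            # nothing generated yet
    fi
    if [ ! -s "$ssldir/certs/$certname.pem" ]; then
        if [ -s "$ssldir/certificate_requests/$certname.pem" ]; then
            echo csr-pending             # CSR exists, CA has not signed/returned it
        else
            echo no-csr                  # key pair exists but no CSR and no cert
        fi
        return 0
    fi
    if [ ! -s "$ssldir/certs/ca.pem" ]; then
        echo no-ca; return 0             # cert present but CA cert never downloaded
    fi
    echo ready
}

# next_step STATE CERTNAME CA_SERVER ALT_NAMES
# Prints the command to run next and on which host; prints nothing when ready.
next_step() {
    state=$1; certname=$2; ca=$3; alt=$4
    case $state in
        no-key|no-csr)
            echo "on $certname: puppet certificate generate --dns-alt-names '$alt' --ca-location remote --ca-server $ca $certname"
            echo "  (if 'puppet cert list --all' on $ca already shows $certname, fetch it instead with: puppet agent --test --ca_server $ca)" ;;
        csr-pending)
            echo "on $ca: puppet cert sign --allow-dns-alt-names $certname"
            echo "then on $certname: puppet agent --test --ca_server $ca   # downloads the signed cert" ;;
        no-ca)
            echo "on $certname: puppet agent --test --ca_server $ca   # downloads ca.pem from the CA" ;;
        ready) ;;
        *) echo "unknown state: $state" >&2; return 1 ;;
    esac
}

# Run against the live tree only when PUPPET_CERTNAME is set, e.g.
#   PUPPET_CERTNAME=$(puppet master --configprint certname) PUPPET_CA_SERVER=ca.example.com sh check.sh
if [ -n "$PUPPET_CERTNAME" ]; then
    state=$(cert_state "${PUPPET_SSLDIR:-/etc/puppetlabs/puppet/ssl}" "$PUPPET_CERTNAME")
    echo "state: $state"
    next_step "$state" "$PUPPET_CERTNAME" "${PUPPET_CA_SERVER:-ca.example.com}" "${PUPPET_DNS_ALT_NAMES:-puppet}"
fi
```

The `csr-pending` case is the one in the question: the master has generated a key and CSR, but a master (unlike an agent) does not wait for the CA, so the signed cert only lands in `certs/` once it is signed on the CA and then fetched. If the CA already shows a signed certificate for this name, a second `puppet certificate generate` will be rejected; either fetch the existing cert or run `puppet cert clean <certname>` on the CA and start over.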


Last updated: Oct 25 '14