How to generate a certificate for a master which is not a CA
I have a situation and am not getting proper documentation on it.
I have two master puppet servers in a monolithic installation. One of them I want to use as the CA, the other as a simple master [console, db etc. should be here].
Now, once I have this non-CA master, I update /etc/puppetlabs/puppet/puppet.conf as:
[main]
certname = <non-camasterFQDN>
dns_alt_names = <noncamaster alternate dns, based on entry in /etc/hosts file>
vardir = /var/opt/lib/pe-puppet
logdir = /var/log/pe-puppet
rundir = /var/run/pe-puppet
basemodulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
server = <non-camasterFQDN>
user = pe-puppet
group = pe-puppet
archive_files = true
archive_file_server = <non-camasterFQDN>
ca_server = <camasterFQDN>

[master]
ca = false
certname = <non-camasterFQDN>
ca_name = 'Puppet CA generated on <non-camasterFQDN> at ...'
reports = console,puppetdb
node_terminus = console
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
storeconfigs = true
storeconfigs_backend = puppetdb

[agent]
report = true
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
graph = true
pluginsync = true
environment = production
Since during installation I already have certificates created, I try to regenerate the certificates on this non-CA master as described here: https://docs.puppetlabs.com/pe/latest/troubleregeneratecerts_monolithic.html
but when I try to run
puppet master --no-daemonize --verbose
I get the following error:
Info: Creating a new SSL key for masterpuppet.android.test
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for non-camasterFQDN
Info: Certificate Request fingerprint (SHA256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Notice: Starting Puppet master version 3.6.2 (Puppet Enterprise 3.3.2)
Error: Could not run: Could not retrieve certificate for non-camasterFQDN and not running on a valid certificate authority
Can you please let me know how to handle this situation?
Please let me know if you need further clarification.
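As an added illustration (not part of the question, and not Puppet's own tooling), the following Python script parses a puppet.conf like the one above and flags the settings that would make a compile-only master act as, or ask itself for, a certificate authority. It relies on two Puppet defaults: a master with no `ca` setting acts as a CA, and `ca_server` falls back to `server` when unset. The hostnames in the sample are constructed placeholders.

```python
import configparser

# Constructed sample modelled on the puppet.conf in the question (hostnames are placeholders).
SAMPLE_CONF = """
[main]
certname = noncamaster.example.test
server = noncamaster.example.test
ca_server = camaster.example.test
vardir = /var/opt/lib/pe-puppet
[master]
ca = false
certname = noncamaster.example.test
[agent]
report = true
classfile = $vardir/classes.txt
"""

def parse_puppet_conf(text):
    # puppet.conf is INI-like; interpolation is disabled so "$vardir" style values pass through.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_non_ca_master(cp):
    """Return the settings that would make this master sign, or request from itself, a certificate."""
    problems = []
    main = cp["main"] if cp.has_section("main") else {}
    master = cp["master"] if cp.has_section("master") else {}
    certname = (master.get("certname") or main.get("certname") or "").strip().lower()
    # Puppet default: a master with no "ca" setting is a CA; ca_server defaults to "$server".
    ca_flag = master.get("ca", "true").strip().lower()
    ca_server = (main.get("ca_server") or master.get("ca_server") or main.get("server") or "")
    ca_server = ca_server.strip().lower()
    if ca_flag != "false":
        problems.append("[master] ca is not false; this master would sign certificates itself")
    if not ca_server:
        problems.append("neither ca_server nor server is set; no CA to request a certificate from")
    elif ca_server == certname:
        problems.append("ca_server resolves to this master's own certname, not to the CA master")
    return problems

if __name__ == "__main__":
    for line in check_non_ca_master(parse_puppet_conf(SAMPLE_CONF)) or ["no problems found"]:
        print(line)
```

Running it against the sample above reports no problems; dropping `ca_server` or setting `ca = true` makes the corresponding finding appear.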