How to setup multiple puppet masters with a single CA?

asked 2015-02-13 09:51:07 -0500

djc72uk

Hi,

I have spent days now endlessly searching the web for answers to this question that I've not yet been able to find a success story for.

Some of the documentation I've been referencing among others:

https://docs.puppetlabs.com/guides/pa...
https://docs.puppetlabs.com/guides/sc...multiple masters.html
https://docs.puppetlabs.com/puppet/la...filemain.html

How to setup multiple puppet masters with a single CA?

The puppetlabs documentation explains this as a very simple procedure, but I suspect that shortcuts have been made and some assumptions taken into account. Either that or I've completely got the wrong end of the stick! For example, it states that before running any puppet agent and/or master associated commands on the non-CA puppet master, the following changes need to be made:

In puppet.conf, do the following:
  Set ca to false in the [master] config block.
  If you’re using the individual agent configuration method of CA centralization:
  Set ca_server to the hostname of your CA server in the [main] config block.

In my experiences so far, this is where the problems start to occur. Once I've made the recommended changes to the non-CA, creating a certificate fails with the following error:

Error: Could not run: Could not retrieve certificate for <hostname.FQDN> and not running on a valid certificate authority

NOTE: I used puppet master --no-daemonize --verbose to generate a new certificate on the non-CA master.

The only way I was able to successfully generate a new certificate on the non-CA puppet master was to comment out the changes I made in puppet.conf, i.e. ca = false.

In an attempt to get around the issue, I left the recommended changes within puppet.conf commented out, then re-attempted certificate generation with the same command above. This was successful. I then uncommented the changes accordingly in order to reflect a recommended configuration and restarted Apache/Passenger.

Then from an agent, I initially removed any existing certificates prior to attempting an initial puppet agent run. I then attempted to request a certificate via the non-CA master. This completed successfully without any issues and I was subsequently able to sign the certificate request on the puppet master (not the non-CA). I then repeated the puppet agent command to apply the associated modules etc. This however failed with the following:

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer  certificate for /CN=<hostname-of-non-CA.FQDN]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://<hostname-of-non-CA>/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=<hostname-of-non-CA.FQDN]

I understand (from what I've read anyway) that this is associated with a certificate mismatch, but I'm confused as to how this could be the case. Everything within ...


4 Answers


answered 2015-02-14 18:10:24 -0500

camlow325

updated 2015-02-16 13:49:19 -0500

Above, you wrote:

Once I've made the recommended changes to the non-CA, creating a certificate fails with the following error:

Error: Could not run: Could not retrieve certificate for [hostname.FQDN] and not running on a valid certificate authority

NOTE: I used puppet master --no-daemonize --verbose to generate a new certificate on the non-CA master.

The error message that you saw is what I would expect to see if you were starting up the non-CA master with "ca = false" and no certificate had previously been generated for the non-CA master. Non-CA masters, unfortunately, do not have logic built into them to automatically request a certificate from the ca_server like agents do.

Did you follow these steps from the scaling multiple masters page?

Request a new certificate by running "puppet agent --test --waitforcert 10".

Log into the CA server and run "puppet cert sign [your master's hostname.FQDN]".

In case that wasn't clear, the "puppet agent" step would need to be run from a command shell on the non-CA master node. I'd also suggest running this command with the non-CA master service not running.

If these steps were successful, I would expect your non-CA master to find the [hostname.FQDN] certificate during its next startup and, therefore, not encounter the "Could not run" error. When you run an agent later against that non-CA master, then, I would also expect the agent to be able to successfully validate the certificate of the non-CA master - as the non-CA master's certificate would have been issued by the same CA as the agents use to get their own certificate.

You should not have "ca = true" in the non-CA master's puppet.conf as that would cause the non-CA master to generate its own CA certificate and server certificate rather than using the separate CA that you are intending to have issue the non-CA master certificate.

You'll probably need to clear out the ssldir on the non-CA master before trying these steps again so that the non-CA master isn't holding on to the certificate that it issued to itself during its previous "ca = true" run. The "sudo rm -r $(puppet master --configprint ssldir)" command recommended by the scaling multiple masters page should work for this.

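The "unable to get local issuer certificate" failure in the question is reproducible as a plain certificate-chain check. The following is an added Ruby example (not code from this thread or from Puppet): an agent only trusts the CA it was enrolled with, so a host certificate issued by a CA the non-CA master generated for itself during a "ca = true" run does not chain, while one issued by the shared CA does. All hostnames and keys are constructed for the demonstration.

```ruby
require 'openssl'

# Issue a certificate for cn. Self-signed when no issuer is given.
def make_cert(cn, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The agent-side check: does host_cert chain to the one CA the agent trusts?
# Returns [ok, error_string]; error_string is nil when verification succeeds.
def issued_by_trusted_ca?(ca_cert, host_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(host_cert)
  [ok, ok ? nil : store.error_string]
end

# Constructed scenario: the shared CA the agents enrolled with, and a second
# CA that the non-CA master created for itself while started with ca = true.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('Puppet CA: ca.example.test', ca_key, 1, ca: true)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_ca = make_cert('Puppet CA: master2.example.test', rogue_key, 1, ca: true)
  host_key = OpenSSL::PKey::RSA.new(2048)
  good = make_cert('master2.example.test', host_key, 2, issuer_cert: ca_cert, issuer_key: ca_key)
  bad = make_cert('master2.example.test', host_key, 3, issuer_cert: rogue_ca, issuer_key: rogue_key)
  { good: issued_by_trusted_ca?(ca_cert, good), bad: issued_by_trusted_ca?(ca_cert, bad) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same check can be run against a real deployment by loading the CA's ca_crt.pem and the non-CA master's host certificate from its ssldir in place of the constructed ones.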

answered 2016-03-11 11:09:30 -0500

tehmasp

very helpful


answered 2016-03-13 09:54:21 -0500

tehmasp

I've followed the scaling PM guide and I'm pretty sure that I've followed it correctly. My setup is Puppet 4.x using DNS SRV records. Can someone verify if the scaling PM guide actually works w/ the latest Puppet Server 4.x installation?

I'm still getting SSL issues from a Puppet agent node when it tries to connect to my 2nd (non-CA) Puppet Server via SRV records. If I shut down this 2nd server so that it is NOT running and the Puppet agent node must connect to the 1st CA Puppet Server - Puppet agent catalogs work fine and I do not get any errors in the logs.

Tehmasp


answered 2016-11-02 17:57:54 -0500

AA-nut

Is there a simple step-by-step guide to set up Puppet with multiple masters using the open source version? Any help is appreciated.
