Proxy CA requests with jetty Puppetserver

asked 2016-03-22 14:12:32 -0600

afraley

When puppetserver used Apache, you could easily set up compile masters to proxy the CA requests back to the CA server with mod_proxy. Now that puppetserver uses jetty, is it possible to proxy requests to the CA server so that clients don't need the ca_server setting? I have some clients that cannot reach the CA server but they can reach their compile master, and the compile master can reach the CA/MoM.

I'm using Puppetserver 2.3.



This may not help for your case, but the Puppet Server in Puppet Enterprise has a built-in capability to proxy incoming CA requests to the Jetty server over to another server. The 'enable_ca_proxy' parameter in the puppet_enterprise::profile::master class controls this.

camlow325 ( 2016-04-04 10:39:04 -0600 )

I'm not aware of anything similar, however, which is built in for the Jetty web server stack in open-source Puppet Server.

camlow325 ( 2016-04-04 10:40:05 -0600 )

sleepingkangaroo ( 2016-09-07 14:39:40 -0600 )

@sleepingkangaroo - Thank you so much for that. For Puppetserver 2.4 I also had to uncomment use-legacy-auth-conf: false in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf. Not happy with the insecurity of this though, will probably ask our network guys to open another port for direct CA.

pckls ( 2016-09-21 02:15:14 -0600 )