Centralizing Puppetserver CA
I've been attempting to create a second puppetserver instance, using my existing puppetserver as a centralized CA. After spending a full day failing to get it to work, I'm close to pulling my hair out. I've been following this doc: https://docs.puppet.com/guides/scalingmultiplemasters.html#centralize-the-certificate-authority (Option 1: Direct agent nodes to the CA Master; Method A: Individual Agent Configuration; Create New Puppet Master Servers).

puppetserver version: 1.1.3
OS: Ubuntu 12.04.5 LTS
I have an existing puppetserver that is working without issues. I intend to create a new puppetserver at our office to generate catalogues for our internal hosts.
These are my configs:
puppet.conf on the existing puppetserver / CA (puppet-ca):

```ini
[main]
ca_server = puppet-ca

[master]
certname = puppet
server = puppet
environmentpath = $confdir/environments
basemodulepath = $confdir/modules:/usr/share/puppet/modules
environment_timeout = 30s
pluginsync = false
storeconfigs = true
storeconfigs_backend = puppetdb
# Passenger
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
reports = store, puppetdb
reportfrom = firstname.lastname@example.org

[agent]
certname = node1.mydomain.com
server = puppet
pluginsync = false
runinterval = 25m
```

puppet.conf on the new puppetserver (puppet-office):

```ini
[main]
ca_server = puppet-ca

[master]
certname = puppet-office
server = puppet-office
environmentpath = $confdir/environments
basemodulepath = $confdir/modules:/usr/share/puppet/modules
environment_timeout = 30s
pluginsync = false
ca = false
# Passenger
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
reports = store
reportfrom = email@example.com

[agent]
certname = serv.office.mydomain.com
server = puppet-office
pluginsync = false
runinterval = 25m
```
These are the steps I've taken:

- The main puppetserver/CA is running in a good state, servicing puppet agents.
- The new puppetserver is not running; the /etc/puppet directory only contains environments, modules and puppet.conf.
- Run the puppet agent on puppet-office and sign the request on puppet-ca:

On puppet-office:

```
$ puppet agent --test --waitforcert 10
Info: Creating a new SSL key for serv.office.mydomain.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for serv.office.mydomain.com
Info: Certificate Request fingerprint (SHA256): 32:31:1D:0F:6A:AF:DA:03:B3:15:D4:8A:91:9C:98:3E:B8:D7:FC:01:D9:C7:DE:06:03:39:EC:A2:5B:D0:37:13
Info: Caching certificate for ca
Info: Caching certificate for serv.office.mydomain.com
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Connection refused - connect(2)
Info: Loading facts
Error: Could not retrieve catalog from remote server: Connection refused - connect(2)
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Connection refused - connect(2)
```

On puppet-ca:

```
$ puppet cert sign "serv.office.mydomain.com"
Notice: Signed certificate request for serv.office.mydomain.com
Notice: Removing file Puppet::SSL::CertificateRequest serv.office.mydomain.com at '/etc/puppet/ssl/ca/requests/serv.office.mydomain.com.pem'
```
- I start puppetserver on puppet-office:

```
$ service puppetserver start
```

- Puppet agent run on puppet-office:
Warning: Unable to fetch my ...
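An added example, not part of the question above: a small Python check that parses puppet.conf the way Puppet resolves settings (run-mode section first, then `[main]`) and flags the settings the linked doc prescribes for a centralized CA: the non-CA master must have `ca = false`, and both the master and the agent on that box must have `ca_server` pointing at the CA rather than at themselves. The three embedded configs are constructed copies, trimmed to the relevant keys; the first two mirror the configs posted above, the third is a deliberately broken variant.

```python
import configparser

# Constructed copy of the CA master's puppet.conf from the question (trimmed).
CA_MASTER_CONF = """\
[main]
ca_server = puppet-ca

[master]
certname = puppet
server = puppet
storeconfigs = true

[agent]
certname = node1.mydomain.com
server = puppet
"""

# Constructed copy of the new office master's puppet.conf (trimmed).
OFFICE_MASTER_CONF = """\
[main]
ca_server = puppet-ca

[master]
certname = puppet-office
server = puppet-office
ca = false

[agent]
certname = serv.office.mydomain.com
server = puppet-office
"""

# Constructed negative case (not from the question): a second master that
# left the CA enabled and never told its own agent where the CA lives.
BAD_MASTER_CONF = """\
[master]
certname = puppet-office
server = puppet-office

[agent]
certname = serv.office.mydomain.com
server = puppet-office
"""


def parse_conf(text):
    """Parse puppet.conf text; interpolation is off so $confdir values survive."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def setting(cp, section, key, default=None):
    """Resolve a setting like Puppet does: the run-mode section, then [main]."""
    for sec in (section, "main"):
        if cp.has_section(sec) and cp.has_option(sec, key):
            return cp.get(sec, key).strip()
    return default


def check_master(cp, is_ca):
    """Return finding codes; an empty list means the config matches its role
    (central CA master, or a compile master that defers to the central CA)."""
    findings = []
    own_certname = setting(cp, "master", "certname")
    ca_enabled = setting(cp, "master", "ca", "true").lower() == "true"
    master_ca_server = setting(cp, "master", "ca_server")
    agent_ca_server = setting(cp, "agent", "ca_server")

    if is_ca:
        if not ca_enabled:
            findings.append("ca-disabled-on-ca-master")
        return findings

    if ca_enabled:
        # A second enabled CA would issue certs from a different root; agents
        # that trust the central CA cannot verify this master's certificate.
        findings.append("ca-not-disabled")
    if not master_ca_server:
        findings.append("ca_server-missing-for-master")
    elif own_certname and master_ca_server.lower() == own_certname.lower():
        findings.append("ca_server-points-to-self")
    if not agent_ca_server:
        # The agent on this box must request its cert from the central CA.
        findings.append("ca_server-missing-for-agent")
    return findings


if __name__ == "__main__":
    for name, text, role in (("puppet-ca", CA_MASTER_CONF, True),
                             ("puppet-office", OFFICE_MASTER_CONF, False),
                             ("bad-office", BAD_MASTER_CONF, False)):
        print(name, check_master(parse_conf(text), is_ca=role) or "OK")
```

The check only covers puppet.conf; it says nothing about whether the puppetserver process itself honours `ca = false`, which is the part of the setup this linter cannot see from the config file alone.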