Centralizing Puppetserver CA

asked 2016-05-24 19:20:29 -0500 by Confused_Panda

I've been attempting to create a second puppetserver instance, using my existing puppetserver as a centralized CA. After spending a full day failing to get it to work, I'm close to pulling my hair out. I've been following this doc: https://docs.puppet.com/guides/scalingmultiplemasters.html#centralize-the-certificate-authority (Option 1: Direct agent nodes to the CA Master, Method A: Individual Agent Configuration, Create New Puppet Master Servers)

puppetserver version: 1.1.3
os: ubuntu 12.04.5 lts

I have an existing puppetserver that is working without issues. I intend to create a new puppetserver at our office to generate catalogues for our internal hosts.

existing puppetserver hostnames: puppet, puppet-ca (sits on node1.mydomain.com)
new puppetserver hostnames: puppet-office (sits on serv.office.mydomain.com)

These are my configs:

/etc/puppet/puppet.conf (puppet):

[main]
   ca_server = puppet-ca
[master]
   certname            = puppet
   server              = puppet
   environmentpath     = $confdir/environments
   basemodulepath      = $confdir/modules:/usr/share/puppet/modules
   environment_timeout = 30s
   pluginsync          = false
   storeconfigs = true
   storeconfigs_backend = puppetdb

   # Passenger
   ssl_client_header        = SSL_CLIENT_S_DN
   ssl_client_verify_header = SSL_CLIENT_VERIFY

   reports     = store, puppetdb
   reportfrom  = puppet@mydomain.com
[agent]
   certname    = node1.mydomain.com
   server          = puppet
   pluginsync  = false
   runinterval = 25m

/etc/puppet/puppet.conf (puppet-office):

[main]
   ca_server = puppet-ca
[master]
   certname            = puppet-office
   server              = puppet-office
   environmentpath     = $confdir/environments
   basemodulepath      = $confdir/modules:/usr/share/puppet/modules
   environment_timeout = 30s
   pluginsync          = false
   ca                  = false

   # Passenger
   ssl_client_header        = SSL_CLIENT_S_DN
   ssl_client_verify_header = SSL_CLIENT_VERIFY

   reports     = store
   reportfrom  = puppet@mydomain.com
[agent]
   certname    = serv.office.mydomain.com
   server      = puppet-office
   pluginsync  = false
   runinterval = 25m

These are the steps I've taken:

- The main puppetserver/ca is running in a good state, servicing puppet agents.
- The new puppetserver is not running; the /etc/puppet directory only contains environments, modules, puppet.conf.

- Run the puppet agent on puppet-office and sign the request on puppet-ca:

puppet-office:

puppet agent --test --waitforcert 10
Info: Creating a new SSL key for serv.office.mydomain.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for serv.office.mydomain.com
Info: Certificate Request fingerprint (SHA256): 32:31:1D:0F:6A:AF:DA:03:B3:15:D4:8A:91:9C:98:3E:B8:D7:FC:01:D9:C7:DE:06:03:39:EC:A2:5B:D0:37:13
Info: Caching certificate for ca
Info: Caching certificate for serv.office.mydomain.com
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Connection refused - connect(2)
Info: Loading facts
Error: Could not retrieve catalog from remote server: Connection refused - connect(2)
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Connection refused - connect(2)

puppet-ca:

puppet cert sign "serv.office.mydomain.com"
Notice: Signed certificate request for serv.office.mydomain.com
Notice: Removing file Puppet::SSL::CertificateRequest serv.office.mydomain.com at '/etc/puppet/ssl/ca/requests/serv.office.mydomain.com.pem'

- I start puppetserver on puppet-office:

service puppetserver start

- Puppet agent run on puppet-office:

Warning: Unable to fetch my ...
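An added consistency check for the two puppet.conf files above (example code written for this thread, not from the question or from Puppet): it parses constructed excerpts of both configs and verifies that every master points at the same ca_server, that exactly one master still acts as CA, and that a non-CA master's [master] certname matches the [agent] certname the bootstrap agent run requested. It assumes puppet 3's lookup order (run-mode section, then [main]) and its default of `ca = true` on a master.

```python
# Constructed excerpts of the two puppet.conf files in the question (not copied from live hosts).
CONFS = {
    "node1.mydomain.com": "[main]\n ca_server = puppet-ca\n[master]\n certname = puppet\n"
                          "[agent]\n certname = node1.mydomain.com\n",
    "serv.office.mydomain.com": "[main]\n ca_server = puppet-ca\n[master]\n certname = puppet-office\n"
                                " ca = false\n[agent]\n certname = serv.office.mydomain.com\n",
}


def parse_puppet_conf(text):
    """Minimal INI parser for puppet.conf: {section: {key: value}}; comments and blanks ignored."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def setting(conf, key, section="master"):
    """Puppet resolves a setting from the run-mode section first, then falls back to [main]."""
    return conf.get(section, {}).get(key, conf.get("main", {}).get(key))


def check_centralized_ca(confs, ca_name):
    """confs: {host: puppet.conf text}. Returns a list of findings; empty means consistent."""
    findings, ca_masters = [], []
    for host, text in confs.items():
        conf = parse_puppet_conf(text)
        if setting(conf, "ca_server") != ca_name:
            findings.append(f"{host}: ca_server must be {ca_name}")
        if setting(conf, "ca") != "false":  # a puppet 3 master defaults to ca = true
            ca_masters.append(host)
        elif setting(conf, "certname") != setting(conf, "certname", "agent"):
            # A non-CA master cannot issue its own certificate, and the bootstrap agent run
            # only requests the [agent] certname, so the [master] certname may have no cert.
            findings.append(f"{host}: [master] certname {setting(conf, 'certname')} differs "
                            f"from [agent] certname {setting(conf, 'certname', 'agent')}")
    if len(ca_masters) != 1:
        findings.append(f"expected exactly one CA master, found {ca_masters}")
    return findings
```

Run against the configs from the question it reports one finding, for the office master's differing certnames, and nothing else.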