Ask Your Question
0

Configure CA Proxy on puppetserver 2.3.2

asked 2016-11-10 09:41:40 -0500

ddk gravatar image

updated 2016-11-14 03:41:27 -0500

We are running a central CA on one of the puppet master server. Before we used ca_server configuration inside the puppet.conf for all our clients. Now we would like to configure CA proxy on the compile master, so all of the certificate requests can be forward to CA, but none of the clients need to have direct contact with the CA master.

We have followed the following documents from puppetlab,: link text

However the client cannot reach any ca after that ;

Error: Could not request certificate: Find /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true resulted in 40tml>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 </title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /puppet-ca/v1/certificate/ca. Reason:
<pre>    Not Found</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>

I am not sure if this is due to misconfiguration, or this feature is not available for the open source version. Can any one help ?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2016-11-12 06:38:27 -0500

updated 2016-11-16 07:00:25 -0500

External CA Configuration

External SSL Termination

Having applied the configurations specified in links above, you can then setup an apache vhost to proxy the certificate requests to the CA. Reference this vhost configuration for an example.

edit flag offensive delete link more
0

answered 2016-11-14 11:15:45 -0500

camlow325 gravatar image

Following the documentation in the link that you provided, the CA running on the compile-only master would be completely disabled - not configured to perform as a proxy to another node. In that mode, it is assumed that you would be distributing certificates to your agents out-of-band such that the agent would never try to request a certificate from the compile-only master. This is probably not the functionality that you are looking for.

There is a feature in Puppet Server in Puppet Enterprise - 3.7 and later - which allows the CA on a compile-only master to be configured to proxy requests over to CA running on another node. This feature, however, does not exist in the open-source Puppet Server releases.

edit flag offensive delete link more

Comments

Thank you, We started to work on this CA proxy because we saw it working with the PE version. But apparently there are some pe-only code deployed during configuring the compile master. So I guess this is it. Thank you for confirming it.

ddk gravatar imageddk ( 2016-11-16 08:21:03 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2016-11-10 09:41:40 -0500

Seen: 194 times

Last updated: Nov 16 '16