
Autosigning puppet master certs in a multi-master environment

asked 2017-06-12 13:43:43 -0600

JDFlanigan

I'm running a multi-master setup with a centralized CA. The full stack runs in a docker swarm with containers running puppetserver as strictly non-CA masters, and a puppetserver-based CA with a mounted file system that contains all of the certificates. Everything is working great, but I'd like to automate the signing of master certificates so that scaling this system is completely automated. The problem is, my masters all contain DNS alt names, so the CA refuses to autosign their certificates despite the domains being on the whitelist. Has anyone tried a similar setup where certificate signing is automated for masters only? Is there some workaround for this? I've explored the puppet dockerhub, but it doesn't seem to contain much information on multi-master docker setups.


1 Answer


answered 2017-06-13 13:35:39 -0600

JDFlanigan

Going to go ahead and answer my own question for anyone who might run into this issue. The solution was to mount a directory to the master container's /etc/puppetlabs/puppet/ssl directory and sign one certificate. Any future master containers that join the swarm should mount this directory, use that certificate, and they will work just fine so long as every master has the same hostname.

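The layout the answer describes, written out as a Docker swarm stack file (an added example, not the poster's configuration): the CA service keeps its own ssl directory, while every master replica gets the same hostname and bind-mounts one shared ssl directory holding the single signed certificate and key. The image name and the CA_ENABLED / CA_HOSTNAME / PUPPETSERVER_HOSTNAME / DNS_ALT_NAMES variables are assumptions about the puppet/puppetserver image; the host paths are placeholders.

```yaml
version: "3.3"

services:
  puppetca:
    image: puppet/puppetserver            # assumption: image name
    hostname: puppetca
    environment:
      CA_ENABLED: "true"                  # assumption: image env var
      PUPPETSERVER_HOSTNAME: puppetca
    volumes:
      # the CA's own certs, keys and the signed/requests dirs; keep it
      # separate from the masters' directory so the CA key never ends
      # up on a master node
      - /srv/puppet/ca-ssl:/etc/puppetlabs/puppet/ssl
    deploy:
      replicas: 1

  puppetmaster:
    image: puppet/puppetserver
    hostname: puppet                      # identical on every replica
    environment:
      CA_ENABLED: "false"                 # strictly non-CA master
      CA_HOSTNAME: puppetca               # assumption: image env var
      PUPPETSERVER_HOSTNAME: puppet
      DNS_ALT_NAMES: puppet,puppet.example.com   # placeholder names
    volumes:
      # shared directory: contains the one certificate signed by hand
      # (certs/puppet.pem) and its key (private_keys/puppet.pem).
      # It must be reachable from every swarm node (shared storage or
      # the same path pre-populated on each node); the private_keys
      # subdirectory should stay mode 0750 with the key mode 0640, as
      # puppetserver creates them.
      - /srv/puppet/master-ssl:/etc/puppetlabs/puppet/ssl
    ports:
      - "8140:8140"
    deploy:
      replicas: 3                         # scale freely; no new CSRs
```

Only the first replica ever submits a CSR; once it is signed on the CA (with alt names allowed), every later replica finds certs/puppet.pem in the mounted directory and skips the request, which is why the shared hostname is required.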



Last updated: Jun 13 '17