Multiple Puppet masters with single CA server

asked 2013-10-24 04:45:07 -0600

Daenney

updated 2013-10-25 12:53:48 -0600

I'm transitioning my Puppet setup from a single master to a master+PuppetDB per datacenter and one master that will only do CA.

The new masters will be configured with ca=false and ca_server=the-ca-master to centralise the CA activities on a single machine. I realise this creates a SPOF but that is not the issue.

What I'm running into is that every nginx server on the 'functional' masters needs to have the SSL stuff configured, including the CRL etc., meaning that for now the only solution I can find is to sync the necessary files like crl.pem ...


2 Answers

answered 2013-10-25 12:53:10 -0600

Daenney

updated 2013-10-25 13:27:43 -0600

I made some interesting discoveries while trying to solve the problem. The good part is, Puppet solves half of the issue for you, the bad side is it creates a security hole.

When the Puppet agent is run on a master (I'm not sure if it happens on non-masters too) the crl.pem file is downloaded from the actual CA server and cached. This is what I mean by 'Puppet solves half of the issue': you don't have to distribute the CRL yourself.

Now the security issue: it never actually 'busts' the cache, meaning that once the crl ...

answered 2013-10-25 13:06:31 -0600

nibalizer

The Puppet CA server supports pulling down the current crl via REST. An example curl command is:

curl -k -H "Accept: s" https://puppetmaster:8140/production/certificate_revocation_list/ca

This only works if you have a certificate that you are using to authenticate. To open the crl up to everyone, authenticated or not, you can put this in your auth.conf file (which goes next to puppet.conf):

path /certificate_revocation_list
auth any
method find
allow *

Thanks, I missed the API, that'll go into my cronjob.

Daenney (2013-10-25 13:24:46 -0600)

If anyone is interested I put together a shell script that will authenticate and connect to the puppetca rest api, download the crl, and move it once it has been validated by openssl: (it should autodetect any vars through puppet agent)

Derek (2014-11-12 19:45:08 -0600)
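An added example of the cron job described in the answer and comment above. It is not Derek's script (which is not on this page) and not Puppet's own code; it assumes Puppet 3 paths, that 'puppet agent --configprint' is available, and that curl and openssl are on PATH.

```shell
#!/bin/sh
# Added example (not the script Derek mentions, nor Puppet's own code): pull the
# CRL from a Puppet 3 CA over REST with this node's agent certificate, check it
# parses as a CRL, then replace the cached crl.pem atomically. Assumes Puppet 3
# paths, 'puppet agent --configprint', and curl/openssl on PATH.
set -eu

# Reuse the settings the agent already knows; fall back to the values used in
# the answer above when puppet is not installed (e.g. when testing).
ca_server=$(puppet agent --configprint ca_server 2>/dev/null || echo puppetmaster)
ca_port=$(puppet agent --configprint ca_port 2>/dev/null || echo 8140)
ssldir=$(puppet agent --configprint ssldir 2>/dev/null || echo /etc/puppet/ssl)
certname=$(puppet agent --configprint certname 2>/dev/null || echo localhost)
environment=$(puppet agent --configprint environment 2>/dev/null || echo production)

# REST URL of the CA's CRL (the endpoint quoted in the answer above).
build_crl_url() {
    printf 'https://%s:%s/%s/certificate_revocation_list/ca' "$1" "$2" "$3"
}

# Reject anything openssl cannot parse as a PEM CRL: a truncated download or
# an HTML error page must never replace a good CRL.
validate_crl() {
    openssl crl -noout -in "$1" >/dev/null 2>&1
}

# Authenticate with the node's own cert/key and verify the server against the
# local CA bundle instead of using -k, so a spoofed CA cannot feed a bogus CRL.
fetch_crl() {
    curl -sS --fail \
        --cert "$ssldir/certs/$certname.pem" \
        --key "$ssldir/private_keys/$certname.pem" \
        --cacert "$ssldir/certs/ca.pem" \
        -H 'Accept: s' \
        -o "$1" "$(build_crl_url "$ca_server" "$ca_port" "$environment")"
}

# Only a validated CRL is installed; mv within one filesystem is atomic, so
# nginx never reads a half-written file. Keeps the old CRL on any failure.
install_crl() {
    tmp=$(mktemp "$1.XXXXXX")
    if fetch_crl "$tmp" && validate_crl "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$1"
    else
        rm -f "$tmp"; echo "CRL update failed, keeping existing $1" >&2; return 1
    fi
}

# Run from cron as: crl-sync.sh --install (then reload nginx if it changed).
if [ "${1:-}" = "--install" ]; then install_crl "$ssldir/crl.pem"; fi
```

The auth.conf rule in the answer is only needed if the downloading node has no agent certificate; with the client cert above, the default authenticated access suffices.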
