Alan Sparks
2010-Jan-31 19:13 UTC
[Puppet Users] What does it take to use a second fileserver?
I've a manifest that is trying to use a fileserver resource I've configured on a second puppetmaster. The second puppetmaster is actually working as the main puppetmaster for my domain - this new puppetmaster is one I've set up to test migrating to new manifests.

Unfortunately, I've re-entered SSL hell trying to access the "software" fileserver on the second puppetmaster:

    Failed to retrieve current state of resource: Certificates were not trusted: certificate verify failed Could not describe /software/stock-rx-db.sql: Certificates were not trusted: certificate verify failed

Trying to use a reference like:

    source => "puppet://$my_sw_fileserver/software/stock-rx-db.sql"

This is on Puppet 0.24.8. Is there something "special" that needs to be done to have a Puppet client trust a second fileserver/puppetmaster?

Thanks in advance for any advice.
-Alan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dan Bode
2010-Feb-01 00:23 UTC
Re: [Puppet Users] What does it take to use a second fileserver?
On Sun, Jan 31, 2010 at 11:13 AM, Alan Sparks <asparks@doublesparks.net> wrote:

> I've a manifest that is trying to use a fileserver resource I've
> configured on a second puppetmaster. The second puppetmaster is
> actually working as the main puppetmaster for my domain - this new
> puppetmaster is one I've set up to test migrating to new manifests.

To simplify an environment with multiple puppetmasters, your primary puppetmaster should serve as the CA for all clients as well as the secondary puppet masters.

You can disable the CA functionality on the secondary puppet masters as follows.

    [puppetmasterd]
    ca = false

Then the clients should specify which CA they will use:

    [puppetd]
    ca_server = primarypuppetmaster.blah.net

The secondary puppet masters should authenticate with the primary puppetmaster before any clients connect.

Let me know if this resolves your issue.
-Dan

> Unfortunately, I've re-entered SSL hell trying to access the "software"
> fileserver on the second puppetmaster:
> Failed to retrieve current state of resource: Certificates were not
> trusted: certificate verify failed Could not describe
> /software/stock-rx-db.sql: Certificates were not trusted: certificate
> verify failed
>
> Trying to use a reference like:
> source => "puppet://$my_sw_fileserver/software/stock-rx-db.sql"
>
> This is on Puppet 0.24.8. Is there something "special" that needs to be
> done to have a Puppet client trust a second fileserver/puppetmaster?
>
> Thanks in advance for any advice.
> -Alan
Alan Sparks
2010-Feb-01 00:49 UTC
Re: [Puppet Users] What does it take to use a second fileserver?
Dan Bode wrote:
> On Sun, Jan 31, 2010 at 11:13 AM, Alan Sparks
> <asparks@doublesparks.net> wrote:
>
>     I've a manifest that is trying to use a fileserver resource I've
>     configured on a second puppetmaster. The second puppetmaster is
>     actually working as the main puppetmaster for my domain - this new
>     puppetmaster is one I've set up to test migrating to new manifests.
>
> To simplify an environment with multiple puppetmasters, your primary
> puppetmaster should serve as the CA for all clients as well as the
> secondary puppet masters.
>
> You can disable the CA functionality on the secondary puppet masters
> as follows.
>
> [puppetmasterd]
> ca = false

Since the secondary puppetmaster in this case is running as a primary legacy puppetmaster for clients, this will likely break them, correct?

> Then the clients should specify which CA they will use:
>
> [puppetd]
> ca_server = primarypuppetmaster.blah.net
>
> The secondary puppet masters should authenticate with the primary
> puppetmaster before any clients connect.

I don't understand this statement - authenticate how?

Thanks for the response.
-Alan
Dan Bode
2010-Feb-01 01:55 UTC
Re: [Puppet Users] What does it take to use a second fileserver?
On Sun, Jan 31, 2010 at 4:49 PM, Alan Sparks <asparks@doublesparks.net> wrote:

> Dan Bode wrote:
> > On Sun, Jan 31, 2010 at 11:13 AM, Alan Sparks
> > <asparks@doublesparks.net> wrote:
> >
> >     I've a manifest that is trying to use a fileserver resource I've
> >     configured on a second puppetmaster. The second puppetmaster is
> >     actually working as the main puppetmaster for my domain - this new
> >     puppetmaster is one I've set up to test migrating to new manifests.
> >
> > To simplify an environment with multiple puppetmasters, your primary
> > puppetmaster should serve as the CA for all clients as well as the
> > secondary puppet masters.
> >
> > You can disable the CA functionality on the secondary puppet masters
> > as follows.
> >
> > [puppetmasterd]
> > ca = false
>
> Since the secondary puppetmaster in this case is running as a primary
> legacy puppetmaster for clients, this will likely break them, correct?

Yes, it would be best to allow the existing CA (your old puppetmaster) to serve as the CA, otherwise you will have to rip out all of the certs and start over. I think it's possible just to copy over the CA directory to the new primary puppetmaster (although I wouldn't swear by it).

> > Then the clients should specify which CA they will use:
> >
> > [puppetd]
> > ca_server = primarypuppetmaster.blah.net
> >
> > The secondary puppet masters should authenticate with the primary
> > puppetmaster before any clients connect.
>
> I don't understand this statement - authenticate how?

I guess authenticate is not the best word to use, what I mean is that both the clients and the servers need to have their certs signed by the same trusted CA, this not only signs the certs, but also establishes trust with that CA (ie: I trust whoever you sign). Then they will accept each other's certs since they know they have been signed by the trusted CA (ie: the one that signed me).

The order is:

1. Start primary puppetserver (that will serve as CA).
2. Run puppetd on secondary puppetserver host, the CA will sign its cert.
3. Start secondary puppet server, be sure to specify ca=false.
4. Now run the clients, and specify that the primary puppetmaster is the ca_server.

> Thanks for the response.
> -Alan
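
The trust relationship described in the reply above, as an added Ruby example that is not part of the thread or of Puppet's own code: an agent whose trust store holds only the primary CA rejects a server certificate the secondary master issued from its own CA, and accepts one signed by the primary CA. Host names, CA names, serials and lifetimes are constructed for the demo.

```ruby
require "openssl"

# Build an RSA key and a certificate for `cn`. With issuer nil the
# certificate is a self-signed CA; otherwise it is signed by `issuer`.
def build_cert(cn, serial, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if issuer.nil?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# What an agent does with a peer certificate: check that it chains to the
# single CA certificate in its trust store.
def verify_against(ca_cert, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(peer_cert)
  [ok, store.error_string]
end

def fileserver_trust_demo
  # Constructed names; both CAs are throwaway and live only in memory.
  primary_ca   = build_cert("Puppet CA: primary.example.test", 1)
  secondary_ca = build_cert("Puppet CA: secondary.example.test", 1)
  # Secondary master still running its own CA: its server cert is self-issued.
  own    = build_cert("secondary.example.test", 2, secondary_ca)
  # Secondary master after the primary CA signed its cert (ca = false on it).
  shared = build_cert("secondary.example.test", 3, primary_ca)
  { two_cas:   verify_against(primary_ca[:cert], own[:cert]),
    shared_ca: verify_against(primary_ca[:cert], shared[:cert]) }
end

RESULT = fileserver_trust_demo
RESULT.each { |name, (ok, err)| puts "#{name}: trusted=#{ok} (#{err})" }
```

The `two_cas` case is the "certificate verify failed" situation from the first message; the `shared_ca` case is the state after step 2 of the order above.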