I did a quick look for it but I could not find it. When it comes to puppet masters, is it required to copy the puppet/ssl/ca directory to each puppet master or is there a configuration to make the puppet master not try to generate its own CA if there is a ca_server option specified? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/9BVZR8rIQ24J. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Aug 13, 2012 at 6:46 AM, Matt <mjblack@gmail.com> wrote:
> When it comes to puppet masters, is it required to copy the puppet/ssl/ca directory to each puppet master or is there a configuration to make the puppet master not try to generate its own CA if there is a ca_server option specified?

When running multiple puppet masters I recommend maintaining only one Puppet CA if possible. You can disable the CA on the masters and configure the agents to talk to the CA using the ca_port and ca_server options.

This is my recommendation, but there are lots of alternative architectures that may be a better fit for your scenario.

Hope this helps,
-Jeff
Right, that's what I am trying to do, but what is happening that I'm seeing is the masters are creating their own CA. The error I am seeing is this:

info: Creating a new SSL key for ca
debug: Using cached certificate for ca
Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 75:67:F9:A4:C0:BC:8E:4F:15:63:C4:12:48:4C:75:32
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.

When I copy the contents of the CA dir from the CA server over it works fine, but this creates a headache to copy the contents over. The agent on that specific master runs fine though and has no complaints.

On Monday, August 13, 2012 11:05:22 AM UTC-4, Jeff McCune wrote:
> When running multiple puppet masters I recommend maintaining only one Puppet CA if possible. You can disable the CA on the masters and configure the agents to talk to the CA using the ca_port and ca_server options.
On Monday, August 13, 2012, Matt wrote:
> Right, that's what I am trying to do, but what is happening that I'm seeing is the masters are creating their own CA. The error I am seeing is this.

You should get an SSL certificate for the master using puppet cert generate on the ca. Unfortunately you have to manually copy it into place. The CA shouldn't be generated if there is a server cert and the ca is disabled in the config file with ca = false.
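The layout Jeff describes (one CA; ca = false on every other master; agents pointed at ca_server/ca_port; the master's own cert minted with puppet cert generate on the CA and copied into place by hand) as an added shell example. This is not code from the thread or from Puppet itself. It audits a puppet.conf for the setting Matt was missing and checks that the copied files are present. The hostnames puppetca.example.com and puppet01.example.com, the ssldir /var/lib/puppet/ssl, the two sample puppet.conf files it writes into a temp directory, and the function names are all assumptions made for the demo.

```sh
#!/bin/sh
# Added example; not code from this thread or from Puppet itself.
# Audits a puppet.conf for the single-CA, multi-master layout discussed
# above: ca = false in [master] on every master except the CA, plus a
# ca_server (and ca_port) so the agent on that box enrols with the real
# CA instead of the local master. Assumes the INI-style puppet.conf with
# [main]/[master]/[agent] sections. Hostnames, paths and the sample conf
# files below are constructed for the demo.

# conf_get FILE SECTION KEY: print the value of KEY in [SECTION]; exit 1
# if it is not set there. Full-line '#' comments and blank lines are skipped.
conf_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[[:space:]]*\[/ {
      sec = $0
      sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
      next
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    sec == want_sec && index($0, "=") > 0 {
      key = $0
      sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]*/, "", key)
      if (key == want_key) {
        val = $0
        sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        print val; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# audit_caless_master FILE: return 0 when FILE configures a CA-less master;
# otherwise report each missing setting on stderr and return 1.
# A master without "ca = false" keeps Puppet's default and mints its own CA,
# which is exactly the symptom in the thread.
audit_caless_master() {
  f="$1"; rc=0
  ca=$(conf_get "$f" master ca || conf_get "$f" main ca) || true
  if [ "$ca" != "false" ]; then
    echo "$f: no 'ca = false' under [master]; this master will mint its own CA" >&2
    rc=1
  fi
  if ! conf_get "$f" agent ca_server >/dev/null && ! conf_get "$f" main ca_server >/dev/null; then
    echo "$f: ca_server unset; the local agent will enrol against this master, not the CA" >&2
    rc=1
  fi
  return $rc
}

# have_master_ssl_files SSLDIR FQDN: return 0 when the files a CA-less
# master needs from the CA are in place: the CA cert, and the cert/key
# pair minted on the CA with 'puppet cert generate FQDN' and copied over.
have_master_ssl_files() {
  ssldir="$1"; fqdn="$2"
  for p in "certs/ca.pem" "certs/$fqdn.pem" "private_keys/$fqdn.pem"; do
    if [ ! -s "$ssldir/$p" ]; then
      echo "missing $ssldir/$p" >&2
      return 1
    fi
  done
  return 0
}

# write_demo_confs DIR: constructed sample configs. bad.conf is the shape
# Matt started with (ca_server set, ca never disabled); good.conf adds ca = false.
write_demo_confs() {
  cat >"$1/bad.conf" <<'EOF'
[main]
    ssldir = /var/lib/puppet/ssl
    ca_server = puppetca.example.com
[master]
    certname = puppet01.example.com
[agent]
    server = puppet01.example.com
EOF
  cat >"$1/good.conf" <<'EOF'
[main]
    ssldir = /var/lib/puppet/ssl
    ca_server = puppetca.example.com
    ca_port = 8140
[master]
    certname = puppet01.example.com
    ca = false
[agent]
    server = puppet01.example.com
EOF
}

# Demo: audit both sample files.
demo=$(mktemp -d)
write_demo_confs "$demo"
for c in bad good; do
  if audit_caless_master "$demo/$c.conf"; then
    echo "$c.conf: configured as a CA-less master"
  fi
done
rm -rf "$demo"
```

The file check deliberately stops at the three files Jeff's answer implies (ca.pem plus the master's own cert and key). Whether a given Puppet version also wants the public key or a CRL copied alongside them is not something this thread settles, so treat that list as a floor, not the full inventory.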
Yup, that was the missing entry. I didn't have the ca setting disabled at all. Thanks!

On Monday, August 13, 2012 11:53:56 AM UTC-4, Jeff McCune wrote:
> You should get an SSL certificate for the master using puppet cert generate on the ca. Unfortunately you have to manually copy it into place. The CA shouldn't be generated if there is a server cert and the ca is disabled in the config file with ca = false.