ryan wallner
2012-Oct-26 20:06 UTC
[Puppet Users] multiple puppetmasters, 1 as the CA. Using passenger and mod_proxy
Hi all,

I am currently setting up an HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
http://docs.puppetlabs.com/guides/passenger.html

as a reference.

Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is *not* the CA, I can see the request forwarded (below):

.4 is the agent
.3 is the master proxying the request
puppetca is the acting CA for all masters

*Here is what logs in access.log for the puppetmaster that is NOT the CA.*
ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"

*Here is what logs in the master which IS the CA*
puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

*Here is what I am receiving on the Agent's end.*
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: No content type in http response; cannot parse

Attached are the config files for the vhost for the masters, labeled CA and NONCA. Also attached are the config.ru for the rack app and httpd.conf where the proxy balancer is specified.

Any help is appreciated. I just started debugging but feedback is appreciated if anyone has ideas.

-r

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/7ws4VMcUxE8J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
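The comparison described in the message above (matching a certificate request on the proxying master against what the CA received) can be scripted. This is an added example, not part of the original post; the function names, verdict labels and the 5-second matching window (which tolerates the clock difference visible in the two quoted lines) are assumptions, while the log lines and the proxying master's address are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Access-log layout used in the post: vhost:port, client, timestamp, request,
# status, size. The protocol is optional because the CA logged a bare "GET /".
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s"]+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) ')
CERT_PATH_RE = re.compile(r'^/[^/]+/certificate')  # /<environment>/certificate...

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def correlate(frontend_lines, ca_lines, proxy_ip, window=timedelta(seconds=5)):
    """For each certificate request seen by the proxying master, list the CA-side
    requests from proxy_ip within the window and say whether the path survived."""
    ca = [r for r in map(parse, ca_lines) if r and r["client"] == proxy_ip]
    findings = []
    for fe in filter(None, map(parse, frontend_lines)):
        if not CERT_PATH_RE.match(fe["path"]):
            continue  # not certificate traffic, so it should not reach the CA
        near = [r for r in ca if abs(r["ts"] - fe["ts"]) <= window]
        if not near:
            verdict = "not-forwarded"
        elif any(r["path"] == fe["path"] and r["status"] < 400 for r in near):
            verdict = "forwarded-intact"
        else:
            verdict = "forwarded-but-mismatched"
        findings.append((fe["path"], fe["status"],
                         [(r["path"], r["status"]) for r in near], verdict))
    return findings

# The two access.log lines quoted in the post.
FRONTEND_LOG = ['ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"']
CA_LOG = ['puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"']

if __name__ == "__main__":
    for finding in correlate(FRONTEND_LOG, CA_LOG, proxy_ip="192.168.192.3"):
        print(finding)
```

On the quoted lines this reports the certificate request as forwarded but mismatched: the CA saw `/` with status 400 instead of the `/production/certificate/...` path the agent asked for.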
Jason Wright
2012-Oct-26 20:44 UTC
Re: [Puppet Users] multiple puppetmasters, 1 as the CA. Using passenger and mod_proxy
We don't run that configuration on Corp Puppet servers; we change ca_server.

You may have better luck if you ask on puppet-users.

https://groups.google.com/forum/?fromgroups#!forum/puppet-users

Thanks,
Jason

--
"Life was better when sun4m mattered." -Thom
ryan wallner
2012-Oct-29 04:54 UTC
Re: [Puppet Users] multiple puppetmasters, 1 as the CA. Using passenger and mod_proxy
Thanks Jason. Didn't realize I didn't post it as a new thread. Have a good one.