hi,
I'm trying to set up my puppetmaster infrastructure with multiple puppetservers behind load balancers in each of our datacenters. I'm using 0.24.6. I've read the howto on puppet scalability, and I think I've got the ssl config working correctly, but I'm noticing that when puppetd is used to build a puppetmaster, some of the files in $vardir/ssl conflict. From other posts on this list, I've gathered that it's NOT best practice to specify different ssl dirs for puppetd and puppetmaster. I actually tried that and noticed that "puppetca --clean" refused to look in the ssl dir that puppetmasterd was using... it was looking in /var/lib/puppet/ssl, which was puppetd's ssl dir. So, I'm back to using one ssldir for puppetd and puppetmasterd.

So, my problem is: I start my puppetd, it successfully talks to my existing puppet master, gets a cert, and starts applying the config. When it gets to the part where it runs puppetmasterd for the first time, $vardir/ssl/certs/ca.pem gets overwritten by the puppetmasterd initialization process. This prevents puppetd from working until I go back in and fix it. Is there a trick to get this working that I am missing? I've also noticed that puppetd and puppetmasterd both create host certificates with the same name, which is $vardir/ssl/certs/$fqdn.pem. However, the cert that puppetd makes does not have the subject alternative names for "puppet", etc. I got around this by specifying "certname = puppet" in my puppetmaster section of the config, so that it creates a file called puppet.pem instead. If anyone has any ideas what I might be doing wrong, please let me know. I've included my puppet.conf below.

thanks!
-drew

[main]
# Where Puppet stores dynamic and growing data.
# The default value is '/var/puppet'.
vardir = /var/lib/puppet

# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl

[puppetd]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
runinterval = 120
#factsync = true

# These settings are necessary to enable plugin support via modules
# Our custom facter facts rely on this
pluginsync=true
pluginsource = puppet://$server/plugins
plugindest = $vardir/lib
factpath = $vardir/lib/facter
factdest = $vardir/lib/facter

[puppetmasterd]
modulepath = /var/lib/puppet/modules
certname = puppet

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Hi,

Answering you really depends on how you set up your CA.. do you use a certificate chain?

In general, the puppetmaster process needs to run at least once to generate all files required in the ssl directory, but that should not conflict with the puppetd if you have the right certificate setup ;)

I use a certificate chain, which means that I add the public key of the "main" puppetmaster into /var/lib/puppet/ssl/certs/ca.pem. (see http://reductivelabs.com/trac/puppet/wiki/PuppetScalability - I've posted my setup under centralized setup).

I use puppet to manage quite a few puppet masters in different locations, I was able to publish most of my puppetmaster module, and you could find it at: http://github.com/ohadlevy/puppet-multipuppetmaster/tree/master

Cheers,
Ohad

On Thu, Dec 4, 2008 at 9:25 AM, Andrew <drew88@gmail.com> wrote:
ohad,
I'm using the cert chain exactly as described in http://reductivelabs.com/trac/puppet/wiki/PuppetScalability. The problem is, it seems both puppetd and puppetmasterd want to create /var/lib/puppet/ssl/certs/ca.pem. Adding the puppeteer's ca_crt.pem to ca.pem on a new client will allow that new client to hit any of the new puppetmasters, as I understand it, but I'm talking about building one of the new puppetmasters via puppetd which is talking to the puppeteer. Have I configured something wrong to make both puppetd and puppetmasterd want to use the same ca.pem file? Am I incorrect in assuming I can talk to the puppeteer as a puppetd client to build a puppetmaster? What about /var/lib/puppet/ssl/certs/$fqdn.pem? That file also appears to be created by whichever process runs first, and I don't see a way to get it to work for both puppetd and puppetmasterd.

thanks,
-drew

On Dec 3, 6:44 pm, "Ohad Levy" <ohadl...@gmail.com> wrote:
I'm a bit confused about how you use your certificate chain, I'll try to describe how I'm doing it, hopefully it will work for you:

As described in the link, we have 3 types of puppets:
A - puppeteer - the root certificate CA (only one server of this type)
B - Puppetmasters - the servers that actually provide the configuration to the clients (could be many, all of them are clients of A)
C - normal puppetd clients.

Creating A is like any other puppetmaster setup.
Creating B is like any normal client, but requires that the key used will be signed by the puppeteer in a special way (see the openssl script in the puppet-scalability page).
So basically - you create a normal client with puppetd - sign it normally using A and let puppetd run, then when puppetmaster is running, additional CA files should be created, but puppetd should still be able to run against A.

Afterwards, you run the special script (manually or automatically) while puppetmaster and apache are turned off!, this replaces the certificate used by the puppetmaster.

Afterwards, you can install normal clients, and the only thing is that you need to add the puppeteer certificate into the ssl/certs/ca.pem.

The only thing that doesn't work in this setup, and I hope to nail it sometime soon, is the certificate revocation.

Hope this helps,
Ohad

On Fri, Dec 5, 2008 at 11:48 PM, Andrew <drew88@gmail.com> wrote:
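A script to sanity-check the ssldir layout Ohad describes (an added example for this thread, not code from Puppet or from either poster): it checks that certs/ca.pem holds at least two certificates and still contains the puppeteer's root cert, that the master's server cert verifies against that bundle, and that the server cert carries the "puppet" subjectAltName Drew mentions. The ssldir path, the certname and the path to the puppeteer's certificate are assumed command-line arguments; the chain and SAN checks assume openssl is installed.

```shell
#!/bin/sh
# Sanity checks for a host that runs puppetd and puppetmasterd from one ssldir,
# laid out as in the PuppetScalability chain: certs/ca.pem must hold the local
# master's CA cert *and* the puppeteer root, the server cert must verify against
# that bundle, and it must carry DNS:puppet in its subjectAltName.
# Added example for this thread; not Puppet's own code. The layout below
# ($SSLDIR/certs/ca.pem, $SSLDIR/certs/$CERTNAME.pem) is assumed.

# Number of PEM certificate blocks in a file (0 if the file is missing).
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Base64 body of the first certificate block in a file, whitespace stripped.
pem_body() {
    awk '/^-----BEGIN CERTIFICATE-----/ { f = 1; next }
         /^-----END CERTIFICATE-----/   { exit }
         f' "$1" 2>/dev/null | tr -d ' \r\n'
}

# Succeeds if the certificate in $2 appears (as a whole block) in bundle $1.
# Used to confirm the puppeteer root was appended to ca.pem and not clobbered.
bundle_contains() {
    body=$(pem_body "$2")
    [ -n "$body" ] || return 1
    awk '/^-----BEGIN CERTIFICATE-----/ { f = 1; b = ""; next }
         /^-----END CERTIFICATE-----/   { f = 0; print b; next }
         f { gsub(/[ \r]/, ""); b = b $0 }' "$1" 2>/dev/null | grep -qxF -- "$body"
}

# Succeeds if certificate $2 chains to a CA in bundle $1 (needs openssl).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if certificate $1 lists DNS:$2 in its subjectAltName (needs openssl).
# The boundary after the name stops DNS:puppet matching DNS:puppet.example.com.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# Run all checks for one ssldir. Prints one line per check and returns the
# number of failed checks, so it can be run from cron or a manifest.
check_ssldir() {
    ssldir=$1 certname=$2 puppeteer=$3 fails=0
    ca="$ssldir/certs/ca.pem"
    cert="$ssldir/certs/$certname.pem"

    if [ "$(pem_cert_count "$ca")" -ge 2 ]; then
        echo "ok   $ca holds a chain ($(pem_cert_count "$ca") certs)"
    else
        echo "FAIL $ca has fewer than two certs: overwritten by puppetmasterd?"
        fails=$((fails + 1))
    fi
    if bundle_contains "$ca" "$puppeteer"; then
        echo "ok   puppeteer root is present in $ca"
    else
        echo "FAIL puppeteer root $puppeteer is missing from $ca"
        fails=$((fails + 1))
    fi
    if chain_verifies "$ca" "$cert"; then
        echo "ok   $cert verifies against $ca"
    else
        echo "FAIL $cert does not verify against $ca"
        fails=$((fails + 1))
    fi
    if has_san "$cert" puppet; then
        echo "ok   $cert carries DNS:puppet"
    else
        echo "FAIL $cert lacks DNS:puppet (made by puppetd instead of puppetmasterd?)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Usage: sh check_ssldir.sh /var/lib/puppet/ssl puppet /path/to/puppeteer_ca.pem
if [ $# -eq 3 ]; then
    check_ssldir "$1" "$2" "$3"
fi
```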
ohad,
The setup you describe is exactly what I am trying to do. The problem seems to arise when I'm building a puppetmaster (host B) and it generates its certificates. puppetd stores its ca.pem in the same place that puppetmasterd tries to create ca.pem when it starts up. This means the ca.pem file that puppetd created gets clobbered by the file that puppetmasterd creates.

I'm running puppetmasterd as a rails app via passenger, but I still have to run puppetmasterd by itself on the commandline in order to generate the SSL info... maybe that's my problem? I know my ca_crt.pem gets signed by the puppeteer and I can copy that into place, but I assumed there were other things in the ssldir that needed to be created, and that's why I am running the puppetmasterd command when I build the server, so that everything under the ssldir that puppetmasterd needs gets generated. For example, the server cert with the subject alt name "puppet" doesn't get generated until I run puppetmasterd as a standalone daemon the first time.

From what I can tell, the problems I'm having don't have anything to do with trying to run multiple puppetmasters simultaneously; it's a simple issue with running puppetd and puppetmasterd on the same host. From what I've read in the list archives, I'm certainly not the only one doing this, but I must have broken something at some point that is causing puppetd and puppetmasterd to conflict on some files they use (ca.pem and the client cert, $fqdn.pem).

I guess my questions boil down to:
1) When building a puppetmaster with puppetd, should I be running the puppetmasterd daemon to generate server ssl certs, etc?
2) Should the ca.pem file be the same for puppetd and puppetmasterd? puppetmasterd is clobbering this file on first run, which prevents subsequent puppetd actions from succeeding.
3) Should the client cert used by puppetd and the server cert used by apache/passenger be the same file? Unless I use the "certname=" option in my puppetmasterd section of the config, puppetmasterd and puppetd use the same cert. This would be fine, but I need to use the subject alt name "puppet" to talk to these servers, and puppetd does not create the cert with those extensions... only puppetmasterd does.

thanks for your help so far... I've probably broken something that is causing me to have these issues, I just need to track down what is causing the problem.
-drew

On Fri, Dec 5, 2008 at 6:37 PM, Ohad Levy <ohadlevy@gmail.com> wrote: