Hi

We have a development and a production puppetmaster instance and would like to choose which master a client connects to without having to worry/care too much about the certificates.

The easiest setup seems to be to have one puppet-CA, which is on the production puppetmaster server.

After experimenting and failing I found easy steps to follow here (http://www.mail-archive.com/puppet-users@googlegroups.com/msg07570.html):

1. Start the production puppet master as usual. This will be your CA.
2. In your development puppet master, set ca = false and ca_server = production.hostname in puppet.conf in the puppetmasterd section. Also set server = production.hostname in the puppetd section.
3. In your development puppet master, run puppetd first! This is needed to generate the certificates and request the CA to sign them. If you start puppetmasterd first it will fail.
4. Sign the development puppet master certificate on your production puppet master or set autosign.
5. Once the certificate is signed, re-run puppetd to verify.
6. Start the development puppet master.
7. In your development clients, set ca_server = production.hostname to have the production puppet master sign their certificates, since it's your only CA.

I got stuck with step 6: puppet recreated a self-signed CA certificate no matter what values, and in which section of puppet.conf ([main], [puppetmasterd], [puppetca]), I had the ca & ca_server values.

This is the output from the development puppetmaster:

.
..
...
info: Creating a new SSL key for ca
/etc/puppet/ssl/certs/ca.pem
debug: Using cached certificate for ca, good until Fri Mar 20 09:59:40 UTC 2015
/etc/puppet/ssl/certs/ca.pem
info: Expiring the certificate cache of ca
notice: Removing file Puppet::SSL::Certificate ca at '/etc/puppet/ssl/certs/ca.pem'
warning: Retrieved certificate does not match private key
info: Creating a new SSL certificate request for ca
notice: Signed certificate request for ca
notice: Rebuilding inventory file
..
.

And the development puppetmaster will always create an ssl/ca directory. To me this makes no sense, since the production puppetmaster is the CA. But maybe I'm missing something.

If I copy the pem files (ca_crl.pem, ca_key.pem, ca_crt.pem, ca_pub.pem) below ssl/ca/ from the production server to the development server after step 3, this setup works (probably because the private key now matches the ca/certs/ca.pem created in step 3).

What am I doing wrong / What settings am I missing / Where should the ca, ca_server settings go? Or is this a "recommended" way of doing it? I'd be happy to document this somewhere if this has not been done (I haven't found anything so far that led me through this kind of setup all the way).

This is our production server puppet.conf:

[produktion]
manifest = /etc/puppet/production/manifests/site.pp

[integration]
manifest = /etc/puppet/integration/manifests/site.pp

[test]
manifest = /etc/puppet/test/manifests/site.pp

[puppetmasterd]
masterport = 7000
server = puppetmaster.company.com
modulepath = /etc/puppet/modules
templatedir = /etc/puppet/templates
certname = puppetmaster.company.com
ca_port = 7000

Development server:

[produktion]
manifest = /etc/puppet/production/manifests/site.pp

[integration]
manifest = /etc/puppet/integration/manifests/site.pp

[test]
manifest = /etc/puppet/test/manifests/site.pp

[puppetmasterd]
masterport = 7000
modulepath = /etc/puppet/modules
templatedir = /etc/puppet/templates

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com

Client:

[main]
ca_server = puppetmaster.company.com
ca_port = 7000

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com
evaltrace = true

We are using puppet 0.25.4

Thank you for helping me.

Chris

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dan Bode
2010-Jun-25 15:08 UTC
Re: [Puppet Users] Struggling with 1 client & 2 puppetmasters
Hi Chris,

Check out: http://bodepd.com/wordpress/?p=7

This is my preferred way of setting up multiple puppetmasters with a shared CA. (It's a little better than the way described below since it allows you to add aliases to the second puppet master.)

On Fri, Jun 25, 2010 at 2:48 AM, Chris <sinloft@gmail.com> wrote:
> [...]
> Development server:
> [produktion]
> manifest = /etc/puppet/production/manifests/site.pp
>
> [integration]
> manifest = /etc/puppet/integration/manifests/site.pp
>
> [test]
> manifest = /etc/puppet/test/manifests/site.pp
>
> [puppetmasterd]
> masterport = 7000
> modulepath = /etc/puppet/modules
> templatedir = /etc/puppet/templates
>
# you seem to be missing the:
ca=false
> [puppetd]
> pluginsync = true
> factpath = $vardir/lib/facter
> masterport = 7000
> server = puppetmaster.company.com
> [...]
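A small check for the two points raised so far: Chris asks which section the ca / ca_server settings belong in, and Dan notes that the development master's [puppetmasterd] section has no ca = false. This is an added example, not code from the thread or from Puppet itself; the function names are hypothetical, the configuration and log text are constructed copies of what Chris posted, and the only Puppet behaviour it assumes is what the thread relies on: a process-specific section ([puppetmasterd], [puppetd]) overrides [main], ca = false stops a master from acting as its own CA, and ca_server (with ca_port) directs certificate requests to the shared CA rather than to server. It also picks out the log lines that, in the posted output, show the development master minting and signing a CA of its own.

```python
"""Lint puppet.conf files for a shared-CA setup and spot a master minting its own CA.

Added example for this thread, not Puppet's own code.  Function names are
hypothetical.  Assumed Puppet behaviour (as relied on in the thread): a
process section such as [puppetmasterd] or [puppetd] overrides [main];
`ca = false` stops a master from acting as a CA; `ca_server` (and `ca_port`)
send certificate requests to the shared CA instead of to `server`.
"""
import configparser

# Constructed copy of the development server's puppet.conf from the thread
# (no ca = false and no ca_server in [puppetmasterd]).
DEV_MASTER_CONF = """\
[produktion]
manifest = /etc/puppet/production/manifests/site.pp

[puppetmasterd]
masterport = 7000
modulepath = /etc/puppet/modules
templatedir = /etc/puppet/templates

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com
"""

# Constructed: the same file with the settings the thread says are missing.
DEV_MASTER_CONF_FIXED = DEV_MASTER_CONF.replace(
    "[puppetmasterd]\n",
    "[puppetmasterd]\nca = false\nca_server = puppetmaster.company.com\nca_port = 7000\n",
)

# Constructed copy of the client puppet.conf from the thread (ca_server in [main]).
CLIENT_CONF = """\
[main]
ca_server = puppetmaster.company.com
ca_port = 7000

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com
"""


def parse_puppet_conf(text):
    """puppet.conf is INI-like; disable interpolation so values like $vardir survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective(cp, process, key):
    """Resolve a setting for one process: its own section wins, then [main]."""
    for section in (process, "main"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def lint(text, process):
    """Return the problems that would stop `process` from using the shared CA."""
    cp = parse_puppet_conf(text)
    problems = []
    if process == "puppetmasterd":
        ca = effective(cp, process, "ca")
        if ca is None or ca.lower() != "false":
            problems.append("ca is not false for puppetmasterd: this master will "
                            "create ssl/ca and sign its own CA certificate")
    if effective(cp, process, "ca_server") is None:
        problems.append("ca_server not set for %s: certificate requests will "
                        "not go to the shared CA" % process)
    return problems


# Lines from the development master output in the thread that show the master
# generating and signing a CA of its own instead of using the production CA.
LOCAL_CA_MARKERS = (
    "Creating a new SSL key for ca",
    "Creating a new SSL certificate request for ca",
    "Signed certificate request for ca",
    "Retrieved certificate does not match private key",
)

# Constructed sample modelled on the posted output.
SAMPLE_LOG = """\
info: Creating a new SSL key for ca
debug: Using cached certificate for ca, good until Fri Mar 20 09:59:40 UTC 2015
warning: Retrieved certificate does not match private key
info: Creating a new SSL certificate request for ca
notice: Signed certificate request for ca
notice: Rebuilding inventory file
"""


def local_ca_evidence(log_text):
    """Pick out the log lines showing this master generated or signed its own CA."""
    return [line for line in log_text.splitlines()
            if any(marker in line for marker in LOCAL_CA_MARKERS)]


if __name__ == "__main__":
    for name, text, proc in (("dev master", DEV_MASTER_CONF, "puppetmasterd"),
                             ("dev master (fixed)", DEV_MASTER_CONF_FIXED, "puppetmasterd"),
                             ("client", CLIENT_CONF, "puppetd")):
        print(name, lint(text, proc) or "ok")
    print(local_ca_evidence(SAMPLE_LOG))
```

Run as-is it reports two problems for the posted development master config, none for the fixed copy and none for the client (whose ca_server sits in [main] and is inherited by puppetd), and lists the four log lines that point at a locally generated CA.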
Hi Dan

Thank you for your reply. I did experiment with having the ca = false parameter in the config file; it just didn't appear to have an effect. But maybe I missed that, since I have been trying all sorts of different configuration options. I'll check that when I'm back at the office on Monday.

Your blog post will certainly help me in verifying our setup.

Chris

On 25 Jun., 17:08, Dan Bode <d...@puppetlabs.com> wrote:
> Hi Chris,
>
> Check out:
>
> http://bodepd.com/wordpress/?p=7
>
> This is my preferred way of setting up multiple puppetmasters with a shared
> CA. (It's a little better than the way described below since it allows you to
> add aliases to the second puppet master.)
>
> On Fri, Jun 25, 2010 at 2:48 AM, Chris <sinl...@gmail.com> wrote:
> > [...]
> > [puppetmasterd]
> > masterport = 7000
> > modulepath = /etc/puppet/modules
> > templatedir = /etc/puppet/templates
>
> # you seem to be missing the:
> ca=false
>
> > [puppetd]
> > pluginsync = true
> > factpath = $vardir/lib/facter
> > masterport = 7000
> > server = puppetmaster.company.com
> > [...]
Alex Howells
2010-Jun-29 15:13 UTC
Re: [Puppet Users] Struggling with 1 client & 2 puppetmasters
Hi Dan

> http://bodepd.com/wordpress/?p=7
>
> This is my preferred way of setting up multiple puppetmasters with a shared
> CA. (It's a little better than the way described below since it allows you to
> add aliases to the second puppet master.)

How do you do that with high availability? Consider the following setup...

puppetca
puppetmaster1 puppetmaster2
client1 client2 client3 client4 client5

Having to have 'puppetca' online in order to add new puppetmaster boxes would be acceptable; even having it online to add new clients would be fine. However, the ability to actually operate without it should be possible -- does the setup outlined on your blog work in such a manner?

Many thanks for sharing in any case.
Dan Bode
2010-Jun-29 16:11 UTC
Re: [Puppet Users] Struggling with 1 client & 2 puppetmasters
On Tue, Jun 29, 2010 at 8:13 AM, Alex Howells <lists@howells.me> wrote:
> Hi Dan
>
> [...]
>
> How do you do that with high availability? Consider the following setup...
>
> puppetca
> puppetmaster1 puppetmaster2
> client1 client2 client3 client4 client5
>
> Having to have 'puppetca' online in order to add new puppetmaster
> boxes would be acceptable, even having it online to add new clients
> would be fine, however the ability to actually operate without it
> should be possible -- does the setup outlined on your blog work in
> such a manner?

It's not possible to operate without certificates. People have used an external CA to sign puppetca's certificate (although there were some problems with the revocation list on chained certificates on 0.25.5).

> Many thanks for sharing in any case.