I have multiple masters (40+) that reside in remote locations, and I want to have them send Puppet inventory data to a central inventory with MySQL. Once the data is there I would like the Puppet Dashboard installation to use that data. I have not been able to get the remote masters to send their data back to the central server.

I keep getting an error:

err: Could not retrieve catalog from remote server: Error 400 on eth0: certificate verify failed. This is often because the time is out of sync on the server or client

On the remote inventory server node I am seeing an SSL error. Is SSL being used to authenticate the nodes in order to send the inventory data to the remote inventory server?

-Chris

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Puppet dev, can you help? I modified auth.conf and it did not seem to help.

On Tue, Jan 3, 2012 at 1:54 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
> I keep getting an error:
>
> err: Could not retrieve catalog from remote server: Error 400 on eth0:
> certificate verify failed. This is often because the time is out of sync
> on the server or client

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
On Tue, Jan 3, 2012 at 10:54 AM, Christopher Johnston <chjohnst@gmail.com> wrote:
> On the remote inventory server node I am seeing an SSL error, SSL is being
> used to authenticate the nodes in order to send the inventory data to the
> remote inventory server?

Is the inventory server certificate signed by the same CA as the remote masters?

puppet cert -p inventory_server_cert
...
Issuer: CN=Puppet CA ...

puppet master --configprint certname
puppet_master_cert
puppet cert -p puppet_master_cert
...
Issuer: CN=Puppet CA ...

The puppet_master_cert listed above should be in auth.conf as specified in this doc:
http://docs.puppetlabs.com/pe/1.2/upgrading.html

Specifically:

# Allow puppet master to save facts to the inventory:
path /facts
auth yes
method save
allow <puppet master's certname>

Thanks,

Nan
So in my auth.conf I have this currently (below), which I think is supposed to allow any traffic in from any master. I guess I could put those hostnames in for the puppet hosts with something like puppet*.company.com. Do I require SSL auth here? I am just sending inventory information to a designated node which is mostly being used for RO (informational) data, so security is not as critical.

If it is a requirement that I have a signed CA, that could be an issue, as I have two puppet masters in each datacenter that has its own shared CA across those two puppet masters only (certname = puppet). I don't have one signed CA that every master is using.

path /facts
auth any
method save
allow *

On Wed, Jan 4, 2012 at 12:36 PM, Nan Liu <nan@puppetlabs.com> wrote:
> Is the inventory server certificate sign by the same CA as the remote
> masters?
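The two auth.conf stanzas in this thread behave very differently for the /facts endpoint: the `auth any` / `allow *` stanza above lets a client with no certificate at all save facts, while the `auth yes` / `allow <certname>` stanza from Nan's reply admits only the named, certificate-authenticated master. The following added example (not code from the thread or from Puppet itself) models how auth.conf rules are evaluated, first fitting rule by path prefix, method and auth mode decides, and includes a small audit helper that reports paths writable without a certificate. It assumes plain prefix paths (no `~` regex paths) and uses shell-style globbing for `allow` patterns, which is a simplification of Puppet's own pattern handling; the certname `puppet` is the one mentioned in the thread.

```python
import fnmatch

# Constructed sample rules: the permissive stanza quoted in this thread and the
# authenticated stanza from the reply, with "puppet" as the master's certname.
PERMISSIVE_RULE = "path /facts\nauth any\nmethod save\nallow *\n"
STRICT_RULE = "path /facts\nauth yes\nmethod save\nallow puppet\n"

def parse_authconf(text):
    """Parse auth.conf stanzas into rule dicts (path, auth, methods, allow)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            rules.append({"path": value, "auth": "yes", "methods": set(), "allow": []})
        elif not rules:
            raise ValueError("directive before any path: " + line)
        elif key == "auth":
            rules[-1]["auth"] = value
        elif key == "method":
            rules[-1]["methods"].update(m.strip() for m in value.split(","))
        elif key == "allow":
            rules[-1]["allow"].extend(a.strip() for a in value.split(","))
    return rules

def allowed(rules, path, method, certname=None):
    """First rule whose path prefix, method and auth mode fit decides; none fits, deny.
    certname=None models an unauthenticated request (no client certificate)."""
    for r in rules:
        if not path.startswith(r["path"]):
            continue
        if r["methods"] and method not in r["methods"]:
            continue
        if (r["auth"] == "yes" and certname is None) or (r["auth"] == "no" and certname):
            continue
        # Shell-style globbing is a simplification of Puppet's allow patterns.
        return any(p == "*" or (certname is not None and fnmatch.fnmatch(certname, p))
                   for p in r["allow"])
    return False

def unauthenticated_writes(rules):
    """Audit helper: rule paths where a client with no certificate may save or destroy."""
    return sorted({r["path"] for r in rules
                   for m in ("save", "destroy") if allowed(rules, r["path"], m)})
```

Run `unauthenticated_writes(parse_authconf(open("/etc/puppet/auth.conf").read()))` against a real file to list the endpoints that accept unauthenticated writes; an empty list is what you want on an inventory server.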
On Wed, Jan 4, 2012 at 11:31 AM, Christopher Johnston <chjohnst@gmail.com> wrote:
> If it is a requirement that I have a signed CA, that could be an issue as I
> have two puppet masters in each datacenter that has its own shared CA across
> those two puppet masters only (certname = puppet). I don't have one signed
> CA that every master is using.

You don't need a signed CA, but rather the two servers' certs signed by the same CA, which is the reason for verifying that the issuers match. If your inventory server is also a puppet master, it might be easier to get that system working first before trying a remote puppet master.

Thanks,

Nan
My inventory server is a puppetmaster, but it is a master of itself and is only being used for inventory services. If I point new clients to it, it will work fine.

So think of my setup like this:

puppet1.company.com and puppet2.company.com are two dedicated servers in each datacenter that handle local client connectivity only. By using certname=puppet I can copy the same CA to puppet2.company.com and support failing over if the primary server goes down. This setup is mimicked in about 20 other sites.

The inventory server is a remote puppet master sitting in a backoffice datacenter that is set up with MySQL and Puppet Dashboard to receive reports and inventory services from all 40 of the masters.

So with this current arrangement, how would I go about making sure the inventory server has a cert that is signed by the 40 other CAs?

On Wed, Jan 4, 2012 at 2:55 PM, Nan Liu <nan@puppetlabs.com> wrote:
> You don't need a signed CA, but rather the two servers certs are
> signed by the same CA, which is the reason for verifying issuer match.
On Wed, Jan 4, 2012 at 12:12 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
> So with this current arrangement how would I go about making sure the
> inventory server has a cert that is signed by the 40 other CAs.

Certificate chain support is an outstanding bug, so at the moment one CA signs all puppet master + inventory server certs.

Nan
That could get ugly, so I would have to create one CA, sign it, then distribute it to all of my masters. Then also delete my certs on the clients and re-issue new ones.

Is my thinking correct here?

-Chris

On Wed, Jan 4, 2012 at 3:31 PM, Nan Liu <nan@puppetlabs.com> wrote:
> Certificate chain is an outstanding bug, so at the moment one CA sign
> all puppet master + inventory server cert.
The way I've done it in the past is that you have one Puppet instance dedicated to the initial Puppet run. It handles the CA plus farms out a puppet.conf which contains the local server info.

The main issue I found is that Puppet doesn't seem to change masters without a restart, even though it says that it has re-read the config file, so I got around it by doing a small Puppet run that only signs the cert and distributes the puppet.conf in the finish script of the OS install; then once the host rebooted it found its correct Puppet server and continued the upgrade from there.

It can mean the CA-owning Puppet master only ever gets used on the initial install, but maybe it can be used more with multiple environments - say build and production?

Greg

On Jan 5, 7:44 am, Christopher Johnston <chjoh...@gmail.com> wrote:
> That could get ugly, so I would have to create one CA, sign it then
> distribute it to all of my masters. Then also delete my certs on the
> clients and re-issue new ones.
>
> Is my thinking correct here?