For posterity's sake I've resolved this. What looks to have happened
is the certs were signed and the puppet master used its host name,
rather than the VIP/Hostname pair that would fail between the nodes. I
had to recreate the ca, and certs. Then on the hosts had to clear out
all their certs and ca data and have them recreate. Things seem to
work from there fine.
On Feb 6, 11:20 am, Len <lrsm...@gmail.com> wrote:
> I am working on setting up a Puppet configuration where some of the
> data is stored on a DRBD volume. The modules and vardir are stored on
> the drbd volume. The puppet.conf files point to the drbd volume for
> vardir. I created a cert for a VIP puppet-master using the puppetca --
> create command
>
> I had everything working on the primary drbd node, but when I fail
> over, everything starts up fine, but I get a passenger error about
> certs from the client.
>
> Error message:
> Could not run: Retrieved certificate does not match private key;
> please remove certificate from server and regenerate it with the
> current key
>
> # SW Versions
>
> puppet 2.6, with Passenger and Apache Http
> CentOS 5.6
>
> # puppet.conf
>
> [main]
> # The Puppet log directory.
> # The default value is '$vardir/log'.
> logdir = /var/log/puppet
>
> # Where Puppet PID files are kept.
> # The default value is '$vardir/run'.
> rundir = /var/run/puppet
>
> # Where SSL certificates are kept.
> # The default value is '$confdir/ssl'.
> ssldir = /drbd01/puppet/var/lib/puppet/ssl
> vardir = /drbd01/puppet/var/lib/puppet
>
> modulepath=/drbd01/puppet/modules
>
> [agent]
> # The file in which puppetd stores a list of the classes
> # associated with the retrieved configuration. Can be loaded in
> # the separate ``puppet`` executable using the ``--loadclasses``
> # option.
> # The default value is '$confdir/classes.txt'.
> classfile = $vardir/classes.txt
>
> # Where puppetd caches the local configuration. An
> # extension indicating the cache format is added automatically.
> # The default value is '$confdir/localconfig'.
> localconfig = $vardir/localconfig
>
> [master]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> ## /etc/http/conf.d/puppetmasterd.conf
>
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
> <VirtualHost *:8140>
>
> ServerName puppetmaster.foo.bar
> LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
> PassengerRuby /usr/bin/ruby
>
> CustomLog "/var/log/httpd/puppet_access_log" common
> ErrorLog "/var/log/httpd/puppet_error_log"
>
> SSLEngine on
> SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
> SSLCertificateFile /drbd01/puppet/var/lib/puppet/ssl/certs/puppetmaster.foo.bar.pem
> SSLCertificateKeyFile /drbd01/puppet/var/lib/puppet/ssl/private_keys/puppetmaster.foo.bar.pem
> SSLCertificateChainFile /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
> SSLCACertificateFile /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
> # CRL checking should be enabled; if you have problems with Apache
> # complaining about the CRL, disable the next line
> # SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
> SSLVerifyClient optional
> SSLVerifyDepth 1
> SSLOptions +StdEnvVars
>
> # The following client headers allow the same configuration to
> # work with Pound.
> RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> RackAutoDetect On
> DocumentRoot /drbd01/puppet/rack/puppetmasterd/public/
> <Directory /drbd01/puppet/rack/puppetmasterd/>
> Options None
> Options -Multiviews
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
> </VirtualHost>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
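The two conditions behind the resolution above (the master's certificate must match the private key Apache loads, and it must be valid for the VIP name the agents connect to, not only the node's own host name) can be verified on the standby node before the VIP is moved. The script below is an added example, not Len's or the thread's own code: it assumes openssl 1.1.1 or newer on PATH and the ssldir layout quoted in the thread (certs/<name>.pem and private_keys/<name>.pem); the host names puppetmaster.foo.bar and puppet.foo.bar (standing in for the VIP name), the temporary directories and the keys it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not a script from the original poster:
# a pre-flight check of a puppet master's SSL material before failing over
# to the other DRBD node. Assumes openssl 1.1.1+ on PATH; every name and
# path below is constructed for the demo.
set -eu

# 0 if the public key embedded in cert $1 equals the public key of key $2.
# This is exactly the condition behind "Retrieved certificate does not
# match private key": the DER public key hashed from both must be the same.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 0 if cert $1 is valid for host name $2 (openssl checks SAN first, then CN).
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Pre-flight for one node. $1 = ssldir, $2 = the master's certname,
# $3 = the VIP name the agents use. Uses the thread's ssldir layout:
# certs/<name>.pem and private_keys/<name>.pem.
preflight() {
    cert="$1/certs/$2.pem"; key="$1/private_keys/$2.pem"
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $cert does not match $key" >&2; return 1
    fi
    if ! cert_names_host "$cert" "$3"; then
        echo "FAIL: $cert is not valid for the VIP name $3" >&2; return 1
    fi
    echo "OK: $2 matches its key and is valid for $3"
}

# Build two throwaway ssldirs under a temp dir. 'bad' reproduces the thread:
# the cert names only the node's own host name. 'good' also carries the VIP
# name in subjectAltName. Prints the temp dir so callers can find both.
demo_setup() {
    d=$(mktemp -d)
    for s in bad good; do mkdir -p "$d/$s/certs" "$d/$s/private_keys"; done
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/bad/private_keys/puppetmaster.foo.bar.pem" 2>/dev/null
    cp "$d/bad/private_keys/puppetmaster.foo.bar.pem" "$d/good/private_keys/"
    openssl req -x509 -new -days 1 -key "$d/bad/private_keys/puppetmaster.foo.bar.pem" \
        -subj "/CN=puppetmaster.foo.bar" \
        -out "$d/bad/certs/puppetmaster.foo.bar.pem" 2>/dev/null
    openssl req -x509 -new -days 1 -key "$d/good/private_keys/puppetmaster.foo.bar.pem" \
        -subj "/CN=puppetmaster.foo.bar" \
        -addext "subjectAltName=DNS:puppetmaster.foo.bar,DNS:puppet.foo.bar" \
        -out "$d/good/certs/puppetmaster.foo.bar.pem" 2>/dev/null
    # An unrelated key stands in for a key regenerated on the other node.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    echo "$d"
}

# Demo run: the 'bad' layout fails the VIP check, the 'good' one passes.
D=$(demo_setup)
preflight "$D/bad" puppetmaster.foo.bar puppet.foo.bar || true
preflight "$D/good" puppetmaster.foo.bar puppet.foo.bar
```

On a real pair of nodes the call would be `preflight /drbd01/puppet/var/lib/puppet/ssl puppetmaster.foo.bar <vip-name>` on the node about to take the VIP; the first check reproduces Apache's complaint from the thread without restarting anything, and the second catches a certificate issued to the node's host name alone before an agent connecting to the VIP does.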