Hi all,

I am currently setting up an HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
http://docs.puppetlabs.com/guides/passenger.html

as a reference.

Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is *not* the CA, I can see the request forwarded (below):

.4 is the agent
.3 is the master proxying the request
puppetca is the acting CA for all masters

*Here is what logs in access.log for the puppetmaster that is NOT the CA.*

    ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"

*Here is what logs in the master which IS the CA*

    puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

*Here is what I am receiving on the Agent's end.*

    warning: peer certificate won't be verified in this SSL session
    err: Could not request certificate: No content type in http response; cannot parse

Attached are the config files for the vhost for the masters, labeled CA and NONCA. Also attached are the config.ru for the rack app and httpd.conf where the proxy balancer is specified.

Any help is appreciated. I just started debugging but feedback is appreciated if anyone has ideas.

-r

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/dbVNeQUD-dIJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Sun, Oct 28, 2012 at 9:53 PM, ryan wallner <wallnerryan@gmail.com> wrote:
> Hi all,
>
> I am currently setting up an HA devops configuration using puppet. I want
> to be able to run a single puppet master as the CA and the rest act as
> peering puppet masters. I have each puppet master running on passenger and
> I am proxying the SSL requests to the CA server following:
>
> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
> http://docs.puppetlabs.com/guides/passenger.html
>
> as a reference.
>
> Watching the access.log on each master, when an agent requests a cert from
> a puppetmaster that is *not* the CA, I can see the request forwarded
> (below):
>
> .4 is the agent
> .3 is the master proxying the request
> puppetca is the acting CA for all masters
>
> *Here is what logs in access.log for the puppetmaster that is NOT the CA.*
> ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
>
> *Here is what logs in the master which IS the CA*
> puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

I notice you're running the CA on port 8140. Are you running the CA back-end using SSL? If so, you probably shouldn't be.

If you use TCP load balancing, then all of your back end workers will terminate the SSL connection. If, however, your load balancer terminates the SSL connection, then your back end workers need to deal with plaintext HTTP.

I suspect the problem you're running into is that the service forwarding the request to the CA is not using an SSL certificate.

Alternatively, you could try changing BalancerMember http://puppetcamaster:8140 to BalancerMember https://puppetcamaster:8140 and see if that helps. (Note the https.)

-Jeff
Jeff,

I wound up not having SSLProxyEngine On specified in my vhost. I made the additional change from http to https in the load balancer and this worked as well.

Though, now I am having trouble getting the actual certificate from the CA. I can see the agent send the REST call to GET /production/etc... but when it reaches the CA it is looking in /usr/share/puppet/rack/puppetmaster/production/certificate_requests. And I am receiving a file does not exist error in the logs. Which makes sense, but shouldn't this be looking in /var/lib/puppet (debian) or another directory?

Ultimately I want to set this up on SUSE 11 SP2, but wanted to get a feel for the config.

Thanks for your help,
Ryan

On Mon, Oct 29, 2012 at 12:15 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> I notice you're running the CA on port 8140. Are you running the CA
> back-end using SSL? If so, you probably shouldn't be.
>
> If you use TCP load balancing, then all of your back end workers will
> terminate the SSL connection. If, however, your load balancer terminates
> the SSL connection, then your back end workers need to deal with plaintext
> HTTP.
>
> I suspect the problem you're running into is that the service forwarding
> the request to the CA is not using an SSL certificate.
>
> Alternatively, you could try changing BalancerMember
> http://puppetcamaster:8140 to BalancerMember https://puppetcamaster:8140
> and see if that helps. (Note the https.)
>
> -Jeff

-- 
<R>
Ryan Wallner
845.475.8684
@RyanWallner
rweb.meteor.com
aucouranton.com
On Friday, November 2, 2012, ryan wallner wrote:
> Jeff,
>
> I wound up not having SSLProxyEngine On specified in my vhost. I made the
> additional change from http to https in the load balancer and this worked
> as well.
>
> Though, now I am having trouble getting the actual certificate from the
> CA. I can see the agent send the REST call to GET /production/etc... but
> when it reaches the CA it is looking in
> /usr/share/puppet/rack/puppetmaster/production/certificate_requests. And I
> am receiving a file does not exist error in the logs. Which makes sense,
> but shouldn't this be looking in /var/lib/puppet (debian) or another
> directory?

This sounds like the virtual host isn't configured to route the request to passenger and is instead serving up the response itself. I'd review the passenger configuration settings.

-Jeff
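As an added example (not one of the attachments from this thread, and not a verbatim copy of the Puppet Labs docs the thread links), here is one way a non-CA master's Passenger vhost can be written so that it carries the two settings the thread converged on for the first problem (SSLProxyEngine On and an https:// BalancerMember for the CA) and avoids the second one Jeff diagnosed (Apache serving the certificate paths itself from DocumentRoot instead of dispatching them to the Rack app). Hostnames, file paths and the balancer name are assumptions; the example assumes mod_ssl, mod_proxy, mod_proxy_balancer, mod_headers and Passenger are loaded. The same DocumentRoot/RackBaseURI rule applies to the CA master's own vhost.

```apache
# Added example: vhost for a NON-CA puppet master behind Passenger.
# Every hostname, path and the "puppetca" balancer name is assumed.
Listen 8140
<VirtualHost *:8140>
    ServerName ubuntu-pupmaster1.example.com

    # Agent-facing TLS: this master terminates the agent's SSL session
    # with its own master certificate, which the CA master signed.
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/ubuntu-pupmaster1.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/ubuntu-pupmaster1.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    # Hand the agent's client-certificate identity to the Rack app.
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # --- Certificate traffic is forwarded to the CA master -------------
    # The CA vhost in this thread listens with SSLEngine on, so the proxy
    # leg must itself speak TLS. Without SSLProxyEngine On, mod_proxy will
    # not open an https:// backend; with an http:// BalancerMember the CA's
    # SSL port receives plaintext and answers 400 Bad Request, consistent
    # with the "GET /" 400 entry in the CA's access.log above.
    SSLProxyEngine On
    # Verify the CA master's server certificate against the Puppet CA cert
    # instead of trusting whatever answers on port 8140.
    SSLProxyVerify require
    SSLProxyCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

    ProxyPassMatch ^/([^/]+/certificate.*)$ balancer://puppetca/$1

    # --- Everything else is dispatched locally by Passenger ------------
    # DocumentRoot must be the Rack app's public/ directory. Pointing it at
    # the app root makes Apache treat /production/certificate_requests as a
    # static file under that directory (the "file does not exist" error)
    # instead of handing the request to the puppet master Rack app.
    DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

# Balancer pool for the CA master. Note https://, not http:// (the change
# Jeff suggested); the port matches the CA vhost's Listen 8140.
<Proxy balancer://puppetca>
    BalancerMember https://puppetca.example.com:8140
</Proxy>
```

With this layout the only requests that leave the non-CA master are the ones matching `/<environment>/certificate*` (CSR submission, certificate and CRL fetches); catalogs, file serving and reports stay local. Checking the CA master's access.log after the change is the quickest confirmation: the forwarded request line should now read `GET /production/certificate/<agent> HTTP/1.1` with a 200 or 404 from the Rack app, not `GET /` with a 400.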