I'm getting errors when following this webpage to set up a second
puppetmaster (pm2) while using pm1 as the CA:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#centralize-the-certificate-authority
and I'm using option 1: Direct agent nodes to the CA Master

As far as I can tell, if I set ca_server to pm1 but change server to pm2,
everything should work.

ca_server = pm1.blah.com
server = pm2.blah.com

However, when I do that I get the following error:

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate
B: certificate verify failed: [self signed certificate in certificate chain
for /CN=Puppet CA: pm2.blah.com]

I should add that pm2 works properly on its own if I register my agent
with pm2. Also, pm2's SSL certificate was set up independently of pm1.

So what bit of configuration am I missing? Are my PMs supposed to have the
same SSL keys?

puppet 3.0.1
node command: puppet agent -t
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
RESOLVED

The multi-puppetmaster-single-CA documentation is complete but a bit
scattered. Here is the short list of what I needed to do for puppetmasters
running apache-passenger.

pm1 = CA

pm2 = non-CA puppetmaster
- needs to reference pm1 as the ca_server
- disable local ca in [master]
- get a cert signed by pm1
- set up passenger as non-CA
- restart httpd

Agents
- ca_server points to pm1

pm2: puppet.conf

[main]
ca_server = pm1
[master]
ca = false

pm2: /etc/httpd/conf.d/puppetmaster.conf

Follow the instructions on
http://docs.puppetlabs.com/guides/passenger.html
Including the part about non-CA
- I missed this part because we set up passenger months ago
- There's no cross-reference to it on the multi-puppetmaster page

Next follow:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#before-running-puppet-agent-or-puppet-master
These instructions apply to PM2, the non-CA puppetmaster

And finally, restart apache-passenger (service httpd restart)
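Added example, not part of the original posts: the error in the question names "Puppet CA: pm2.blah.com" because pm2's certificate was issued by its own CA, and the fix in the reply includes getting a cert signed by pm1. The script below builds two constructed throwaway CAs (hostnames taken from the thread; `chains_to`, `make_ca` and `issue` are hypothetical helper names) and uses `openssl verify` to show that only a pm2 certificate issued by pm1 chains to pm1's CA.

```shell
#!/bin/sh
# Added example. Constructed throwaway CAs stand in for pm1 (the CA master)
# and for the CA pm2 created when it was set up independently.
# chains_to, make_ca and issue are hypothetical helper names.

# chains_to CAFILE CERTFILE: true only if CERTFILE verifies against CAFILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_ca DIR HOST: self-signed CA named "Puppet CA: HOST" (as in the error).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: $2" \
        -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null
}

# issue DIR CAHOST HOST OUT: certificate for HOST signed by CAHOST's CA.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$4.csr" -days 1 \
        -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" -CAcreateserial \
        -out "$1/$4.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" pm1.blah.com && make_ca "$d" pm2.blah.com || return 1
    issue "$d" pm2.blah.com pm2.blah.com pm2-old  # before: signed by pm2's own CA
    issue "$d" pm1.blah.com pm2.blah.com pm2-new  # after: signed by pm1
    for c in pm2-old pm2-new; do
        if chains_to "$d/pm1.blah.com-ca.pem" "$d/$c.pem"; then
            echo "$c: verifies against pm1's CA"
        else
            echo "$c: REJECTED, not issued by pm1's CA"
        fi
    done
    rm -rf "$d"
}
demo
```

On a real setup, `chains_to` takes the CA certificate the agents trust and pm2's own certificate as its two arguments.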