On Fri, Nov 6, 2009 at 4:49 PM, Paul Lathrop <p...@tertiusfamily.net> wrote:
> Hi guys,
>
> Really could use some help with the way Puppet uses SSL. In my
> environment, I need to have 2 puppetmasters. One of them is
> responsible for passing out configurations to production machines, the
> second one is responsible for passing out configurations to
> development machines. When new systems are built, they have a default
> puppet.conf which points them at the production puppetmaster. They
> retrieve their config, which includes a puppet.conf that makes sure
> they are pointed at the appropriate puppetmaster. I have 3
> requirements in this setup.
>
> 1) I cannot be generating SSL certs by hand. Autosign is a must.
> 2) The development puppetmaster has to function as a client of the
> production puppetmaster.
> 3) Nodes which switch from the production puppetmaster to the
> development puppetmaster must continue functioning without SSL
> complaining.
>
> In 0.24.8 I did this, but it was basically opaque magic to me. I
> simply copied over /var/lib/puppet/ssl from the one puppetmaster to
> the other before starting any of the puppet daemons, and this worked
> out happily.
>
> Now, as I try to set up new 0.25.1 puppetmasters, this is no longer working.
>
> I copied the /var/lib/puppet/ssl/ca directory from my original 0.24.8
> puppetmaster, and all my 0.24.8 clients happily switched to the new
> 0.25.1 puppetmaster. That part was easy. However, nothing I can do
> will convince the second 0.25.1 puppetmaster to work as outlined in
> the requirements list above.
>
> I've consulted the IRC channel, and learned much about SSL, all to no avail.
>
> Happy to provide config files as needed to help me figure this out.
>
> --Paul
>
> P.S. I would love to buy support for this, but that decision isn't up
> to me at the moment.
I just wanted to follow up and let you guys know how I handled this (with help from Luke).

First, I set up the production puppetmaster. Once the production puppetmaster was running correctly and serving clients, I used

    puppetca --certdnsnames "<insert names here>" --generate

to generate the signed cert/key files for the development puppetmaster. These ended up under $ssldir for me, so I had to copy them out of there to the development puppetmaster.

On the development puppetmaster I started with a clean $ssldir with nothing in it except the CA cert and the signed cert/key files I generated above (in their proper subdirectories). I put

    ca = false

in puppet.conf, and started the development puppetmaster.

Finally, on clients, I set

    ca_server = <production_puppetmaster>

This works well for me.

--Paul
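The setup above depends on two things being true of the cert/key pair copied to the development puppetmaster: it must chain to the production CA that every client already trusts (otherwise the switch in requirement 3 fails with SSL errors), and its DNS names must include whatever name clients use to reach the development master (that is what --certdnsnames is for). The following is an added example, not code from Paul's message or from the Puppet project, that checks both before the development puppetmaster is started. It uses openssl to build a throwaway CA and a SAN-bearing server cert as constructed stand-ins for the production $ssldir/ca/ca_crt.pem and the files puppetca --generate produced; the hostnames, file names and the check_master_cert helper are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a puppetmaster that runs with ca = false and serves
# a cert issued by another master's CA: does the copied cert verify against
# that CA, and does it carry the DNS name clients will connect to?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the production CA cert ($ssldir/ca/ca_crt.pem).
# Hostnames are assumptions, not values from the original thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca_key.pem" -out "$WORK/ca_crt.pem" \
  -subj "/CN=Puppet CA: prod-puppet.example.test" >/dev/null 2>&1

# Constructed stand-in for the cert/key that
#   puppetca --certdnsnames "dev-puppet.example.test:puppet:dev-puppet" --generate
# would leave under $ssldir on the production master: a CSR for the dev
# master, signed by the production CA with the DNS names as SANs.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/dev_key.pem" -out "$WORK/dev.csr" \
  -subj "/CN=dev-puppet.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:dev-puppet.example.test,DNS:puppet,DNS:dev-puppet\n' \
  > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/dev.csr" \
  -CA "$WORK/ca_crt.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/dev_crt.pem" >/dev/null 2>&1

# An unrelated CA (e.g. the CA the dev master would have minted for itself
# had it been started with a populated $ssldir and ca = true). A cert that
# only chains here is exactly what makes switching clients complain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/other_key.pem" -out "$WORK/other_crt.pem" \
  -subj "/CN=Puppet CA: somewhere-else.example.test" >/dev/null 2>&1

# check_master_cert CA_CRT CERT DNSNAME
# Exit 0 only if CERT chains to CA_CRT and DNSNAME appears among its
# subjectAltName DNS entries; non-zero otherwise.
check_master_cert() {
  ca=$1; cert=$2; name=$3
  # 1) Chain check: clients trust only the CA in their own $ssldir/certs/ca.pem.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # 2) Name check: the SAN list must contain the name clients use in
  #    server = / ca_server =, matched as a whole entry (not a prefix).
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -Eq "DNS:${name}"'(,|$)' || return 1
}

# Stand-alone run: report on the constructed files.
for n in dev-puppet.example.test puppet dev-puppet prod-puppet.example.test; do
  if check_master_cert "$WORK/ca_crt.pem" "$WORK/dev_crt.pem" "$n"; then
    echo "ok:   $n is covered by the dev master cert and chains to the prod CA"
  else
    echo "FAIL: $n is not covered (or the cert does not chain to the prod CA)"
  fi
done
if check_master_cert "$WORK/other_crt.pem" "$WORK/dev_crt.pem" dev-puppet.example.test; then
  echo "FAIL: dev master cert unexpectedly verified against an unrelated CA"
else
  echo "ok:   dev master cert rejected against an unrelated CA, as expected"
fi
```

Against a real deployment the three arguments would be the client's copy of the production CA cert, the cert copied into the development master's $ssldir/certs, and each name that appears in a client's server = or ca_server = setting; the key file is not needed for the check, and the script never reads it.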