Hi,

We have a development and a production puppetmaster instance and would like to choose which master a client connects to without having to worry/care too much about the certificates.

The easiest setup seems to be to have one puppet CA, which is on the production puppetmaster server. After experimenting and failing I found easy steps to follow here (http://www.mail-archive.com/puppet-users@googlegroups.com/msg07570.html):

1. Start the production puppet master as usual. This will be your CA.
2. In your development puppet master, set ca = false and ca_server = production.hostname in puppet.conf in the puppetmasterd section. Also set server = production.hostname in the puppetd section.
3. In your development puppet master, run puppetd first! This is needed to generate the certificates and request the CA to sign them. If you start puppetmasterd first it will fail.
4. Sign the development puppet master certificate on your production puppet master or set autosign.
5. Once the certificate is signed, re-run puppetd to verify.
6. Start the development puppet master.
7. In your development clients, set ca_server = production.hostname to have the production puppet master sign their certificates since it's your only CA.

I got stuck at step 6: puppet recreated a self-signed CA certificate no matter what values I had for ca & ca_server and in which section of puppet.conf ([main], [puppetmasterd], [puppetca]) I put them. This is the output from the development puppetmaster:

    . .. ...
    info: Creating a new SSL key for ca /etc/puppet/ssl/certs/ca.pem
    debug: Using cached certificate for ca, good until Fri Mar 20 09:59:40 UTC 2015 /etc/puppet/ssl/certs/ca.pem
    info: Expiring the certificate cache of ca
    notice: Removing file Puppet::SSL::Certificate ca at '/etc/puppet/ssl/certs/ca.pem'
    warning: Retrieved certificate does not match private key
    info: Creating a new SSL certificate request for ca
    notice: Signed certificate request for ca
    notice: Rebuilding inventory file
    .. .

And the development puppetmaster will always create an ssl/ca directory. To me this makes no sense, since the production puppetmaster is the CA. But maybe I'm missing something.

If I copy the pem files (ca_crl.pem, ca_key.pem, ca_crt.pem, ca_pub.pem) below ssl/ca/ from the production server to the development server after step 3, this setup works (probably because the private key now matches the ca/certs/ca.pem created in step 3).

What am I doing wrong? What settings am I missing? Where should the ca and ca_server settings go? Or is this a "recommended" way of doing it? I'd be happy to document this somewhere if this has not been done (I haven't found anything so far that led me through this kind of setup all the way).

This is our production server puppet.conf:

    [produktion]
    manifest = /etc/puppet/production/manifests/site.pp
    [integration]
    manifest = /etc/puppet/integration/manifests/site.pp
    [test]
    manifest = /etc/puppet/test/manifests/site.pp
    [puppetmasterd]
    masterport = 7000
    server = puppetmaster.company.com
    modulepath = /etc/puppet/modules
    templatedir = /etc/puppet/templates
    certname = puppetmaster.company.com
    ca_port = 7000

Development server:

    [produktion]
    manifest = /etc/puppet/production/manifests/site.pp
    [integration]
    manifest = /etc/puppet/integration/manifests/site.pp
    [test]
    manifest = /etc/puppet/test/manifests/site.pp
    [puppetmasterd]
    masterport = 7000
    modulepath = /etc/puppet/modules
    templatedir = /etc/puppet/templates
    [puppetd]
    pluginsync = true
    factpath = $vardir/lib/facter
    masterport = 7000
    server = puppetmaster.company.com

Client:

    [main]
    ca_server = puppetmaster.company.com
    ca_port = 7000
    [puppetd]
    pluginsync = true
    factpath = $vardir/lib/facter
    masterport = 7000
    server = puppetmaster.company.com
    evaltrace = true

We are using puppet 0.25.4.

Thank you for helping me.

Chris
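A check that belongs after step 5 of the procedure above, written as an added example that is not part of the original post or of Puppet itself: using only the openssl CLI it confirms that a master's certificate matches its private key and was actually signed by the production CA, which is the pair of conditions the "Retrieved certificate does not match private key" warning reports as broken. The CA name, host names and throwaway key material in make_fixture are constructed for the demo; on a real development master the arguments would be the files under /etc/puppet/ssl.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the symptom the post
# reports ("Retrieved certificate does not match private key"): does a Puppet
# certificate match its private key, and was it signed by the expected CA?
# Assumes only the openssl CLI; file names follow the post's ssl/ca layout.

# Returns 0 when the public key inside CERT ($1) equals the public key
# derived from KEY ($2). Compares SHA-256 digests of the PEM public keys.
key_matches_cert() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when CERT ($1) chains to CA_CERT ($2), i.e. that CA really signed it.
cert_signed_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture: a throwaway CA, one certificate it signed for a
# development master, and one stray key that belongs to nothing.
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Puppet CA puppetmaster.example.test" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=devmaster.example.test" \
    -keyout "$dir/dev_key.pem" -out "$dir/dev.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/dev.csr" -CA "$dir/ca_crt.pem" \
    -CAkey "$dir/ca_key.pem" -CAcreateserial -out "$dir/dev_crt.pem" >/dev/null 2>&1
  openssl genrsa -out "$dir/stray_key.pem" 2048 >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Stand-alone run (sh check.sh --demo): exercise both checks on the fixture.
# On a real dev master use /etc/puppet/ssl/certs/<certname>.pem,
# /etc/puppet/ssl/private_keys/<certname>.pem and the production ca_crt.pem.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_fixture)
  key_matches_cert "$d/dev_crt.pem" "$d/dev_key.pem"   && echo "dev cert/key: match"
  key_matches_cert "$d/dev_crt.pem" "$d/stray_key.pem" || echo "dev cert/stray key: mismatch"
  cert_signed_by_ca "$d/dev_crt.pem" "$d/ca_crt.pem"   && echo "dev cert signed by CA: yes"
  rm -rf "$d"
fi
```

If the first check fails on the dev master's own cert and key, the agent run in step 3 and the master start in step 6 have produced different key material, which is what the copied ca/ directory papers over.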