Hi Chris,

Check out: http://bodepd.com/wordpress/?p=7

This is my preferred way of setting up multiple puppetmasters with a shared CA. (It's a little better than the way described below since it allows you to add aliases to the second puppet master.)

On Fri, Jun 25, 2010 at 2:48 AM, Chris <sinl...@gmail.com> wrote:
> Hi
>
> We have a development and a production puppetmaster instance and
> would like to choose to which master a client connects without having
> to worry/care too much about the certificates.
>
> The easiest setup seems to have one puppet-CA which is on the
> production puppetmaster server.
>
> After experimenting and failing I found easy steps to follow here
> (http://www.mail-archive.com/puppet-users@googlegroups.com/msg07570.html):
>
> 1. Start the production puppet master as usual. This will be your CA.
> 2. In your development puppet master, set ca = false and ca_server =
> production.hostname in puppet.conf in the puppetmasterd section. Also
> set server = production.hostname in the puppetd section.
> 3. In your development puppet master, run puppetd first! This is
> needed to generate the certificates and request the CA to sign them.
> If you start puppetmasterd first it will fail.
> 4. Sign the development puppet master certificate on your production
> puppet master or set autosign.
> 5. Once the certificate is signed, re-run puppetd to verify.
> 6. Start the development puppet master.
> 7. In your development clients, set ca_server = production.hostname to
> have the production puppet master sign their certificates since it's
> your only CA.
>
> I got stuck with step 6: puppet recreated a self-signed CA certificate
> no matter what values and in which section of puppet.conf ([main]
> [puppetmasterd] [puppetca]) I had the ca & ca_server values.
>
> This is the output from the development puppetmaster:
> .
> ..
> ...
> info: Creating a new SSL key for ca
> /etc/puppet/ssl/certs/ca.pem
> debug: Using cached certificate for ca, good until Fri Mar 20 09:59:40 UTC 2015
> /etc/puppet/ssl/certs/ca.pem
> info: Expiring the certificate cache of ca
> notice: Removing file Puppet::SSL::Certificate ca at '/etc/puppet/ssl/certs/ca.pem'
> warning: Retrieved certificate does not match private key
> info: Creating a new SSL certificate request for ca
> notice: Signed certificate request for ca
> notice: Rebuilding inventory file
>
> ..
> .
>
> And the development puppetmaster will always create an ssl/ca
> directory. To me this makes no sense, since the production
> puppetmaster is the CA. But maybe I'm missing something.
>
> If I copy the pem files (ca_crl.pem, ca_key.pem, ca_crt.pem,
> ca_pub.pem) below ssl/ca/ from the production server to the
> development server after step 3, this setup works (probably because
> the private key now matches the ca/certs/ca.pem created in step 3).
>
> What am I doing wrong / what settings am I missing / where should the
> ca, ca_server settings go? Or is this a "recommended" way of doing it?
> I'd be happy to document this somewhere if this has not been done (I
> haven't found anything so far that led me through this kind of setup
> all the way).
>
> This is our production server puppet.conf:
>
> [produktion]
> manifest = /etc/puppet/production/manifests/site.pp
>
> [integration]
> manifest = /etc/puppet/integration/manifests/site.pp
>
> [test]
> manifest = /etc/puppet/test/manifests/site.pp
>
> [puppetmasterd]
> masterport = 7000
> server = puppetmaster.company.com
> modulepath = /etc/puppet/modules
> templatedir = /etc/puppet/templates
> certname = puppetmaster.company.com
> ca_port = 7000
>
> Development server:
>
> [produktion]
> manifest = /etc/puppet/production/manifests/site.pp
>
> [integration]
> manifest = /etc/puppet/integration/manifests/site.pp
>
> [test]
> manifest = /etc/puppet/test/manifests/site.pp
>
> [puppetmasterd]
> masterport = 7000
> modulepath = /etc/puppet/modules
> templatedir = /etc/puppet/templates
>
> # you seem to be missing the: ca=false
>
> [puppetd]
> pluginsync = true
> factpath = $vardir/lib/facter
> masterport = 7000
> server = puppetmaster.company.com
>
> Client:
>
> [main]
> ca_server = puppetmaster.company.com
> ca_port = 7000
>
> [puppetd]
> pluginsync = true
> factpath = $vardir/lib/facter
> masterport = 7000
> server = puppetmaster.company.com
> evaltrace = true
>
> We are using puppet 0.25.4
>
> Thank you for helping me.
>
> Chris

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
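The step-2 check from the procedure quoted above, as an added example that is not from the thread or from Puppet itself: a small linter that reads a puppet.conf in the 0.25.x section layout and reports when a master that is not the CA lacks ca = false and ca_server, which is the state that made the development master build its own ssl/ca. The function names are mine, the [main] fallback mirrors how Puppet resolves settings, and the sample configs are constructed from the development-server config in the thread.

```python
# Added example (not from the thread): lint puppet.conf files for the
# shared-CA multi-master layout described in the quoted steps.
# Assumes Puppet 0.25.x section names ([main], [puppetmasterd], [puppetd]);
# function names are mine, sample configs are constructed from the thread.
from configparser import ConfigParser
from io import StringIO


def _parse(text):
    # interpolation=None so values such as $vardir/lib/facter are left alone
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_file(StringIO(text))
    return cp


def _setting(cp, sections, key):
    # Puppet falls back to [main] when the run-mode section lacks a setting
    for sec in sections:
        if cp.has_option(sec, key):
            return cp.get(sec, key).strip()
    return None


def check_master(text, ca_host):
    """Return the problems in a puppetmaster that must NOT act as a CA (step 2)."""
    cp = _parse(text)
    problems = []
    if (_setting(cp, ("puppetmasterd", "main"), "ca") or "").lower() != "false":
        problems.append("ca = false is missing: this master will create its own CA under ssl/ca/")
    if _setting(cp, ("puppetmasterd", "main"), "ca_server") != ca_host:
        problems.append("ca_server must name the CA master (%s)" % ca_host)
    if _setting(cp, ("puppetd", "main"), "server") != ca_host:
        problems.append("[puppetd] server must point at the CA master so step 3 gets the cert signed there")
    return problems


# Constructed from the development-server puppet.conf quoted in the thread
DEV_MASTER_BROKEN = """
[puppetmasterd]
masterport = 7000
modulepath = /etc/puppet/modules
templatedir = /etc/puppet/templates

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com
"""

# The same file with the two settings step 2 asks for
DEV_MASTER_FIXED = DEV_MASTER_BROKEN.replace(
    "[puppetmasterd]\n", "[puppetmasterd]\nca = false\nca_server = puppetmaster.company.com\n")

if __name__ == "__main__":
    for name, conf in (("broken", DEV_MASTER_BROKEN), ("fixed", DEV_MASTER_FIXED)):
        print(name, check_master(conf, "puppetmaster.company.com") or "ok")
```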