Hi Dan

Thank you for your reply. I did experiment with having the ca = false
parameter in the config file; it just didn't appear to have an effect.
But maybe I missed that since I have been trying all sorts of
different configuration options. I'll check that when I'm back at the
office on Monday. Your blog post will certainly help me in verifying
our setup.

Chris

On 25 Jun., 17:08, Dan Bode <d...@puppetlabs.com> wrote:
> Hi Chris,
>
> Check out:
>
> http://bodepd.com/wordpress/?p=7
>
> this is my preferred way of setting up multiple puppetmasters with a shared
> CA. (It's a little better than the way described below since it allows you to
> add aliases to the second puppet master.)
>
>
>
> On Fri, Jun 25, 2010 at 2:48 AM, Chris <sinl...@gmail.com> wrote:
> > Hi
>
> > We have a development and a production puppetmaster instance and
> > would like to choose to which master a client connects without having
> > to worry/care too much about the certificates.
>
> > The easiest setup seems to have one puppet-CA which is on the
> > production puppetmaster server.
>
> > After experimenting and failing I found easy steps to follow here
> > (http://www.mail-archive.com/puppet-users@googlegroups.com/
> > msg07570.html):
>
> > 1. Start the production puppet master as usual. This will be your CA.
> > 2. In your development puppet master, set ca = false and ca_server =
> > production.hostname in puppet.conf in the puppetmasterd section. Also
> > set server = production.hostname in the puppetd section.
> > 3. In your development puppet master, run puppetd first! This is
> > needed to generate the certificates and request the CA to sign them.
> > If you start puppetmasterd first it will fail.
> > 4. Sign the development puppet master certificate on your production
> > puppet master or set autosign.
> > 5. Once the certificate is signed, re-run puppetd to verify.
> > 6. Start the development puppet master.
> > 7. In your development clients, set ca_server = production.hostname to
> > have the production puppet master sign their certificates since it's
> > your only CA.
>
> > I got stuck at step 6: puppet recreated a self-signed CA certificate
> > no matter what values and in which section of puppet.conf ([main],
> > [puppetmasterd], [puppetca]) I had the ca & ca_server values.
>
> > This is the output from the development puppetmaster:
> > .
> > ..
> > ...
> > info: Creating a new SSL key for ca
> > /etc/puppet/ssl/certs/ca.pem
> > debug: Using cached certificate for ca, good until Fri Mar 20 09:59:40
> > UTC 2015
> > /etc/puppet/ssl/certs/ca.pem
> > info: Expiring the certificate cache of ca
> > notice: Removing file Puppet::SSL::Certificate ca at '/etc/puppet/ssl/
> > certs/ca.pem'
> > warning: Retrieved certificate does not match private key
> > info: Creating a new SSL certificate request for ca
> > notice: Signed certificate request for ca
> > notice: Rebuilding inventory file
>
> > ..
> > .
> > And the development puppetmaster will always create a ssl/ca
> > directory. To me this makes no sense, since the production
> > puppetmaster is the CA. But maybe I'm missing something.
>
> > If I copy the pem files (ca_crl.pem, ca_key.pem, ca_crt.pem,
> > ca_pub.pem) below ssl/ca/ from the production server to the
> > development server after step 3, this setup works (probably because
> > the private key now matches the ca/certs/ca.pem created in step 3).
>
> > What am I doing wrong/What settings am I missing/Where should the
> > ca, ca_server settings go? Or is this a "recommended" way of doing it?
> > I'd be happy to document this somewhere if this has not been done (I
> > haven't found anything so far that led me through this kind of setup
> > all the way).
>
> > This is our production server puppet.conf
> > [produktion]
> >    manifest   = /etc/puppet/production/manifests/site.pp
>
> > [integration]
> >    manifest   = /etc/puppet/integration/manifests/site.pp
>
> > [test]
> >    manifest   = /etc/puppet/test/manifests/site.pp
>
> > [puppetmasterd]
> > masterport = 7000
> > server = puppetmaster.company.com
> > modulepath = /etc/puppet/modules
> > templatedir = /etc/puppet/templates
> > certname = puppetmaster.company.com
> > ca_port = 7000
>
> > Development server:
> > [produktion]
> >    manifest   = /etc/puppet/production/manifests/site.pp
>
> > [integration]
> >    manifest   = /etc/puppet/integration/manifests/site.pp
>
> > [test]
> >    manifest   = /etc/puppet/test/manifests/site.pp
>
> > [puppetmasterd]
> > masterport = 7000
> > modulepath = /etc/puppet/modules
> > templatedir = /etc/puppet/templates
>
> # you seem to be missing the:
>
> ca=false
>
> > [puppetd]
> > pluginsync = true
> > factpath = $vardir/lib/facter
> > masterport = 7000
> > server = puppetmaster.company.com
>
> > Client:
> > [main]
> > ca_server = puppetmaster.company.com
> > ca_port = 7000
>
> > [puppetd]
> > pluginsync = true
> > factpath = $vardir/lib/facter
> > masterport = 7000
> > server = puppetmaster.company.com
> > evaltrace = true
>
> > We are using puppet 0.25.4
>
> > Thank you for helping me.
>
> > Chris
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-us...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/puppet-users?hl=en.

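As an added example for the thread above (it is not code from Puppet or from either poster), the following Python script checks the puppet.conf settings the seven-step procedure relies on: the development master must run with ca = false and point ca_server (and its own [puppetd] server) at the production master, clients must name the production CA with ca_server/ca_port, and an ssldir listing that contains ssl/ca/ca_key.pem shows the master has minted its own CA, which is the symptom Chris reported. The hostname puppetmaster.company.com and port 7000 are taken from the posted configs; the sample configs are constructed, and the rule that a run-mode section such as [puppetmasterd] overrides [main] is assumed from 0.25 behaviour.

```python
"""Lint puppet.conf files for a single shared CA across several masters.

Added example for this thread, not Puppet's own code. Hostnames, ports
and the sample configs are constructed from the thread (assumptions).
"""
import configparser
from pathlib import PurePosixPath

# Assumed: the production master is the only CA and listens on port 7000.
CA_HOST = "puppetmaster.company.com"
CA_PORT = "7000"


def load_conf(text):
    """Parse puppet.conf (INI syntax); no '%' interpolation so $vardir survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def setting(cp, key, mode_section):
    """Resolve a setting as the 0.25 run modes do (assumption): the mode's own
    section, e.g. [puppetmasterd] or [puppetd], overrides [main]."""
    for section in (mode_section, "main"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def lint_secondary_master(cp):
    """Findings for a master that must NOT act as a CA (the development master)."""
    findings = []
    if (setting(cp, "ca", "puppetmasterd") or "true").lower() != "false":
        findings.append("ca = false missing: master will create ssl/ca and a self-signed CA")
    if setting(cp, "ca_server", "puppetmasterd") != CA_HOST:
        findings.append(f"ca_server must be {CA_HOST} so the master cert is signed by the real CA")
    if setting(cp, "server", "puppetd") != CA_HOST:
        findings.append(f"[puppetd] server must be {CA_HOST} for the bootstrap puppetd run")
    # ca_port defaults to masterport; it must reach the production master.
    port = setting(cp, "ca_port", "puppetmasterd") or setting(cp, "masterport", "puppetmasterd")
    if port != CA_PORT:
        findings.append(f"ca_port/masterport must be {CA_PORT}, the production master's port")
    return findings


def lint_client(cp):
    """Findings for an agent whose CSR must go to the production CA."""
    findings = []
    if setting(cp, "ca_server", "puppetd") != CA_HOST:
        findings.append(f"ca_server must be {CA_HOST}, the only CA")
    port = setting(cp, "ca_port", "puppetd") or setting(cp, "masterport", "puppetd") or "8140"
    if port != CA_PORT:
        findings.append(f"ca_port must be {CA_PORT}")
    return findings


def has_local_ca(ssl_paths):
    """True if an ssldir listing contains a locally minted CA key (ssl/ca/ca_key.pem)."""
    return any(PurePosixPath(p).parts[-2:] == ("ca", "ca_key.pem") for p in ssl_paths)


# Constructed samples: the development master as posted, a corrected one, and a client.
DEV_AS_POSTED = """
[puppetmasterd]
masterport = 7000

[puppetd]
pluginsync = true
factpath = $vardir/lib/facter
masterport = 7000
server = puppetmaster.company.com
"""

DEV_FIXED = """
[puppetmasterd]
masterport = 7000
ca = false
ca_server = puppetmaster.company.com

[puppetd]
masterport = 7000
server = puppetmaster.company.com
"""

CLIENT = """
[main]
ca_server = puppetmaster.company.com
ca_port = 7000

[puppetd]
masterport = 7000
server = puppetmaster.company.com
"""

if __name__ == "__main__":
    for name, conf, lint in (("dev master as posted", DEV_AS_POSTED, lint_secondary_master),
                             ("dev master fixed", DEV_FIXED, lint_secondary_master),
                             ("client", CLIENT, lint_client)):
        print(name, "->", lint(load_conf(conf)) or ["OK"])
    print("local CA present:", has_local_ca(["/etc/puppet/ssl/ca/ca_key.pem"]))
```

Run it against the real files with `load_conf(open("/etc/puppet/puppet.conf").read())` and pass `has_local_ca` the output of `find /etc/puppet/ssl`; a second master that still shows ssl/ca/ca_key.pem after the fix has already signed itself and needs its ssldir cleared before the bootstrap puppetd run is repeated.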