Jeff, I wound up not having SSLProxyEngine On specified in my vhost. I made
the additional change from http to https in the load balancer and this
worked as well.

Though, now I am having trouble getting the actual certificate from the CA.
I can see the agent send the REST call to GET /production/etc... but when it
reaches the CA it is looking in
/usr/share/puppet/rack/puppetmaster/production/certificate_requests, and I
am receiving a "file does not exist" error in the logs. Which makes sense,
but shouldn't this be looking in /var/lib/puppet (Debian) or another
directory?

Ultimately I want to set this up on SUSE 11 SP2, but wanted to get a feel
for the config.

Thanks for your help,
Ryan

On Mon, Oct 29, 2012 at 12:15 PM, Jeff McCune <j...@puppetlabs.com> wrote:

> On Sun, Oct 28, 2012 at 9:53 PM, ryan wallner <wallnerr...@gmail.com> wrote:
>
>> Hi all,
>>
>> I am currently setting up a HA devops configuration using puppet. I want
>> to be able to run a single puppet master as the CA and the rest act as
>> peering puppet masters. I have each puppet master running on passenger and
>> I am proxying the SSL requests to the CA server following:
>>
>> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
>> http://docs.puppetlabs.com/guides/passenger.html
>>
>> as a reference.
>>
>> Watching the access.log on each master, when an agent requests a cert
>> from a puppetmaster that is *not* the CA, I can see the
>> request forwarded: (below)
>>
>> .4 is the agent
>> .3 is the master proxying the request
>> puppetca is the acting CA for all masters
>>
>> *Here is what logs in access.log for the puppetmaster that is NOT
>> the CA.*
>> ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400]
>> "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
>>
>> *Here is what logs in the master which IS the CA*
>> puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400
>> 588 "-" "-"
>
> I notice you're running the CA on port 8140. Are you running the CA
> back-end using SSL? If so, you probably shouldn't be.
>
> If you use TCP load balancing, then all of your back end workers will
> terminate the SSL connection. If, however, your load balancer terminates
> the SSL connection, then your back end workers need to deal with plaintext
> HTTP.
>
> I suspect the problem you're running into is that the service forwarding
> the request to the CA is not using a SSL certificate.
>
> Alternatively, you could try changing BalancerMember
> http://puppetcamaster:8140 to BalancerMember https://puppetcamaster:8140 and
> see if that helps. (Note the https).
>
> -Jeff
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

--
<R>
Ryan Wallner
845.475.8684
@RyanWallner
rweb.meteor.com
aucouranton.com
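The vhost fragment the thread is circling around, written out as an added example; it is not from the thread, the Puppet docs, or either poster. It assumes a non-CA master named puppetmaster1.example.com running the puppetmaster Rack app under Passenger on port 8140, a CA at puppetca.example.com, and certificate and key files under /var/lib/puppet/ssl (all of these hostnames and paths are placeholders). It uses the three pieces the thread identifies as necessary: SSLProxyEngine On, an https:// BalancerMember, and a ProxyPassMatch that captures the certificate* path and re-appends it, so the CA sees the full request path rather than the "GET /" 400 logged above. The SSLProxyVerify lines are an addition for verifying the CA's server certificate before forwarding; the header-forwarding block follows the layout of the Passenger guide linked in the thread.

```apache
# Added example (not from the thread or the Puppet docs): vhost for a
# non-CA Puppet master that forwards certificate traffic to the CA.
# Hostnames and file paths are placeholders; adjust to your layout.
Listen 8140
<VirtualHost *:8140>
    ServerName puppetmaster1.example.com

    # This master terminates the agent's TLS connection itself.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster1.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster1.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional": an agent that has no certificate yet must still be able
    # to reach the CA path to request one.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    # Hand the outcome of client-certificate verification to the Rack app
    # (and onward to the CA) as request headers, as the Passenger guide does.
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Forward certificate traffic to the CA over TLS. mod_proxy will not
    # open an https:// back-end connection unless SSLProxyEngine is On.
    SSLProxyEngine On
    # Verify the CA's own server certificate against the Puppet CA cert
    # rather than forwarding to whatever answers on that name and port.
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    <Proxy balancer://puppetca>
        BalancerMember https://puppetca.example.com:8140
    </Proxy>
    # Capture "<environment>/certificate..." and re-append it as $1, so the
    # CA receives GET /production/certificate/<name> and not GET /.
    ProxyPassMatch ^/([^/]+/certificate.*)$ balancer://puppetca/$1

    # Everything else is served by this master's own Rack application.
    # Passenger auto-detects the app when DocumentRoot is the "public"
    # directory beneath the directory that holds config.ru.
    DocumentRoot /usr/share/puppet/rack/puppetmaster/public
    RackAutoDetect On
    <Directory /usr/share/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
```

Two checks that follow from this layout. First, the CA vhost trusts the X-Client-Verify and X-Client-DN headers it receives from the forwarding master, so only the masters should be able to reach the CA's port 8140; an agent that could talk to it directly could present those headers itself. Second, if the CA's error log shows Apache looking for a file such as .../puppetmaster/production/certificate_requests under the Rack app's directory, the request was served from DocumentRoot as a static file instead of being handed to Passenger; the usual cause (an assumption, not something the thread confirms) is a DocumentRoot that points at the app directory rather than at its public subdirectory, so Passenger never detects the Rack app.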