On 27 September 2013 13:26, Ken Barber <k...@puppetlabs.com> wrote:

> > Lastly, the puppetdb-ssl-setup script still does not work when the PuppetDB
> > does not reside on the Puppetmaster.  The fix is pretty simple, and the
> > issue is in the bug tracker.  I created a question and answer on
> > ask.puppetlabs.com to try and help others that run into it:
> >
> > https://ask.puppetlabs.com/question/3333/puppetdbs-puppetdb-ssl-setup-script-does-not-work-when-the-puppetdb-is-not-on-the-puppetmaster/
>
> So the ticket for those reading along at home is here:
>
> http://projects.puppetlabs.com/issues/17523
>
> And I must admit it's controversial, but saying it 'doesn't work' isn't
> entirely true. More precisely there are situations where it doesn't
> work, and I want to hear what people have to add to this - as it's a
> really interesting topic that we probably need some community feedback
> on.
>
> Let me show you an example, with an empty puppet.conf ... the settings
> returned are identical:
>
> root@puppetdb1:~# puppet apply --configprint  hostcert
> /etc/puppet/ssl/certs/puppetdb1.vm.pem
> root@puppetdb1:~# puppet master --configprint  hostcert
> /etc/puppet/ssl/certs/puppetdb1.vm.pem
>
> But when you have overrides in relation to agent/master that create
> differences between the [master] and [agent] sections things go wrong.
> Try this one on for size:
>
> root@puppetdb1:~# cat /etc/puppet/puppet.conf
> [master]
> ssldir = /tmp
>
> [agent]
> ssldir = /tmp2
> root@puppetdb1:~# puppet master --configprint  hostcert
> /tmp/certs/puppetdb1.vm.pem
> root@puppetdb1:~# puppet agent --configprint  hostcert
> /tmp2/certs/puppetdb1.vm.pem
>
> So like I said ... this is actually fine for some people, and
> preferential, but for others it's not fine. The question is, what is
> the better default I think.
>
> So in my opinion I would have thought that agent was a better default
> over master as some people presume, but that changed some time ago in
> 0.9.2:
>
>
> https://github.com/puppetlabs/puppetdb/commit/de23912a73f6adadf36f26d438939d4c9e49a68b
>
> I suppose there are arguments for either direction, but I'm not as
> clear on the direction to move this to use the [master] section
> specifically. I can't help but feel it's a less common case. Erik -
> perhaps you can chime in on the thread and give us your reasoning for
> wanting this in the first place?
>
>
In our setup we have a "main" puppet infrastructure and a couple of child
infrastructures. Each puppet setup has its own CA. The puppetmasters in the
children are agents to the main puppet infrastructure, so they have a
separate ssldir for the master. With this change it just worked out of the
box if we co-hosted a puppetdb instance on them as it would use the ssldir
from the master.

-- 
Erik Dalén
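An added example, not part of the thread and not Puppet's or PuppetDB's own code: a small POSIX shell emulation of how a setting such as `hostcert` is resolved for a given run mode, fed the same puppet.conf Ken pasted above. It assumes the precedence order run-mode section ([master] or [agent]), then [main], then the built-in default, and it assumes the defaults `ssldir=/etc/puppet/ssl`, `certdir=$ssldir/certs` and `hostcert=$certdir/$certname.pem`, with the certname `puppetdb1.vm` taken from the quoted output. The `check_runmodes` function is the check a practitioner would want before pointing a consumer like puppetdb-ssl-setup at either section: it reports whether the master and agent run modes would hand out different certificate paths.

```shell
#!/bin/sh
# Added example (not from the thread): emulate Puppet's per-run-mode setting
# lookup so the master/agent divergence discussed above can be spotted
# without running puppet at all. Precedence assumed: [<runmode>], then [main],
# then the default. Defaults assumed: ssldir=/etc/puppet/ssl,
# certdir=$ssldir/certs, hostcert=$certdir/$certname.pem.

# Constructed sample: the puppet.conf shown in the quoted message.
SAMPLE_CONF='[master]
ssldir = /tmp

[agent]
ssldir = /tmp2
'

# conf_lookup <conf-text> <section> <key>: print the value, or nothing if the
# key is not set in that section.
conf_lookup() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ { gsub(/\[|\]|[[:space:]]/, ""); sect = $0; next }
        sect == want {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# resolve_setting <conf-text> <runmode> <key> <default>: apply the assumed
# precedence order and print the winning value.
resolve_setting() {
    v=$(conf_lookup "$1" "$2" "$3")
    [ -n "$v" ] || v=$(conf_lookup "$1" main "$3")
    [ -n "$v" ] || v="$4"
    printf '%s\n' "$v"
}

# hostcert_for <conf-text> <runmode> <certname>: the path hostcert resolves to,
# following the derived defaults ssldir -> certdir -> hostcert.
hostcert_for() {
    ssldir=$(resolve_setting "$1" "$2" ssldir /etc/puppet/ssl)
    certdir=$(resolve_setting "$1" "$2" certdir "$ssldir/certs")
    resolve_setting "$1" "$2" hostcert "$certdir/$3.pem"
}

# check_runmodes <conf-text> <certname>: exit 0 when master and agent agree on
# hostcert, 1 when they diverge (the situation the thread is about).
check_runmodes() {
    m=$(hostcert_for "$1" master "$2")
    a=$(hostcert_for "$1" agent "$2")
    if [ "$m" = "$a" ]; then
        echo "same hostcert for master and agent: $m"
        return 0
    fi
    echo "WARNING: hostcert differs by run mode: master=$m agent=$a"
    return 1
}

check_runmodes "$SAMPLE_CONF" puppetdb1.vm || :   # diverges -> status 1
check_runmodes "" puppetdb1.vm                    # empty conf -> identical
```

With the sample file the master run mode yields `/tmp/certs/puppetdb1.vm.pem` and the agent run mode `/tmp2/certs/puppetdb1.vm.pem`, matching the two `--configprint` runs in the quoted message; with an empty configuration both fall back to `/etc/puppet/ssl/certs/puppetdb1.vm.pem`. Whichever section a tool decides to read, a non-zero result from `check_runmodes` is the signal that the choice actually matters on that host.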
