> I have a need to send reports from a puppet master B in datacenter B to
> puppetdb on master A in datacenter A. Both are using puppet open source
> 3.7.1 and puppetdb 2.2 (master A) or puppetdb-terminus (master B).
>
> I have done all steps here:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_master.html.
> However, this page says nothing about using SSL certs so that
> puppetdb-terminus on master B can connect to https port 8081 on master A. I
> get errors like this:
> Warning: Error 400 on SERVER: Could not retrieve facts for
> masterB.example.com: Failed to find facts from PuppetDB at
> masterA.example.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read
> server certificate B: certificate verify failed: [unable to get local issuer
> certificate for /CN=masterA.example.com]

This means that the sender's configured CA is different to the CA that
issued the destination masterA.example.com certificate on your PuppetDB
node.

On your master, you will have a particular CA configured to sign
certificates; however, PuppetDB, when installed, tries to use the local
puppet agent's CA on the node you installed it on (by running
puppetdb-ssl-setup, which just moves certificates into a place PuppetDB
can get to them).

What is your CA topology between the two datacentres? Are they meant to
be different?

> The separate page on setting up master-less puppet agents to send puppetdb
> reports touches on this:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html
>
> The most promising solution here looks like setting up an apache SSL proxy
> that redirects https 8081 to localhost:8080 mentioned here:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb.
> However, I know little about configuring apache this way, and an example
> config isn't provided. It even says
> "More detailed instructions for setting up this proxy will be added to this
> guide at a later date". The 2.3 instruction lacks this also. Any ideas?

I'm not sure you need a proxy per se; it depends on your exact needs.
Either way, you still end up having to deal with certificates.

ken.
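
Added example, not part of the original message: a shell reproduction of the CA mismatch described above, using two throwaway CAs in place of the two datacentres. The CA names (`ca-dc-a`, `ca-dc-b`), file layout and helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed demo: two unrelated CAs stand in for the two datacentres.
# CA names and file layout are assumptions made for this example.

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME CN: issue a certificate for CN signed by CA_NAME.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# issuer_of CERT: print the issuer DN recorded in CERT.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# trusts CA_FILE CERT: succeed only if CERT chains to a CA in CA_FILE.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error CA_FILE CERT: print OpenSSL's reason for rejecting CERT.
verify_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep 'depth lookup'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca-dc-a && make_ca "$d" ca-dc-b &&
        issue_cert "$d" ca-dc-a masterA.example.com || return 1
    cert="$d/masterA.example.com.pem"
    issuer_of "$cert"
    # Sender trusting only datacentre B's CA: the failure from the thread.
    trusts "$d/ca-dc-b.pem" "$cert" || verify_error "$d/ca-dc-b.pem" "$cert"
    # Sender trusting the CA that issued the certificate: verification passes.
    trusts "$d/ca-dc-a.pem" "$cert" && echo "ca-dc-a: OK"
    rm -rf "$d"
}

demo
```

Against real hosts, pass the sender's CA file and the PuppetDB node's certificate to `trusts` and `verify_error` to confirm whether the two sides share an issuer.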