My two masters are each also their own CA to minimize traffic and firewall rules between them. Based on your responses, this difference in CAs appears to be the crux of the issue... which seems obvious now.
Given that masters A & B are their own CA, how can I send puppetdb reports over port 8081 https from B to A?

On Tuesday, April 28, 2015 at 7:30:00 AM UTC-5, Ken Barber wrote:
>
> > I have a need to send reports from a puppet master B in datacenter B to
> > puppetdb on master A in datacenter A. Both are using puppet open source
> > 3.7.1 and puppetdb 2.2 (master A) or puppetdb-terminus (master B).
> >
> > I have done all steps here:
> > https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_master.html.
> > However, this page says nothing about using SSL certs so that
> > puppetdb-terminus on master B can connect to https port 8081 on master A. I
> > get errors like this:
> > Warning: Error 400 on SERVER: Could not retrieve facts for masterB.example.com: Failed to find facts from PuppetDB at masterA.example.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=masterA.example.com]
>
> This means that the sender's configured CA is different to the CA that
> issued the destination masterA.example.com certificate on your
> PuppetDB node. On your master, you will have a particular CA
> configured to sign certificates, however PuppetDB when installed tries
> to use the local puppet agent's CA on that node you installed it on
> (by running puppetdb-ssl-setup, which just moves certificates into a
> place PuppetDB can get to them).
>
> What is your CA topology between the two datacentres? Are they meant
> to be different?
>
> > The separate page on setting up master-less puppet agents to send puppetdb
> > reports touches on this:
> > https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html
> >
> > The most promising solution here looks like setting up an apache SSL proxy
> > that redirects https 8081 to localhost:8080 mentioned here:
> > https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb.
> >
> > However, I know little about configuring apache this way, and an example
> > config isn't provided. It even says
> > "More detailed instructions for setting up this proxy will be added to this
> > guide at a later date". The 2.3 instruction lacks this also. Any ideas?
>
> I'm not sure you need a proxy per se, it depends on your exact needs.
> Either way, you still end up having to deal with certificates.
>
> ken.
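
The CA mismatch described in the quoted reply can be reproduced offline with `openssl`. This is an added example, not part of the original thread: the two throwaway CAs stand in for the CAs of masters A and B, and the helper names (`make_ca`, `issue_cert`, `trusts`, `verify_error`), subjects and file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for master A's and master B's
# own CAs. Names and paths are invented for this example.

make_ca() {      # make_ca <dir> <name>: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA $2" \
    -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null
}

issue_cert() {   # issue_cert <dir> <ca-name> <cn>: certificate for <cn> signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2-ca.pem" \
    -CAkey "$1/$2-ca.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

trusts() {       # trusts <ca-file> <cert>: exit 0 only if <cert> chains to <ca-file>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_error() { # verify_error <ca-file> <cert>: print the verification error line, if any
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -o 'error [0-9]* at .*'
}

demo() {
  dir=$(mktemp -d) || return 1
  make_ca "$dir" masterA && make_ca "$dir" masterB &&
    issue_cert "$dir" masterA masterA.example.com || return 1
  cert="$dir/masterA.example.com.pem"
  # Show who the certificate is for and which CA signed it.
  openssl x509 -in "$cert" -noout -subject -issuer
  # The sender's side of the failure: A's certificate checked against B's CA.
  trusts "$dir/masterB-ca.pem" "$cert" ||
    echo "against B's CA: $(verify_error "$dir/masterB-ca.pem" "$cert")"
  # The same certificate checked against the CA that actually issued it.
  trusts "$dir/masterA-ca.pem" "$cert" && echo "against A's CA: OK"
  rm -rf "$dir"
}

demo
```

The `-issuer` line is the quickest way to tell which CA a certificate presented on port 8081 was signed by, before comparing it with the CA file the sending side is configured to trust.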