Hi, Update:
I have made the changes in webserver.conf of the compile master as described in https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 (step 3 in particular), but I still have the same problem :(

On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty wrote:
>
> Hi,
>
> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>
> 1) I want to have several Puppet servers act as compile masters. They will
> be load balanced and point to a DNS record in AWS.
>
> 2) All the compile masters will share the same Puppet CA server. The CA server
> will be responsible for only signing certificates and nothing else.
>
> This should be reasonably easy to implement but I am not getting odd SSL
> errors at every turn. I am looking to know how I should go about creating a
> setup like this with open source Puppet. The steps that I am following now
> are something like this:
>
> 1) Provision the instance from a packer template. I am installing Puppet
> 5.5.6 from the packer template.
> 2) Log in to the server and install puppetserver.
> 3) Disable internal CA service from services.d/ca.cfg file.
> 4) Edit puppet.conf to point master to the DNS name of the load balancer.
> Don't do any change of ca server for now. Don't run any puppet agent as
> well.
> 5) Provision another instance from the same packer template.
> 6) Install puppetserver.
> 7) Edit its puppet.conf to point to the DNS name of the load balancer and
> also change ca server to this server itself.
> 8) Run puppet agent -t on the compile master created in step 1.
> 9) Sign the cert in CA server.
>
> Is this all that there is? Do I need to do any config change in the
> webserver.conf of the Puppet compile master? If so, what would be required
> changes? What files should be copied over from the CA server to the compile
> server?
>
> What files need to be copied over from CA server to the compile server and
> where they should be placed?
>
> Right now in my CA server, I am getting this error:
>
> # puppet agent -t
> Warning: Setting autosign is deprecated.
> (location:
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
> Warning: Setting ca is deprecated.
> (location:
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify
> failed: [ok for /CN=puppetserver.org.com]
> Info: Retrieving pluginfacts
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate
> additional resources using 'eval_generate': SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate:
> Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect
> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
> puppetserver.org.com]
> Info: Retrieving plugin
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate
> additional resources using 'eval_generate': SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could
> not retrieve file metadata for puppet:///plugins: SSL_connect returned=1
> errno=0 state=error: certificate verify failed: [ok for /CN=
> puppetserver.org.com]
> Error: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
> puppetserver.org.com]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=error:
> certificate verify failed: [ok for /CN=puppetserver.org.com]
> root@puppet-ca-server:~#
>
> And in Puppet compile master, I am getting:
>
> # puppet agent -t
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: execution expired
> Info: Retrieving pluginfacts
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate
> additional resources using 'eval_generate': execution expired
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate:
> Could not retrieve file metadata for puppet:///pluginfacts: execution
> expired
> Info: Retrieving plugin
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate
> additional resources using 'eval_generate': execution expired
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could
> not retrieve file metadata for puppet:///plugins: execution expired
> Error: Could not retrieve catalog from remote server: execution expired
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> root@puppetserver:~#
>
> The nodes are not yet in site.pp but I would expect the errors to be
> different.
>
> Thanks,