Hi Soham, I would suggest you start with a single server that contains both 
the CA and compile master functionality.

That way you can bootstrap it in a very simple way, using the instructions 
for the new intermediate CA setup in Puppet 6. Once that is working, it is 
much easier to move to a split-out service because you will have a 
functioning CA + Server which can sign the certificates for the other 
compile masters.

You should be able to serve catalogs from a single instance for several 
thousand agents, so don't scale out until you know you need it.

https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html

HTH
--eric0

On Wednesday, November 28, 2018 at 8:24:00 AM UTC-8, Soham Chakraborty 
wrote:
>
> Hi,
>
> Update:
>
> I have made the changes in webserver.conf of the compile master as 
> described in 
> https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 
> (step 3 in particular), but I still have the same problem :(
>
> On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty 
> wrote:
>>
>> Hi,
>>
>> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>>
>> 1) I want to have several Puppet servers act as compile masters. They 
>> will be load balanced and point to a DNS record in AWS. 
>>
>> 2) All the compile masters will share the same Puppet CA server. The CA 
>> server will be responsible for only signing certificates and nothing else.
>>
>> This should be reasonably easy to implement, but I am now getting odd SSL 
>> errors at every turn. I would like to know how I should go about creating a 
>> setup like this with open source Puppet. The steps that I am following now 
>> are something like this:
>>
>> 1) Provision the instance from a packer template. I am installing Puppet 
>> 5.5.6 from the packer template.
>> 2) Login to the server and install puppetserver. 
>> 3) Disable internal CA service from services.d/ca.cfg file.
>> 4) Edit puppet.conf to point the master to the DNS name of the load balancer. 
>> Don't change the ca server for now. Don't run any puppet agent either.
>> 5) Provision another instance from the same packer template. 
>> 6) Install puppetserver. 
>> 7) Edit its puppet.conf to point to the DNS name of the load balancer 
>> and also change the ca server to this server itself.
>> 8) Run puppet agent -t on the compile master created in step 1.
>> 9) Sign the cert in CA server. 
>>
>> Is this all there is? Do I need to make any config change in the 
>> webserver.conf of the Puppet compile master? If so, what would the required 
>> changes be? What files should be copied over from the CA server to the compile 
>> server?
>>
>> What files need to be copied over from the CA server to the compile server, 
>> and where should they be placed? 
>>
>> Right now in my CA server, I am getting this error: 
>>
>> # puppet agent -t
>> Warning: Setting autosign is deprecated.
>>    (location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Setting ca is deprecated.
>>    (location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify 
>> failed: [ok for /CN=puppetserver.org.com]
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: 
>> Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could 
>> not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 
>> errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Error: Could not retrieve catalog from remote server: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=error: 
>> certificate verify failed: [ok for /CN=puppetserver.org.com]
>> root@puppet-ca-server:~#
>>
>> And in Puppet compile master, I am getting:
>>
>> # puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> Warning: execution expired
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate 
>> additional resources using 'eval_generate': execution expired
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: 
>> Could not retrieve file metadata for puppet:///pluginfacts: execution 
>> expired
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate 
>> additional resources using 'eval_generate': execution expired
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could 
>> not retrieve file metadata for puppet:///plugins: execution expired
>> Error: Could not retrieve catalog from remote server: execution expired
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> root@puppetserver:~#
>>
>> The nodes are not yet in site.pp, but I would expect the errors to be 
>> different. 
>>
>> Thanks,
>>
>>
>>
