Hello everyone. For security reasons, we decided to get 2 puppetdb servers up and running. There will be a setup with *master* and *slave*.

We thought of using our load balancer to perform this operation. So we need a *cname* with a valid self-generated certificate, i.e.: puppetdb.internet.net

Here's how I think I'm going to achieve it:

- I generated my puppetdb cert via the puppetca:

    $ sudo puppetserver ca generate --certname puppetdb.internet.net
    Successfully saved private key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
    Successfully saved public key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
    Successfully submitted certificate request for puppetdb.internet.net
    Error: Signed certificate puppetdb.internet.net could not be found on the CA
    Successfully signed certificate request for puppetdb.internet.net
    Successfully saved certificate for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem

Then I copied over the freshly self-signed cert from puppetca to puppetDB. I changed the */etc/puppetlabs/puppetdb/conf.d/jetty.ini* like this:

    ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
    ssl-cert = /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
    ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem

Restarting my puppetdb, I get an error about certification implementation. The error is not clear. Java errors.

At the end, my goal is to start puppetdb with the certificate *puppetdb.internet.net* loaded. Then the puppetmaster didn't complain about the puppetca certificate.

Does someone have any idea?

Thanks.
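A check that each TLS setting in jetty.ini points at a PEM file of the kind its name implies, run here over the three settings quoted in the post. This is an added example, not part of the original message or of PuppetDB; the `[jetty]` section header, the expected-type table and the sample PEM headers are assumptions constructed for the illustration.

```python
import configparser
import re

# Assumption of this example: ssl-key must be a private key and the two
# cert settings must be certificates, as their names imply.
EXPECTED = {"ssl-key": "PRIVATE KEY", "ssl-cert": "CERTIFICATE",
            "ssl-ca-cert": "CERTIFICATE"}
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def read_from_disk(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()

def lint_jetty_ini(ini_text, read_file=read_from_disk):
    """Return (setting, problem) pairs for TLS settings in a [jetty] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    for key, want in EXPECTED.items():
        path = cp.get("jetty", key, fallback=None)
        if path is None:
            findings.append((key, "not set"))
            continue
        try:
            match = PEM_HEADER.search(read_file(path))
        except OSError as exc:
            findings.append((key, f"cannot read {path}: {exc}"))
            continue
        got = match.group(1) if match else "no PEM block"
        # "RSA PRIVATE KEY" and "EC PRIVATE KEY" both count as private keys.
        if not got.endswith(want):
            findings.append((key, f"{path} holds {got}, expected {want}"))
    return findings

# Constructed sample: the settings from the post, with PEM headers of the kind
# each directory holds (no real key material).
SSL = "/etc/puppetlabs/puppet/ssl"
NAME = "puppetdb.internet.net.pem"
SAMPLE_INI = f"""[jetty]
ssl-key = {SSL}/private_keys/{NAME}
ssl-cert = {SSL}/public_keys/{NAME}
ssl-ca-cert = {SSL}/certs/{NAME}
"""
SAMPLE_FILES = {
    f"{SSL}/private_keys/{NAME}": "-----BEGIN RSA PRIVATE KEY-----\n",
    f"{SSL}/public_keys/{NAME}": "-----BEGIN PUBLIC KEY-----\n",
    f"{SSL}/certs/{NAME}": "-----BEGIN CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for setting, problem in lint_jetty_ini(SAMPLE_INI, SAMPLE_FILES.__getitem__):
        print(f"{setting}: {problem}")
```

A header check only confirms the file type; it does not show that the ssl-ca-cert file is the CA's certificate or that the key and certificate belong together.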