Hi,

Answering you really depends on how you set up your CA. Do you use a
certificate chain?

In general, the puppetmaster process needs to run at least once to generate
all files required in the ssl directory, but that should not conflict with
the puppetd if you have the right certificate setup ;)

I use a certificate chain, which means that I add the public key of the
"main" puppetmaster into /var/lib/puppet/ssl/certs/ca.pem.
(See http://reductivelabs.com/trac/puppet/wiki/PuppetScalability - I've
posted my setup under the centralized setup.)

I use puppet to manage quite a few puppet masters in different locations. I
was able to publish most of my puppetmaster module, and you can find it at:
http://github.com/ohadlevy/puppet-multipuppetmaster/tree/master

Cheers,
Ohad
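The failure described in this thread is that puppetmasterd's first run rewrites $vardir/ssl/certs/ca.pem, dropping the "main" CA that the chain setup above relies on. As an added example (not code from either post or from the multipuppetmaster module), here is a small check that fingerprints every certificate in ca.pem and reports whether the expected main CA is still present, so the overwrite can be detected before puppetd starts failing. Paths, the expected-fingerprint argument and the stand-in certificate bytes are assumptions constructed for the example; real files hold X.509 DER.

```python
# Added example: verify that a shared Puppet ssldir still carries the
# "main" puppetmaster CA in certs/ca.pem after puppetmasterd has initialised.
import base64
import hashlib
import os
import re
import tempfile

# Matches each certificate block in a PEM bundle (ca.pem may hold several).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate block found in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(text):
    """Fingerprints of all certificates in a PEM bundle, in file order."""
    return [fingerprint(der) for der in split_pem_bundle(text)]


def check_ssldir(ssldir, expected_ca_fps):
    """Compare ssldir/certs/ca.pem against the CA fingerprints that must be present.

    Returns (ok, missing): ok is True when every expected fingerprint is in the
    bundle; missing lists the ones that were not found (e.g. after an overwrite).
    """
    ca_path = os.path.join(ssldir, "certs", "ca.pem")
    with open(ca_path) as fh:
        present = set(bundle_fingerprints(fh.read()))
    missing = [fp for fp in expected_ca_fps if fp not in present]
    return (not missing, missing)


def make_pem(der):
    """Wrap DER bytes as one PEM certificate block (used to build test data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for the two CA certificates; not real X.509 data.
MAIN_CA_DER = b"constructed-main-puppetmaster-ca"
LOCAL_CA_DER = b"constructed-local-puppetmaster-ca"
MAIN_CA_FP = fingerprint(MAIN_CA_DER)


def demo():
    """Reproduce the thread's scenario in a temporary ssldir.

    First ca.pem holds the local CA plus the appended main CA (the chain setup),
    then it is overwritten with the local CA only, as puppetmasterd's
    initialisation does. Returns the check result before and after.
    """
    ssldir = tempfile.mkdtemp()
    os.makedirs(os.path.join(ssldir, "certs"))
    ca_path = os.path.join(ssldir, "certs", "ca.pem")
    with open(ca_path, "w") as fh:
        fh.write(make_pem(LOCAL_CA_DER) + make_pem(MAIN_CA_DER))
    before = check_ssldir(ssldir, [MAIN_CA_FP])
    with open(ca_path, "w") as fh:
        fh.write(make_pem(LOCAL_CA_DER))
    after = check_ssldir(ssldir, [MAIN_CA_FP])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after chain setup:", before)
    print("after puppetmasterd init:", after)
```

Run against a live host as `check_ssldir("/var/lib/puppet/ssl", [<main CA fingerprint>])` from a cron job or a pre-start hook; a non-empty `missing` list means ca.pem no longer carries the chain and puppetd will stop trusting the main master until the file is restored.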



On Thu, Dec 4, 2008 at 9:25 AM, Andrew <[EMAIL PROTECTED]> wrote:

>
> Hi,
> I'm trying to set up my puppetmaster infrastructure with multiple
> puppetservers behind load balancers in each of our datacenters. I'm
> using 0.24.6. I've read the howto on puppet scalability, and I think
> I've got the ssl config working correctly, but I'm noticing that when
> puppetd is used to build a puppetmaster, some of the files in $vardir/
> ssl conflict. From other posts on this list, I've gathered that it's
> NOT best practice to specify different ssl dirs for puppetd and
> puppetmaster. I actually tried that and noticed that "puppetca --
> clean" refused to look in the ssl dir that puppetmasterd was using...
> it was looking in /var/lib/puppet/ssl which was puppetd's ssl dir.
> So, I'm back to using one ssldir for puppetd and puppetmasterd.
>
> So, my problem is I start my puppetd, it successfully talks to my
> existing puppet master, gets a cert, and starts applying the config.
> When it gets to the part where it runs puppetmasterd for the first
> time, $vardir/ssl/certs/ca.pem gets overwritten by the puppetmasterd
> initialization process. This prevents puppetd from working until I go
> back in and fix it. Is there a trick to get this working that I am
> missing? I've also noticed that puppetd and puppetmasterd both create
> host certificates with the same name, which is $vardir/ssl/certs/
> $fqdn.pem. However, the cert that puppetd makes does not have the
> subject alternative names for "puppet", etc. I got around this by
> specifying "certname = puppet" in my puppetmaster section of the
> config, so that it creates a file called puppet.pem instead. If
> anyone has any ideas what I might be doing wrong, please let me know.
> I've included my puppet.conf below.
>
> Thanks!
> -drew
>
> [main]
>    # Where Puppet stores dynamic and growing data.
>    # The default value is '/var/puppet'.
>    vardir = /var/lib/puppet
>
>    # The Puppet log directory.
>    # The default value is '$vardir/log'.
>    logdir = /var/log/puppet
>
>    # Where Puppet PID files are kept.
>    # The default value is '$vardir/run'.
>    rundir = /var/run/puppet
>
>    # Where SSL certificates are kept.
>    # The default value is '$confdir/ssl'.
>    ssldir = $vardir/ssl
>
> [puppetd]
>    # The file in which puppetd stores a list of the classes
>    # associated with the retrieved configuration.  Can be loaded in
>    # the separate ``puppet`` executable using the ``--loadclasses``
>    # option.
>    # The default value is '$confdir/classes.txt'.
>    classfile = $vardir/classes.txt
>
>    # Where puppetd caches the local configuration.  An
>    # extension indicating the cache format is added automatically.
>    # The default value is '$confdir/localconfig'.
>    localconfig = $vardir/localconfig
>    runinterval = 120
>    #factsync = true
>
>    # These settings are necessary to enable plugin support via modules
>    # Our custom facter facts rely on this
>    pluginsync = true
>    pluginsource = puppet://$server/plugins
>    plugindest = $vardir/lib
>    factpath = $vardir/lib/facter
>    factdest = $vardir/lib/facter
>
> [puppetmasterd]
>    modulepath = /var/lib/puppet/modules
>    certname = puppet
>
>

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.