Ohad, I'm using the cert chain exactly as described in http://reductivelabs.com/trac/puppet/wiki/PuppetScalability. The problem is, it seems both puppetd and puppetmasterd want to create /var/lib/puppet/ssl/certs/ca.pem. Adding the puppeteer's ca_crt.pem to ca.pem on a new client will allow that new client to hit any of the new puppetmasters, as I understand it, but I'm talking about building one of the new puppetmasters via puppetd which is talking to the puppeteer. Have I configured something wrong to make both puppetd and puppetmasterd want to use the same ca.pem file? Am I incorrect in assuming I can talk to the puppeteer as a puppetd client to build a puppetmaster? What about /var/lib/puppet/ssl/certs/$fqdn.pem? That file also appears to be created by whichever process runs first, and I don't see a way to get it to work for both puppetd and puppetmasterd.
thanks,
-drew

On Dec 3, 6:44 pm, "Ohad Levy" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Answering you really depends on how you set up your CA. Do you use a
> certificate chain?
>
> In general, the puppetmaster process needs to run at least once to generate
> all files required in the ssl directory, but that should not conflict with
> the puppetd if you have the right certificate setup ;)
>
> I use a certificate chain, which means that I add the public key of the
> "main" puppetmaster into /var/lib/puppet/ssl/certs/ca.pem.
> (see http://reductivelabs.com/trac/puppet/wiki/PuppetScalability - I've
> posted my setup under centralized setup).
>
> I use puppet to manage quite a few puppet masters in different locations. I
> was able to publish most of my puppetmaster module, and you can find it at:
> http://github.com/ohadlevy/puppet-multipuppetmaster/tree/master
>
> Cheers,
> Ohad
>
> On Thu, Dec 4, 2008 at 9:25 AM, Andrew <[EMAIL PROTECTED]> wrote:
> >
> > hi,
> > i'm trying to set up my puppetmaster infrastructure with multiple
> > puppetservers behind load balancers in each of our datacenters. i'm
> > using 0.24.6. i've read the howto on puppet scalability, and i think
> > i've got the ssl config working correctly, but i'm noticing that when
> > puppetd is used to build a puppetmaster, some of the files in $vardir/ssl
> > conflict. from other posts on this list, i've gathered that it's
> > NOT best practice to specify different ssl dirs for puppetd and
> > puppetmaster. i actually tried that and noticed that "puppetca --clean"
> > refused to look in the ssl dir that puppetmasterd was using...
> > it was looking in /var/lib/puppet/ssl which was puppetd's ssl dir.
> > so, i'm back to using one ssldir for puppetd and puppetmasterd.
> >
> > so, my problem is i start my puppetd, it successfully talks to my
> > existing puppet master, gets a cert, and starts applying the config.
> > when it gets to the part where it runs puppetmasterd for the first
> > time, $vardir/ssl/certs/ca.pem gets overwritten by the puppetmasterd
> > initialization process. this prevents puppetd from working until i go
> > back in and fix it. is there a trick to get this working that i am
> > missing? i've also noticed that puppetd and puppetmasterd both create
> > host certificates with the same name, which is $vardir/ssl/certs/$fqdn.pem.
> > however, the cert that puppetd makes does not have the
> > subject alternative names for "puppet", etc. i got around this by
> > specifying "certname = puppet" in my puppetmaster section of the
> > config, so that it creates a file called puppet.pem instead. if
> > anyone has any ideas what i might be doing wrong, please let me know.
> > i've included my puppet.conf below.
> >
> > thanks!
> > -drew
> >
> > [main]
> > # Where Puppet stores dynamic and growing data.
> > # The default value is '/var/puppet'.
> > vardir = /var/lib/puppet
> >
> > # The Puppet log directory.
> > # The default value is '$vardir/log'.
> > logdir = /var/log/puppet
> >
> > # Where Puppet PID files are kept.
> > # The default value is '$vardir/run'.
> > rundir = /var/run/puppet
> >
> > # Where SSL certificates are kept.
> > # The default value is '$confdir/ssl'.
> > ssldir = $vardir/ssl
> >
> > [puppetd]
> > # The file in which puppetd stores a list of the classes
> > # associated with the retrieved configuration. Can be loaded in
> > # the separate ``puppet`` executable using the ``--loadclasses``
> > # option.
> > # The default value is '$confdir/classes.txt'.
> > classfile = $vardir/classes.txt
> >
> > # Where puppetd caches the local configuration. An
> > # extension indicating the cache format is added automatically.
> > # The default value is '$confdir/localconfig'.
> > localconfig = $vardir/localconfig
> > runinterval = 120
> > #factsync = true
> >
> > # These settings are necessary to enable plugin support via modules
> > # Our custom facter facts rely on this
> > pluginsync=true
> > pluginsource = puppet://$server/plugins
> > plugindest = $vardir/lib
> > factpath = $vardir/lib/facter
> > factdest = $vardir/lib/facter
> >
> > [puppetmasterd]
> > modulepath = /var/lib/puppet/modules
> > certname = puppet
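The chained ca.pem and the SAN-bearing master cert that the thread revolves around, as an added example that is not part of the thread and not Puppet's own code. It reproduces with plain openssl what Ohad describes (a "main" puppeteer CA plus a site CA, the master's cert signed by the site CA, and a ca.pem made by appending the main CA's cert) and then shows the two checks a node in Drew's position needs: does puppet.pem chain to something in ca.pem, and does it carry DNS:puppet in its subjectAltName. It does not reproduce how puppetd or puppetmasterd 0.24.6 write those files. The names ca_main, ca_site, puppet, puppet01.example.com and the temporary directory standing in for $vardir/ssl are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet. Builds the
# cert-chain layout Ohad describes with openssl and checks it the way a
# node would: chain verification against ca.pem and SAN inspection.
# All file names and hostnames below are hypothetical.
set -eu

# Hypothetical stand-in for $vardir/ssl (/var/lib/puppet/ssl in the thread).
SSLDIR=$(mktemp -d)

# write_req_cnf PATH CN: explicit req config so the result does not depend
# on whatever the system openssl.cnf happens to contain.
write_req_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca PREFIX "CN": self-signed CA cert (PREFIX.pem) and key (PREFIX.key).
make_ca() {
  write_req_cnf "$SSLDIR/$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$SSLDIR/$1.cnf" \
    -keyout "$SSLDIR/$1.key" -out "$SSLDIR/$1.pem" 2>/dev/null
}

# make_master_cert CA_PREFIX CERTNAME FQDN: end-entity cert CERTNAME.pem
# signed by CA_PREFIX, with the "puppet" style SAN list the thread relies on
# (the certname, e.g. puppet, plus the host's fqdn).
make_master_cert() {
  write_req_cnf "$SSLDIR/$2.cnf" "$2"
  cat > "$SSLDIR/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:$3
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$SSLDIR/$2.cnf" \
    -keyout "$SSLDIR/$2.key" -out "$SSLDIR/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$SSLDIR/$2.csr" \
    -CA "$SSLDIR/$1.pem" -CAkey "$SSLDIR/$1.key" -CAcreateserial \
    -extfile "$SSLDIR/$2.ext" -out "$SSLDIR/$2.pem" 2>/dev/null
}

# build_ca_bundle: ca.pem holds every CA the node must trust, i.e. the main
# puppetmaster's CA cert appended to the local site CA, as in Ohad's setup.
build_ca_bundle() {
  cat "$SSLDIR/ca_main.pem" "$SSLDIR/ca_site.pem" > "$SSLDIR/ca.pem"
}

# verify_cert BUNDLE CERT: exit 0 if CERT.pem chains to a CA in BUNDLE.pem.
verify_cert() {
  openssl verify -CAfile "$SSLDIR/$1.pem" "$SSLDIR/$2.pem" >/dev/null 2>&1
}

# has_san CERT NAME: exit 0 if CERT.pem lists DNS:NAME in subjectAltName.
has_san() {
  openssl x509 -in "$SSLDIR/$1.pem" -noout -text 2>/dev/null \
    | grep -Eq 'DNS:'"$2"'(,|$)'
}

demo() {
  make_ca ca_main "puppeteer CA"
  make_ca ca_site "site CA"
  make_master_cert ca_site puppet puppet01.example.com
  build_ca_bundle
  verify_cert ca puppet      && echo "puppet.pem verifies against the combined ca.pem"
  verify_cert ca_main puppet || echo "puppet.pem does NOT verify against ca_main.pem alone"
  has_san puppet puppet      && echo "puppet.pem carries DNS:puppet"
}

demo
```

The second verify_cert call is the failure mode Drew hits: a ca.pem that holds only one of the two CAs rejects certs issued by the other, which is exactly what happens when puppetmasterd's initialisation overwrites the file instead of the main CA cert being appended to it.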
