I'm a bit confused about how you use your certificate chain. I'll try to describe how I'm doing it; hopefully it will work for you:
As described in the link, we have 3 types of puppets:

A - puppeteer - the root certificate CA (only one server of this type)
B - puppetmasters - the servers that actually provide the configuration to the clients (could be many, all of them are clients of A)
C - normal puppetd clients.

Creating A is like any other puppetmaster setup. Creating B is like any normal client, but requires that the key used will be signed by the puppeteer in a special way (see the openssl script in the puppet-scalability page). So basically - you create a normal client with puppetd - sign it normally using A and let puppetd run, then when puppetmaster is running, additional CA files should be created, but puppetd should still be able to run against A. Afterwards, you run the special script (manually or automatically) while puppetmaster and apache are turned off! This replaces the certificate used by the puppetmaster. Afterwards, you can install normal clients, and the only thing is that you need to add the puppeteer certificate into the ssl/certs/ca.pem.

The only thing that doesn't work in this setup, and I hope to nail it sometime soon, is the certificate revocation.

Hope this helps,
Ohad

On Fri, Dec 5, 2008 at 11:48 PM, Andrew <[EMAIL PROTECTED]> wrote:
>
> ohad,
> i'm using the cert chain exactly as described in
> http://reductivelabs.com/trac/puppet/wiki/PuppetScalability. the
> problem is, it seems both puppetd and puppetmasterd want to create
> /var/lib/puppet/ssl/certs/ca.pem. adding the puppeteer's ca_crt.pem to
> ca.pem on a new client will allow that new client to hit any of the
> new puppetmasters, as i understand it, but i'm talking about building
> one of the new puppetmasters via puppetd which is talking to the
> puppeteer. have i configured something wrong to make both puppetd and
> puppetmasterd want to use the same ca.pem file? am i incorrect in
> assuming i can talk to the puppeteer as a puppetd client to build a
> puppetmaster? what about /var/lib/puppet/ssl/certs/$fqdn.pem? that
> file also appears to be created by whichever process runs first, and i
> don't see a way to get it to work for both puppetd and puppetmasterd.
>
> thanks,
> -drew
>
> On Dec 3, 6:44 pm, "Ohad Levy" <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Answering you really depends on how you set up your CA.. do you use a
> > certificate chain?
> >
> > in general, the puppetmaster process needs to run at least once to generate
> > all files required in the ssl directory, but that should not conflict with
> > the puppetd if you have the right certificate setup ;)
> >
> > I use a certificate chain, which means that i add the public key of the
> > "main" puppetmaster into /var/lib/puppet/ssl/certs/ca.pem.
> > (see http://reductivelabs.com/trac/puppet/wiki/PuppetScalability - I've
> > posted my setup under centralized setup).
> >
> > I use puppet to manage quite a few puppet masters in different locations, i
> > was able to publish most of my puppetmaster module, and you could find it at:
> > http://github.com/ohadlevy/puppet-multipuppetmaster/tree/master
> >
> > Cheers,
> > Ohad
> >
> > On Thu, Dec 4, 2008 at 9:25 AM, Andrew <[EMAIL PROTECTED]> wrote:
> > > hi,
> > > i'm trying to set up my puppetmaster infrastructure with multiple
> > > puppetservers behind load balancers in each of our datacenters. i'm
> > > using 0.24.6. i've read the howto on puppet scalability, and i think
> > > i've got the ssl config working correctly, but i'm noticing that when
> > > puppetd is used to build a puppetmaster, some of the files in
> > > $vardir/ssl conflict. from other posts on this list, i've gathered that it's
> > > NOT best practice to specify different ssl dirs for puppetd and
> > > puppetmaster. i actually tried that and noticed that "puppetca --clean"
> > > refused to look in the ssl dir that puppetmasterd was using...
> > > it was looking in /var/lib/puppet/ssl which was puppetd's ssl dir.
> > > so, i'm back to using one ssldir for puppetd and puppetmasterd.
> > >
> > > so, my problem is i start my puppetd, it successfully talks to my
> > > existing puppet master, gets a cert, and starts applying the config.
> > > when it gets to the part where it runs puppetmasterd for the first
> > > time, $vardir/ssl/certs/ca.pem gets overwritten by the puppetmasterd
> > > initialization process. this prevents puppetd from working until i go
> > > back in and fix it. is there a trick to get this working that i am
> > > missing? i've also noticed that puppetd and puppetmasterd both create
> > > host certificates with the same name, which is
> > > $vardir/ssl/certs/$fqdn.pem. however, the cert that puppetd makes does not have the
> > > subject alternative names for "puppet", etc. i got around this by
> > > specifying "certname = puppet" in my puppetmaster section of the
> > > config, so that it creates a file called puppet.pem instead. if
> > > anyone has any ideas what i might be doing wrong, please let me know.
> > > i've included my puppet.conf below.
> > >
> > > thanks!
> > > -drew
> > >
> > > [main]
> > > # Where Puppet stores dynamic and growing data.
> > > # The default value is '/var/puppet'.
> > > vardir = /var/lib/puppet
> > >
> > > # The Puppet log directory.
> > > # The default value is '$vardir/log'.
> > > logdir = /var/log/puppet
> > >
> > > # Where Puppet PID files are kept.
> > > # The default value is '$vardir/run'.
> > > rundir = /var/run/puppet
> > >
> > > # Where SSL certificates are kept.
> > > # The default value is '$confdir/ssl'.
> > > ssldir = $vardir/ssl
> > >
> > > [puppetd]
> > > # The file in which puppetd stores a list of the classes
> > > # associated with the retrieved configuration. Can be loaded in
> > > # the separate ``puppet`` executable using the ``--loadclasses``
> > > # option.
> > > # The default value is '$confdir/classes.txt'.
> > > classfile = $vardir/classes.txt
> > >
> > > # Where puppetd caches the local configuration. An
> > > # extension indicating the cache format is added automatically.
> > > # The default value is '$confdir/localconfig'.
> > > localconfig = $vardir/localconfig
> > > runinterval = 120
> > > #factsync = true
> > >
> > > # These settings are necessary to enable plugin support via modules
> > > # Our custom facter facts rely on this
> > > pluginsync=true
> > > pluginsource = puppet://$server/plugins
> > > plugindest = $vardir/lib
> > > factpath = $vardir/lib/facter
> > > factdest = $vardir/lib/facter
> > >
> > > [puppetmasterd]
> > > modulepath = /var/lib/puppet/modules
> > > certname = puppet
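A check for the ca.pem overwrite Drew describes, as an added example that is not code from the thread, from Puppet, or from Ohad's module: it assumes ca.pem is a plain concatenation of PEM certificates (which is what appending the puppeteer's ca_crt.pem produces), identifies each certificate by the SHA-256 of its DER bytes, and uses constructed PEM blocks as stand-ins rather than real X.509 certificates.

```python
"""Verify that a Puppet ssl/certs/ca.pem bundle still carries every CA it must.

Added example (not from the thread or Puppet). Assumes ca.pem is a simple
concatenation of PEM certificates, so a cert is "present" when its DER
SHA-256 fingerprint (what `openssl x509 -fingerprint -sha256` prints) is
found among the blocks in the bundle.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _fp(body_b64):
    """SHA-256 over the DER bytes of one PEM body."""
    return hashlib.sha256(base64.b64decode("".join(body_b64.split()))).hexdigest()


def fingerprints(pem_text):
    """Set of SHA-256 fingerprints of every certificate in pem_text."""
    return {_fp(b) for b in PEM_BLOCK.findall(pem_text)}


def missing_cas(bundle_text, required):
    """Names in `required` (name -> single PEM cert) whose cert is absent."""
    present = fingerprints(bundle_text)
    return sorted(n for n, pem in required.items() if not fingerprints(pem) <= present)


def repair_bundle(bundle_text, required):
    """Append any missing CA certs; returns (new_text, appended_names). Idempotent."""
    out, appended = bundle_text, []
    for name in sorted(required):
        if fingerprints(required[name]) <= fingerprints(out):
            continue  # already there (or appended on an earlier iteration)
        out += ("" if not out or out.endswith("\n") else "\n") + required[name].strip() + "\n"
        appended.append(name)
    return out, appended


def constructed_pem(label):
    """Constructed stand-in PEM block: the payload is just bytes, NOT a real cert."""
    b64 = base64.b64encode(("constructed-" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


PUPPETEER_CA = constructed_pem("puppeteer-root-ca")        # stands in for ca_crt.pem
MASTER_CA = constructed_pem("this-puppetmaster-ca")        # CA puppetmasterd generates
REQUIRED = {"puppeteer": PUPPETEER_CA, "puppetmaster": MASTER_CA}
# What puppetmasterd's first run leaves behind: ca.pem holding only its own CA.
AFTER_OVERWRITE = MASTER_CA
```

Run `missing_cas(AFTER_OVERWRITE, REQUIRED)` from a cron job or a Puppet exec against the real ca.pem to catch the overwrite before puppetd's next run fails, and `repair_bundle` to put the puppeteer's cert back.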
