I am working on setting up a Puppet configuration where some of the
data is stored on a DRBD volume. The modules and vardir are stored on
the DRBD volume, and the puppet.conf files point to the DRBD volume for
vardir. I created a cert for a VIP puppet-master using the
`puppetca --create` command.

I had everything working on the primary DRBD node, but when I fail
over, everything starts up fine, yet I get a Passenger error about
certs from the client.

Error message:

    Could not run: Retrieved certificate does not match private key;
    please remove certificate from server and regenerate it with the
    current key

# SW Versions

puppet 2.6, with Passenger and Apache Http
CentOS 5.6

# puppet.conf

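[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    # ssldir and vardir both live on the DRBD volume, so the keys and
    # certs under them are only visible on the node that currently has
    # /drbd01 mounted.  NOTE(review): if the master or the local agent
    # starts before the volume is mounted it would presumably find an
    # empty ssldir and create a fresh key there -- confirm the start
    # order on failover, given the "certificate does not match private
    # key" error.
    ssldir = /drbd01/puppet/var/lib/puppet/ssl
    vardir = /drbd01/puppet/var/lib/puppet

    # Module search path (also on the DRBD volume).
    modulepath = /drbd01/puppet/modules

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

[master]
    # NOTE(review): no certname is set, so the master's own certificate
    # name defaults to this node's fqdn rather than the VIP name
    # (puppetmaster.foo.bar) served by the Apache vhost -- confirm that
    # is intended on both DRBD nodes.
    # Apache (mod_ssl) verifies the agent certificate and exports the
    # result in these two environment variables; the master trusts them
    # as-is, so only the TLS-terminating Apache in front should be able
    # to reach this application.
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY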



## /etc/http/conf.d/puppetmasterd.conf

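PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off


Listen 8140
<VirtualHost *:8140>

    ServerName puppetmaster.foo.bar
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
    PassengerRuby /usr/bin/ruby

    CustomLog "/var/log/httpd/puppet_access_log" common
    ErrorLog  "/var/log/httpd/puppet_error_log"

    SSLEngine on
    # Do not offer SSLv2/SSLv3 or RC4 on this network-facing port: the
    # previous spec (SSLv2:-LOW:-EXPORT:RC4+RSA) selected SSLv2-era
    # suites plus RC4.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
    # Server cert, key and CA cert all come from the ssldir on the DRBD
    # volume and must be the same files puppet.conf points at.  After a
    # failover the "certificate does not match private key" error can
    # be checked directly: the modulus of the cert
    # (openssl x509 -noout -modulus -in <cert>) must equal that of the
    # key (openssl rsa -noout -modulus -in <key>).
    SSLCertificateFile      /drbd01/puppet/var/lib/puppet/ssl/certs/puppetmaster.foo.bar.pem
    SSLCertificateKeyFile   /drbd01/puppet/var/lib/puppet/ssl/private_keys/puppetmaster.foo.bar.pem
    SSLCertificateChainFile /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache
    # complaining about the CRL, disable the next line.
    # While it stays commented out, agent certificates revoked by the
    # CA are still accepted.  NOTE(review): the path below is the
    # default /var/lib/puppet ssldir, not the DRBD ssldir used above --
    # if re-enabled it presumably needs to point at
    # /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crl.pem.
#    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to
    # work with Pound.  "set" replaces any header of the same name the
    # client sent, so downstream sees only Apache's own verification
    # result; keep it "set" rather than "append" or "merge".
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /drbd01/puppet/rack/puppetmasterd/public/
    <Directory /drbd01/puppet/rack/puppetmasterd/>
        Options None
        Options -Multiviews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>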
