I am working on setting up a Puppet configuration where some of the data is stored on a DRBD volume. The modules and vardir are stored on the DRBD volume. The puppet.conf files point to the DRBD volume for vardir. I created a cert for a VIP puppet-master using the puppetca -- create command.
I had everything working on the primary DRBD node, but when I fail over, everything starts up fine, but I get a Passenger error about certs from the client.

Error message:

    Could not run: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

# SW Versions

    puppet 2.6, with Passenger and Apache Http
    CentOS 5.6

# puppet.conf

    [main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = /drbd01/puppet/var/lib/puppet/ssl
    vardir = /drbd01/puppet/var/lib/puppet
    modulepath=/drbd01/puppet/modules

    [agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    [master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

## /etc/http/conf.d/puppetmasterd.conf

    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    # PassengerMaxRequests 1000
    PassengerStatThrottleRate 120
    RackAutoDetect Off
    RailsAutoDetect Off

    Listen 8140

    <VirtualHost *:8140>
        ServerName puppetmaster.foo.bar
        LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
        PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
        PassengerRuby /usr/bin/ruby

        CustomLog "/var/log/httpd/puppet_access_log" common
        ErrorLog "/var/log/httpd/puppet_error_log"

        SSLEngine on
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLCertificateFile /drbd01/puppet/var/lib/puppet/ssl/certs/puppetmaster.foo.bar.pem
        SSLCertificateKeyFile /drbd01/puppet/var/lib/puppet/ssl/private_keys/puppetmaster.foo.bar.pem
        SSLCertificateChainFile /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /drbd01/puppet/var/lib/puppet/ssl/ca/ca_crt.pem
        # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
        # SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        # The following client headers allow the same configuration to work with Pound.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        RackAutoDetect On
        DocumentRoot /drbd01/puppet/rack/puppetmasterd/public/
        <Directory /drbd01/puppet/rack/puppetmasterd/>
            Options None
            Options -Multiviews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
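The error above reports a certificate that does not match a private key. As an added example (not part of the original post, and not Puppet's own code), the Ruby script below checks every certificate under an ssldir against the same-named file in private_keys, following the certs/ and private_keys/ layout visible in the Apache paths; it can be pointed at the ssldir on each node or on the client. It assumes a current Ruby with the bundled openssl library and RSA keys, and the node2.foo.bar name and all keys in the sample directory are constructed.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Return { certname => true/false } for every cert in <ssldir>/certs that has a
# same-named key in <ssldir>/private_keys. Certs without a local key (such as
# the cached CA cert) are skipped.
def cert_key_matches(ssldir)
  Dir.glob(File.join(ssldir, 'certs', '*.pem')).sort.each_with_object({}) do |cert_path, out|
    name = File.basename(cert_path, '.pem')
    key_path = File.join(ssldir, 'private_keys', "#{name}.pem")
    next unless File.exist?(key_path)
    cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
    key  = OpenSSL::PKey::RSA.new(File.read(key_path))
    out[name] = cert.check_private_key(key) # true only if the public halves agree
  end
end

# Constructed test data: a short-lived self-signed cert for `name` made with `key`.
def self_signed(name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample ssldir: one matching pair and one where the key on disk
# is not the key the certificate was issued for.
def build_sample_ssldir(root)
  %w[certs private_keys].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
  good = OpenSSL::PKey::RSA.new(2048)
  other = OpenSSL::PKey::RSA.new(2048)
  { 'puppetmaster.foo.bar' => [good, good], 'node2.foo.bar' => [good, other] }.each do |name, (cert_key, disk_key)|
    File.write(File.join(root, 'certs', "#{name}.pem"), self_signed(name, cert_key).to_pem)
    File.write(File.join(root, 'private_keys', "#{name}.pem"), disk_key.to_pem)
  end
  root
end

if __FILE__ == $PROGRAM_NAME
  dir = ARGV[0] || build_sample_ssldir(Dir.mktmpdir)
  cert_key_matches(dir).each { |n, ok| puts "#{ok ? 'MATCH   ' : 'MISMATCH'} #{n}" }
end
```

Run with an ssldir path as the first argument to check real files; with no argument it builds and checks the constructed sample.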