On Sun, Oct 28, 2012 at 9:53 PM, ryan wallner <wallnerr...@gmail.com> wrote:

> Hi all,
>
> I am currently setting up a HA devops configuration using puppet. I want
> to be able to run a single puppet master as the CA and the rest act as
> peering puppet masters. I have each puppet master running on passenger and
> I am proxying the SSL requests to the CA server following:
>
> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
> http://docs.puppetlabs.com/guides/passenger.html
>
> as a reference.
>
> Watching the access.log on each master, when an agent requests a cert from
> a puppetmaster that is *not* the CA, I can see the request forwarded:
> (below)
>
> .4 is the agent
> .3 is the master proxying the request
> puppetca is the acting CA for all masters
>

> *Here is what logs in access.log for the puppetmaster that is NOT the
> CA.*
> ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET
> /production/certificate/agent-**hostname? HTTP/1.1" 200 2245 "-" "-"
>
> *Here is what logs in the master which IS the CA*
> puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400
> 588 "-" "-"
>

I notice you're running the CA on port 8140.  Are you running the CA
back-end using SSL?  If so, you probably shouldn't be.

If you use TCP load balancing, then all of your back end workers will
terminate the SSL connection.  If, however, your load balancer terminates
the SSL connection, then your back end workers need to deal with plaintext
HTTP.

I suspect the problem you're running into is that the service forwarding
the request to the CA is not using an SSL certificate.

Alternatively, you could try changing BalancerMember
http://puppetcamaster:8140 to BalancerMember
https://puppetcamaster:8140 and see if that helps.  (Note the https).

-Jeff
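
The two consistent setups described in the reply above, as an added Apache configuration sketch for the non-CA master's port-8140 vhost (not taken from the thread or from Puppet's documentation). The balancer name `puppet_ca`, the plaintext port 18141 and the `ProxyPassMatch` pattern are assumptions; `puppetcamaster:8140` is the back end named in the thread.

```apache
# Added example. Assumed names: balancer "puppet_ca", plaintext port 18141.
# Placed inside the non-CA master's SSL vhost, which terminates the agent's
# connection on 8140 and forwards certificate requests to the CA.

# Mismatch suggested in the reply: plain http:// sent to a port where the
# CA vhost expects SSL.
#   BalancerMember http://puppetcamaster:8140

# Option A: the proxy terminates SSL and the CA back end speaks plaintext.
# The CA then needs a separate non-SSL vhost (assumed here on 18141),
# reachable only from the other masters.
#<Proxy balancer://puppet_ca>
#    BalancerMember http://puppetcamaster:18141
#</Proxy>

# Option B: the CA keeps SSL on 8140, so the proxy must speak https to it.
# mod_proxy only opens SSL connections to a back end when SSLProxyEngine
# is enabled in this vhost.
SSLProxyEngine On
<Proxy balancer://puppet_ca>
    BalancerMember https://puppetcamaster:8140
</Proxy>

# Common to both options: send certificate traffic to the CA balancer.
# Assumed pattern; it matches paths shaped like the one in the quoted log,
# /production/certificate/<name>. With no backreference in the target,
# mod_proxy appends the original request path to the balancer URL.
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
ProxyPassReverse / balancer://puppet_ca/
```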
