Which files will I need to transfer to the new puppet master?

/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/woof.hostname.com.pem

We had been planning for a central "master master" anyway and it already has a dns alias for "puppet". Once I solve the distribution problem, I'll take on keeping these boxes in sync.

* * *
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Thu, Dec 13, 2012 at 5:15 AM, Luke Bigum <luke.bi...@lmax.com> wrote:

> On Wednesday, December 12, 2012 10:35:21 PM UTC, Bret Wortman wrote:
>
>> Yeah, I was starting to think that was the solution.
>
> That's not strictly necessary, you can install a Puppet Master with Puppet
> just fine, the problem you're running into is how to manage the Puppet CA
> across multiple Masters. This is not an easy problem to solve. If you start
> a master for the first time it will initialise its own personal CA and
> certificate. This will conflict with the cert it got from the *other*
> master when it was installed and probably the cause of your connectivity
> problems. Also, your other agents won't be able to jump between masters
> because the CAs are different.
>
> I would break the problem into these tasks:
>
> - Decide on a centralised CA (a Puppet Master Master even) that you can
>   generate other Puppet Master certificates from and give that cert the
>   'puppet' alias if you use it at your sites (puppet ca generate
>   woof.hostname.com --dns-alt-names puppet)
> - Figure out how to get this Cert and the Master CA onto your new Puppet
>   Master instead of letting the Puppet Master. NFS? HTTPS download? Package?
> - Figure out how to share certificates between Puppet Masters so an Agent
>   can check in to different Puppet Masters. Centralised CA? Multi-way rsync?
>
> -Luke
>
>> --
>> Bret Wortman
>> http://bretwortman.com/
>> http://twitter.com/bretwortman
>>
>> On Wednesday, December 12, 2012 at 5:26 PM, Jakov Sosic wrote:
>>
>> On 12/12/2012 10:04 PM, Bret Wortman wrote:
>>
>> Is there an easy way to convert a puppet client into being a puppet
>> master?
>>
>> Here's the scenario. I'm using puppet to configure all my systems, and
>> would like it to be able to deploy a new puppet master as well. We have
>> systems worldwide so having local puppet masters is very desirable for
>> fault tolerance. So Kickstart (via cobbler) installs a puppet client
>> during the initial system installation, then puppet installs everything
>> else. And I've written a puppet-server module to attempt to deploy the
>> puppet-server package, but I end up getting into certificate problems
>> every time.
>>
>> The initial cert draws complaints, so I delete it and clean the
>> certificate from the master, but then the systems will not connect under
>> any circumstances:
>>
>> # puppet agent -t
>> Exiting: no certificate found and waitforcert is disabled
>>
>> There's no request on the master (either this or the other).
>>
>> Thoughts?
>>
>> You should deploy master through cobbler, or run masterless puppet to
>> set up the master.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/tQYBNKzPoQAJ.
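
Added example, not part of the thread: a shell check to run on the new master once the files are in place, testing for the CA conflict Luke describes and for the 'puppet' alias. It assumes the ssldir layout from the question and the openssl CLI; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths follow the question.

# True if CERT was issued by the CA in CA_PEM.
cert_chains_to_ca() {  # CA_PEM CERT_PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if both files hold the same certificate (SHA-256 fingerprint match).
same_cert() {  # PEM_A PEM_B
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# True if NAME is one of the certificate's subjectAltName DNS entries.
cert_has_dns_name() {  # CERT_PEM NAME
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# Run all three checks against a Puppet ssldir; returns 0 only if all pass.
check_master_certs() {  # SSLDIR CERTNAME DNS_ALIAS
    ssldir=$1; certname=$2; dnsname=$3; rc=0
    ca="$ssldir/certs/ca.pem"
    host="$ssldir/certs/$certname.pem"
    # Assumption: a master acting as CA keeps its CA cert in ca/ca_crt.pem.
    # If that differs from the CA the agent trusts, the master made its own CA.
    if [ -f "$ssldir/ca/ca_crt.pem" ] && ! same_cert "$ssldir/ca/ca_crt.pem" "$ca"; then
        echo "FAIL: ca/ca_crt.pem is not the CA in certs/ca.pem" >&2; rc=1
    fi
    cert_chains_to_ca "$ca" "$host" ||
        { echo "FAIL: $certname.pem was not issued by certs/ca.pem" >&2; rc=1; }
    cert_has_dns_name "$host" "$dnsname" ||
        { echo "FAIL: $certname.pem lacks DNS alt name '$dnsname'" >&2; rc=1; }
    return "$rc"
}

# Usage: sh check.sh /var/lib/puppet/ssl woof.hostname.com puppet
if [ "$#" -eq 3 ]; then
    check_master_certs "$@"
fi
```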