> I have a need to send reports from a puppet master B in datacenter B to
> puppetdb on master A in datacenter A. Both are using puppet open source
> 3.7.1 and puppetdb 2.2 (master A) or puppetdb-terminus (master B).
>
> I have done all steps here:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_master.html.
> However, this page says nothing about using SSL certs so that
> puppetdb-terminus on master B can connect to https port 8081 on master A. I
> get errors like this:
> Warning: Error 400 on SERVER: Could not retrieve facts for
> masterB.example.com: Failed to find facts from PuppetDB at
> masterA.example.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read
> server certificate B: certificate verify failed: [unable to get local issuer
> certificate for /CN=masterA.example.com]

This means that the sender's configured CA is different to the CA that issued the destination masterA.example.com certificate on your PuppetDB node. On your master, you will have a particular CA configured to sign certificates, however PuppetDB when installed tries to use the local puppet agent's CA on that node you installed it on (by running puppetdb-ssl-setup, which just moves certificates into a place PuppetDB can get to them).

What is your CA topology between the two datacentres? Are they meant to be different?

> The separate page on setting up master-less puppet agents to send puppetdb
> reports touches on this:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html
>
> The most promising solution here looks like setting up an apache SSL proxy
> that redirects https 8081 to localhost:8080 mentioned here:
> https://docs.puppetlabs.com/puppetdb/2.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb.
> However, I know little about configuring apache this way, and an example
> config isn't provided. It even says
> "More detailed instructions for setting up this proxy will be added to this
> guide at a later date". The 2.3 instruction lacks this also. Any ideas?

I'm not sure you need a proxy per se, it depends on your exact needs. Either way, you still end up having to deal with certificates.

ken.
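
The CA mismatch described in the reply above can be reproduced offline. This is an added example, not part of the original thread or of Puppet's tooling. The two CA names, the temporary directory and the helper functions are constructed for the illustration; only `masterA.example.com` and the error text come from the thread.

```shell
#!/bin/sh
# Constructed lab: two unrelated self-signed CAs stand in for the Puppet CAs of
# datacenter A and datacenter B. Names and paths are made up for the example.

make_ca() {      # make_ca <dir> <CN>: create a self-signed CA key and certificate
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/ca_key.pem" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {   # issue_cert <ca_dir> <CN> <out.pem>: leaf certificate signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca_key.pem" \
    -CAcreateserial -days 2 -out "$3" 2>/dev/null
}

issuer_of() {    # print the issuer DN of a certificate
  openssl x509 -noout -issuer -in "$1"
}

# check_trust <ca.pem> <cert.pem>: print "trusted", or the verification error
# a client configured with that CA file would hit during the TLS handshake.
check_trust() {
  verify_out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$verify_out" in
    *": OK"*) echo "trusted" ;;
    *) echo "$verify_out" | grep -o 'unable to get local issuer certificate' | head -n 1 ;;
  esac
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_ca "$lab/dcA" "DC-A Puppet CA"
make_ca "$lab/dcB" "DC-B Puppet CA"
# PuppetDB on master A presents a certificate signed by datacenter A's CA.
issue_cert "$lab/dcA" "masterA.example.com" "$lab/puppetdb_cert.pem"

issuer_of "$lab/puppetdb_cert.pem"
echo "master B's CA: $(check_trust "$lab/dcB/ca.pem" "$lab/puppetdb_cert.pem")"
echo "master A's CA: $(check_trust "$lab/dcA/ca.pem" "$lab/puppetdb_cert.pem")"
```

On real hosts the same `openssl x509 -noout -issuer` and `openssl verify -CAfile` checks, run with master B's CA certificate against the certificate PuppetDB serves on port 8081, show whether the two datacenters share a CA.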
