
I have managed to set up multiple puppet masters with one puppet master acting as a CA, and clients are able to get a certificate from this CA server but use their designated puppet master to get their manifests. See this question for more info: multiple puppet masters. However, there are a couple of things I have had to do to get this working correctly, and I have an error which I'll get to.

First of all, to get inventory working for a puppet-client (PC) connecting to its designated puppet-master (PM), I had to copy the CA certs on PM1 to the PM2 ca directory. I ran this command:

scp root@puppet-master1.test.net:/var/lib/puppet/ssl/ca/ca_cr*.pem  root@puppet-master2.test.net:/var/lib/puppet/ssl/ca/.

Once I have done that, I was able to uncomment the SSLCertificateChainFile, SSLCACertificateFile & SSLCARevocationFile section of my rack.conf VH file on the PM2. Once I had done this, inventory started to work. Does this sound an acceptable way to do things?

Secondly, in the puppet.conf file, I am setting the designated PM server for the client, for example server = puppet-master2.test.net. Unless there is a better way, this is how it'll work in my production setup. So PC1 will talk to PM1 and PC2 will talk to PM2. This is where I have an error. When PC2 first requests a cert from the CA on PM1, the cert appears and then I sign the cert on the CA on PM1. When I then do a puppet agent --test on PC2 (which has server = puppet-master2.test.net in puppet.conf), I get this error:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: puppet-master2.test.net(10.1.1.161) access to /certificate_revocation_list/ca [find] at :112

However, if I change the PC2 puppet.conf file and specify server = PM1 and then rerun puppet agent --test, I do not get any errors. I can then revert the change in the puppet.conf file back to server = PM2 and everything seems to run normally.

Do I have to set up some kind of ProxyPassMatch on PM2 for requests made from clients to /certificate_revocation_list/* and redirect them to PM1? Or how can I fix this error?

Cheers, Oli


1 Answer


Once I have done that, I was able to uncomment the SSLCertificateChainFile, SSLCACertificateFile & SSLCARevocationFile section of my rack.conf VH file on the PM2. Once I had done this, inventory started to work. Does this sound an acceptable way to do things?

Shouldn't need to do that - the revocation list and root certificate should already be on the secondary master. Try these file locations on PM2:

SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem

Secondly, in the puppet.conf file, I am setting the designated PM server for the client, for example server = puppet-master2.test.net. Unless there is a better way, this is how it'll work in my production setup.

Which puppet version are you on? 3.0's SRV record feature is an excellent solution to this problem, allowing you to give clients a set of masters they can choose from, with weights and priorities.

Do I have to set up some kind of ProxyPassMatch on PM2 for requests made from clients to /certificate_revocation_list/* and redirect them to PM1? Or how can I fix this error?

This is a bad default in auth.conf - the proxied connection isn't authenticated, and the default is to force authentication for the CRL (which is not sensitive). Add this to your auth.conf on PM1:

path /certificate_revocation_list
auth any
method find
allow *
Shane Madden
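To see why the stock auth.conf turns the CRL request into a 403 and what the extra rule changes, here is a small model of Puppet 3's auth.conf matching, added as an example and not taken from the question or answer above. It is a simplified reimplementation of the documented semantics (rules are tried in order, the first rule whose path, method and auth setting match decides the request, and a rule with no `auth` line applies only to authenticated clients); it is not Puppet's own code. The two auth.conf fragments are constructed excerpts, the agent name pc2.test.net is an assumption, and 10.1.1.161 is the PM2 address from the error message, standing in for the source of the unauthenticated request.

```python
"""Simplified model of Puppet 3 auth.conf matching (added example, not Puppet code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Acl:
    path: str
    regex: bool = False
    auth: str = "yes"                            # yes = authenticated only, no, any
    methods: set = field(default_factory=set)    # empty set = any method
    allow: list = field(default_factory=list)    # empty allow list = deny


def parse_auth_conf(text):
    """Parse the subset of auth.conf directives needed here (path, auth, method, allow)."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            if value.startswith("~"):            # "path ~ <regex>" is a regex rule
                acls.append(Acl(path=value[1:].strip(), regex=True))
            else:                                # otherwise a prefix match
                acls.append(Acl(path=value))
        elif key == "auth":
            acls[-1].auth = {"on": "yes", "off": "no"}.get(value, value)
        elif key == "method":
            acls[-1].methods = {m.strip() for m in value.split(",")}
        elif key == "allow":
            acls[-1].allow.extend(a.strip() for a in value.split(","))
        else:
            raise ValueError(f"directive not modelled: {raw!r}")
    return acls


def check(acls, path, method, authenticated, name):
    """Decide one request. `name` is the certname of an authenticated client,
    or the source IP for an unauthenticated one. Returns (allowed, reason)."""
    for acl in acls:
        if acl.regex:
            m = re.search(acl.path, path)
            if not m:
                continue
            groups = m.groups()
        else:
            if not path.startswith(acl.path):
                continue
            groups = ()
        if acl.methods and method not in acl.methods:
            continue
        if acl.auth == "yes" and not authenticated:   # rule only covers authenticated clients
            continue
        if acl.auth == "no" and authenticated:
            continue
        # First matching rule decides: allowed only if the name is in its allow list.
        for entry in acl.allow:
            for i, g in enumerate(groups, 1):
                entry = entry.replace(f"${i}", g)      # $1 back-references from regex paths
            if entry == "*" or entry == name or (
                    entry.startswith("*.") and name.endswith(entry[1:])):
                return True, f"allowed by rule 'path {acl.path}'"
        return False, f"denied by rule 'path {acl.path}' (auth {acl.auth})"
    return False, "no matching rule (implicit deny)"


# Constructed excerpt of the stock Puppet 3 auth.conf (only the rules relevant here).
DEFAULT_AUTH_CONF = """
path ~ ^/catalog/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path /certificate/ca
auth any
method find
allow *

# deny everything else; illustrates the default policy
path /
auth any
"""

CRL_RULE = "path /certificate_revocation_list\nauth any\nmethod find\nallow *\n"

# The answer's rule placed ahead of the catch-all deny, and (wrongly) after it.
FIXED_AUTH_CONF = DEFAULT_AUTH_CONF.replace("# deny everything else", CRL_RULE + "\n# deny everything else")
MISPLACED_AUTH_CONF = DEFAULT_AUTH_CONF + "\n" + CRL_RULE


def crl_decisions(auth_conf):
    """(authenticated agent allowed?, unauthenticated request allowed?) for the CRL path."""
    acls = parse_auth_conf(auth_conf)
    authed, _ = check(acls, "/certificate_revocation_list/ca", "find", True, "pc2.test.net")
    anon, _ = check(acls, "/certificate_revocation_list/ca", "find", False, "10.1.1.161")
    return authed, anon


if __name__ == "__main__":
    for label, conf in [("default", DEFAULT_AUTH_CONF), ("fixed", FIXED_AUTH_CONF),
                        ("misplaced", MISPLACED_AUTH_CONF)]:
        print(label, crl_decisions(conf))
```

The model reproduces the situation in the question: an authenticated agent is allowed by the stock rule, but an unauthenticated request skips it (no `auth` line means `auth yes`) and falls through to the `path /` catch-all, which has no allow list, hence the 403. The third fragment shows the ordering caveat: because the first matching rule wins, the added rule has to sit above the `path /` entry, or it is never consulted.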