multiple puppet masters
I would like to set up an additional puppet master but have the CA server handled by only 1 puppet master. I have set this up as per the documentation here:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html
I have configured my second puppet master as follows:
[main]
...
ca = false
ca_server = puppet-master1.test.net
I am using passenger so I am a bit confused how the virtual-host.conf file should look for my second puppet-master2.test.net. Here is mine (updated as per Shane Maddens answer):
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby
Listen 8140
<VirtualHost *:8140>
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppet-master1.test.net:8140/$1
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet-master2.test.net.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet-master2.test.net.pem
#SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
#SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
#SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
I have commented out the #SSLCertificateChainFile, #SSLCACertificateFile & #SSLCARevocationFile - this is not a CA server so not sure I need this. How would I get passenger to work with these?
I would like to use ProxyPassMatch which I have configured as per the documentation. I don't want to specify a ca server in every puppet.conf file.
I am getting this error when trying to get create a cert from a puppet client pointing to the second puppet master server (puppet-master2.test.net):
[root@puppet-client2 ~]# puppet agent --test
Error: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
On the puppet client I have this
[main]
server = puppet-master2.test.net
What have I missed?
Cheers, Oli
This part of the documentation..
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
..is actually wrong in several ways. ProxyPassReverse
can't take a regex (and isn't needed anyway), it's not actually using the requested URL in the request that's sent to the CA, and it can trigger unintentional proxying for non-certificate-related API calls for a node that has certificate
in its name.
Instead, use this:
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppet-master1.test.net:8140/$1
Put it inside your <VirtualHost>
block, and you can get rid of the <Proxy balancer://puppet_ca>
.
The error you're getting means that you're getting something other than a certificate back from the attempt to retrieve your certificate -- this could be caused by the configuration problem above, but might also be indicative of a different error. Get that config changed out, blow away your /var/lib/puppet/ssl
on the client (since the certificate request probably failed too) and see if it's working - if not, add --verbose
to a run and we'll see what's going on.
Nope.
Don't do this. If you're looking to scale puppet by having multiple masters, you're going the wrong way about it. I'm well aware that puppetlabs have produced a document that you linked saying how they recommend doing MM puppet, but it's actually far easier to go masterless.
So the best way to scale puppet is to go masterless, where you have a central git (or other DVCS) repository, and clone down a copy of your manifests, and run them locally with puppet apply
.