Converting from one puppetmaster to another

puppet

I have a puppet host which has been pulling data from a remote puppetmaster, and now I want to turn this host into a puppetmaster. The host (as puppet agent) had already been configured and SSL certificates exchanged.

Now there is a new puppetmaster (on the same host) and I'm getting nowhere in setting it up. I've already configured the puppet.conf to point to the new server (the same host, but using the DNS name) but haven't configured fileserver.conf yet. The puppetmaster uses passenger and Apache.

The system is Ubuntu Lucid Lynx with Puppet 2.6.3. Attempting to start the puppetmaster gives this response:

# service puppetmaster start
 * Starting puppet master
Could not prepare for execution: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
   ...fail!

The configuration of puppet-passenger from the package gives this error:

# dpkg --configure puppetmaster-passenger
Setting up puppetmaster-passenger (2.6.3-0ubuntu1~lucid1) ...
Module ssl already enabled
Site puppetmaster already enabled
 * Restarting web server apache2
Syntax error on line 16 of /etc/apache2/sites-enabled/puppetmaster:
SSLCARevocationFile: file '/var/lib/puppet/ssl/ca/ca_crl.pem' does not exist or is empty
   ...fail!
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing puppetmaster-passenger (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 puppetmaster-passenger

I took a look in /var/lib/puppet/ssl but don't know where to begin – which certificates to remove or change, and which to leave alone. I didn't see any description of the SSL certificates. I don't see how to make /var/lib/puppet/ssl/ca/ca_crl.pem.

This process is part of setting up a dual puppetmaster configuration. Both would be active and represent the same data in two different areas (connected by a link considered "expensive"). Thus, both puppetmasters would have the same information (copied by rsync perhaps) and each would serve as puppetmaster to the hosts on its side of the "expensive" link, exchanging data infrequently or on demand.

I found this thread in puppet-users but it doesn't describe how to set things up and doesn't describe which SSL certs are which.

ADDED: More information. Running puppet master gives this:

# puppet master
Could not prepare for execution: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

If only I knew where that certificate was. I feel certain that the old server configuration is interfering with the new installation but don't know how to remove the configuration.

Best Answer

I don't want to detract from anyone's possible answers - perhaps there is a cleaner way to achieve my goals.

Here is what I did: I removed everything in /var/lib/puppet:

cd /var/lib/puppet
rm -rf *

Since I was using a package manager, I looked for files owned by any package in that directory - and there were none. For Debian and dpkg, that is done this way:

dpkg -S * */* */*/*

Since no packages were found that owned these files, this suggested that the files were created on the fly, and since /var/lib/puppet was owned by a package (puppet-common) I left the empty directory in place.

Then I ran puppetmaster (actually a mistake since passenger is to be used) and the appropriate files were all recreated. After stopping puppetmaster, configuring passenger, and configuring /etc/default/puppetmaster and "restarting" puppetmaster (which failed quietly) - everything seemed to be good again.

Running puppet agent against the server pulled down the appropriate certs and made everything nice.
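Before deleting everything under /var/lib/puppet as the answer does, a practitioner would normally want to confirm which pair actually disagrees: both failures above ("Retrieved certificate does not match private key") mean the host certificate in the ssldir was not issued for the private key sitting next to it, and the Apache failure means the CA directory has never produced a CRL. The script below is an added example and not part of the question or the answer. It assumes the Puppet 2.6 ssldir layout (certs/CERTNAME.pem, private_keys/CERTNAME.pem, and ca/ca_crt.pem, ca/ca_key.pem, ca/ca_crl.pem under /var/lib/puppet/ssl) and that openssl is on PATH. check_ssldir is what you would run against the real directory; set_aside_ssldir moves the directory away instead of rm -rf-ing it so the old agent key stays recoverable; make_pair only builds throwaway self-signed pairs so the check can be exercised without a Puppet installation (a real Puppet certificate is issued by the master's CA, not self-signed).

```shell
#!/bin/sh
# Added example (not from the original post): find out why Puppet reports
# "Retrieved certificate does not match private key" before wiping /var/lib/puppet.
# Assumptions: Puppet 2.6 ssldir layout (certs/, private_keys/, ca/) and openssl on PATH.

# RSA modulus of a PEM certificate / private key ("Modulus=..."); empty and nonzero on error.
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# Succeed only if the certificate was issued for exactly this private key.
cert_matches_key() {
    c=$(cert_modulus "$1") || return 1
    k=$(key_modulus "$2")  || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Inspect an ssldir for one certname. Returns 0 when every key/cert pair that is
# present agrees. $1 = ssldir (e.g. /var/lib/puppet/ssl), $2 = certname (host FQDN).
check_ssldir() {
    ssldir=$1; certname=$2; rc=0
    hcert=$ssldir/certs/$certname.pem
    hkey=$ssldir/private_keys/$certname.pem
    if cert_matches_key "$hcert" "$hkey"; then
        echo "ok:   host cert $hcert matches $hkey"
    else
        echo "FAIL: host cert $hcert does not match $hkey (or one of them is missing)"
        rc=1
    fi

    cacert=$ssldir/ca/ca_crt.pem
    cakey=$ssldir/ca/ca_key.pem
    if [ -f "$cacert" ] || [ -f "$cakey" ]; then
        if cert_matches_key "$cacert" "$cakey"; then
            echo "ok:   CA cert $cacert matches $cakey"
        else
            echo "FAIL: CA cert $cacert does not match $cakey (or one of them is missing)"
            rc=1
        fi
    else
        echo "info: no CA under $ssldir/ca (this host has only ever acted as an agent)"
    fi

    crl=$ssldir/ca/ca_crl.pem
    if [ -s "$crl" ]; then
        echo "ok:   CRL $crl present"
    else
        echo "warn: $crl missing or empty; Apache's SSLCARevocationFile will fail until the CA has written it"
    fi
    return $rc
}

# Safer alternative to "rm -rf *": move the ssldir out of the way so the old agent
# key and certificate can still be recovered. Prints the backup path.
set_aside_ssldir() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    mv "$1" "$backup" && echo "$backup"
}

# Build a throwaway self-signed key/cert pair in ssldir layout (test fixture only).
make_pair() {
    dir=$1; name=$2
    mkdir -p "$dir/private_keys" "$dir/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$dir/private_keys/$name.pem" -out "$dir/certs/$name.pem" >/dev/null 2>&1
}

# Usage against a real master: check_ssldir /var/lib/puppet/ssl "$(hostname -f)"
```

If check_ssldir reports a host-cert mismatch and no CA directory, the host is still carrying the agent certificate signed by the old remote master; set the ssldir aside, let puppet master create a fresh CA and host certificate, then re-run the agent as the answer describes. The dpkg -S check from the answer is still worth doing first on a Debian system, since anything a package owns should be restored with dpkg rather than regenerated.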