How to chain puppet masters


I have a Puppetmaster server A and a server B that is a Puppet client of A. I would like to set up server B to be a Puppetmaster itself and make server C a Puppet client of server B. (Note: all servers are Debian squeeze.)

PM A <------ PM B <------ C
      client       client

I tried, but when I try to start puppetmaster on server B I get this error:

Could not prepare for execution: The certificate retrieved from the
master does not match the agent's private key.

Is this sort of chaining possible? If so, how?

Best Answer

In /etc/puppet.conf you need to specify the certs for server B as a server, and for server B as a client.

When starting puppetmasterd on serverB:

puppetmasterd --no-daemonize --verbose --certname serverB_server

To create the client cert:

puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>

Then the conf file:

========/etc/puppet.conf===========
[puppetmasterd]
  certname=serverB_server
  ca=true

[puppetd]
  certname=serverB_client
  ca_server=serverA
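
The following is an added example, not part of the original answer: a check that each role's certificate on server B really belongs to that role's private key, which is the condition behind the error quoted in the question. It assumes Puppet's usual ssldir layout (`certs/<certname>.pem` and `private_keys/<certname>.pem`); the function names are hypothetical and `make_sample_ssldir` only builds constructed test data.

```bash
#!/usr/bin/env bash
# Added example. Assumes <ssldir>/certs/<certname>.pem and
# <ssldir>/private_keys/<certname>.pem (Puppet's usual ssldir layout).

# Succeeds only if the certificate's public key equals the private key's.
key_matches_cert() {
  local cert="$1" key="$2" from_cert from_key
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Report one role (certname) of the chained server: OK, MISMATCH or MISSING.
check_role() {
  local ssldir="$1" certname="$2"
  local cert="$ssldir/certs/$certname.pem"
  local key="$ssldir/private_keys/$certname.pem"
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "$certname: MISSING"; return 2
  fi
  if key_matches_cert "$cert" "$key"; then
    # The issuer shows which CA signed this role's certificate.
    echo "$certname: OK, $(openssl x509 -in "$cert" -noout -issuer)"
  else
    echo "$certname: MISMATCH"; return 1
  fi
}

# Constructed sample data: serverB_server gets a matching pair, while
# serverB_client gets a certificate that was made for a different key.
make_sample_ssldir() {
  local d; d=$(mktemp -d) || return 1
  mkdir -p "$d/certs" "$d/private_keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=serverB_server" \
    -keyout "$d/private_keys/serverB_server.pem" \
    -out "$d/certs/serverB_server.pem" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=serverB_client" \
    -keyout "$d/discard.pem" -out "$d/certs/serverB_client.pem" 2>/dev/null || return 1
  openssl genrsa -out "$d/private_keys/serverB_client.pem" 2048 2>/dev/null || return 1
  echo "$d"
}

# Usage: <this script> <ssldir> <certname>...
if [ "$#" -ge 2 ]; then
  ssldir="$1"; shift
  for name in "$@"; do check_role "$ssldir" "$name" || true; done
fi
```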