I would like to set up an additional puppet master but have the CA server handled by only 1 puppet master. I have set this up as per the documentation here:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html
I have configured my second puppet master as follows:
[main]
...
ca = false
ca_server = puppet-master1.test.net
I am using passenger so I am a bit confused how the virtual-host.conf file should look for my second puppet-master2.test.net. Here is mine (updated as per Shane Maddens answer):
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby
Listen 8140
<VirtualHost *:8140>
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppet-master1.test.net:8140/$1
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet-master2.test.net.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet-master2.test.net.pem
#SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
#SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
#SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
I have commented out the #SSLCertificateChainFile, #SSLCACertificateFile & #SSLCARevocationFile – this is not a CA server so not sure I need this. How would I get passenger to work with these?
I would like to use ProxyPassMatch which I have configured as per the documentation. I don't want to specify a ca server in every puppet.conf file.
I am getting this error when trying to get create a cert from a puppet client pointing to the second puppet master server (puppet-master2.test.net):
[root@puppet-client2 ~]# puppet agent --test
Error: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
On the puppet client I have this
[main]
server = puppet-master2.test.net
What have I missed?
Cheers,
Oli
Best Answer
This part of the documentation..
..is actually wrong in several ways.
ProxyPassReversecan't take a regex (and isn't needed anyway), it's not actually using the requested URL in the request that's sent to the CA, and it can trigger unintentional proxying for non-certificate-related API calls for a node that hascertificatein its name.Instead, use this:
Put it inside your
<VirtualHost>block, and you can get rid of the<Proxy balancer://puppet_ca>.The error you're getting means that you're getting something other than a certificate back from the attempt to retrieve your certificate -- this could be caused by the configuration problem above, but might also be indicative of a different error. Get that config changed out, blow away your
/var/lib/puppet/sslon the client (since the certificate request probably failed too) and see if it's working - if not, add--verboseto a run and we'll see what's going on.