FAQ
I'm trying to set up a multi-tier Puppet Master configuration. A
top-level Puppet Master serves subordinate Puppet Masters, which in
turn serve the nodes. The top-level Master is also the Certificate
Authority for the entire infrastructure.

I'm using RHEL 6.1, Puppet 2.7.14, and mod_passenger.

I built the top-level Master without problems. I then built four
subordinate Masters. In the puppet.conf for each subordinate Master, I
added:
dns_alt_names = 'hostX.domain,puppetmaster,puppetmaster.domain'
(where hostX.domain is the FQDN of the server on which I was working)

First execution of `puppet agent --test` on each subordinate Master told me:

err: Could not request certificate: Error 400 on SERVER: CSR
'host.domain' contains subject alternative names
(DNS:puppetmaster.domain,
DNS:hostX.domain), which are disallowed. Use `puppet cert
--allow-dns-alt-names sign hostX.domain` to sign this request.
Exiting; failed to retrieve certificate and waitforcert is disabled

On the top-level Master I executed the command as instructed. Next
execution of `puppet agent --test` from the subordinate Master
retrieved the signed certificate. Each subordinate Master can connect
to the top-level Master without error.

On each subordinate Master I next setup mod_passenger, so that these
hosts could server my Puppet clients.

I built a test client, and from the top-level Puppet Master I ran
`puppet cert generate test.domain`. I installed the generated files
onto the test machine. However, this test client is unable to connect
to any of the subordinate Masters. I get the following error:

Could not prepare for execution: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint: CD:2C:44:54:40:B3:8A:A1:30:73:49:95:95:12:CD:54
To fix this, remove the certificate from both the master and the agent
and then start a puppet run, which will automatically regenerate a
certficate.
On the master:
puppet cert clean hostX.domain
On the agent:
rm -f /var/lib/puppet/ssl/certs/hostX.domain
puppet agent -t

All four of my subordinate Puppet Masters yield the same error message
when the test node connects. What's more, all four of them display the
same certificate fingerprint. There error isn't a Puppet client
problem, because I get the same error when I run `openssl s_client
-connect hostX.domain:8140 -status`.

Each subordinate Master is using an /etc/httpd/conf.d/puppet.conf file
that looks like this:
Listen 8140
<VirtualHost *:8140>
ErrorLog /var/log/httpd/puppet_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet_access.log combined
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/hostX.domain.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/hostX.domain.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# CRL checking should be enabled
# disable next line if Apache complains about CRL
#SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to allow CSR request, required if certificates
distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

# The following client headers record authentication information
for down stream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

RackAutoDetect On
DocumentRoot /etc/puppet/rack/puppetmaster/public/
<Directory /etc/puppet/rack/puppetmaster/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Again, "hostX.domain" is the FQDN of each individual server.

I'm quite sure the solution is something simple, and I'm just not
seeing it. I'd appreciate a nudge in the right direction.

Thanks,
Scott

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 16 | next ›
Discussion Overview
grouppuppet-users @
categoriespuppet
postedJun 12, '12 at 6:54p
activeJun 15, '12 at 2:44a
posts16
users5
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase