I am currently setting up a HA devops configuration using puppet. I want to
be able to run a single puppet master as the CA and the rest act as peering
puppet masters. I have each puppet master running on passenger and I am
proxying the SSL requests to the CA server following:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
http://docs.puppetlabs.com/guides/passenger.html
as a reference.
Watching the access.log on each master, when an agent requests a cert from
a puppetmaster that is *not* the CA, I can see the request forwarded:
(below)
.4 is the agent
.3 is the master proxying the request
puppetca is the acting CA for all masters
*Here is what logs in access.log for the puppetmaster that is NOT the CA.*
ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
*Here is what logs in the master which IS the CA*
puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"
*Here is what I am receiving on the Agents end.*
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: No content type in http response; cannot parse
Attached are the config files for the vhost for the masters, labeled CA and
NONCA. Also attached are the config.ru for the rack app and httpd.conf where
the proxy balancer is specified.
Any help is appreciated. I just started debugging but feedback is
appreciated if anyone has ideas.
-r