Hi all,

I am currently setting up an HA devops configuration using puppet. I want to
be able to run a single puppet master as the CA and have the rest act as peering
puppet masters. I have each puppet master running on passenger and I am
proxying the SSL requests to the CA server following:

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
http://docs.puppetlabs.com/guides/passenger.html

as a reference.

Watching the access.log on each master, when an agent requests a cert from
a puppetmaster that is *not* the CA, I can see the request forwarded:
(below)

.4 is the agent
.3 is the master proxying the request
puppetca is the acting CA for all masters

*Here is what logs in access.log for the puppetmaster that is NOT the CA.*
ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"

*Here is what logs in the master which IS the CA*
puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

*Here is what I am receiving on the Agents end.*
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: No content type in http response; cannot parse

Attached are the config files for the vhost for the masters, labeled CA and
NONCA. Also attached are the config.ru for the rack app and httpd.conf where
the proxy balancer is specified.

Any help is appreciated. I just started debugging but feedback is
appreciated if anyone has ideas.

-r

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/dbVNeQUD-dIJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
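The two access-log lines in the post are the whole diagnosis in this thread: the front-end master answers the agent with a 200, while the CA, a few seconds earlier, logs a bare "GET /" with a 400. As an added example that is not part of the original post, here is a small Ruby script (Ruby because that is what the master itself runs under Passenger) that parses vhost-prefixed Apache access logs from a front-end master and from the CA and reports certificate requests that did not arrive at the CA as sent. The sample log lines are constructed, modelled on the two lines in the post plus two made-up entries; hostnames, addresses and the clock-skew window are assumptions.

```ruby
require 'time'

# Apache combined log with the "%v:%p" virtual-host prefix, as in the post.
LOG_RE = /\A(?<vhost>\S+):(?<port>\d+) (?<client>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) (?<bytes>\S+)/

# Agent requests that belong on the CA; only these should be proxied there.
CERT_PATH = %r{\A/[^/]+/(certificate|certificate_request|certificate_revocation_list)(/|\z)}

Entry = Struct.new(:vhost, :client, :time, :method, :path, :status, :bytes)

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  method, path, _proto = m[:req].split(' ', 3)
  Entry.new(m[:vhost], m[:client],
            Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
            method, (path || '').sub(/\?\z/, ''),            # drop the trailing "?"
            m[:status].to_i, m[:bytes] == '-' ? 0 : m[:bytes].to_i)
end

def parse_log(text)
  text.each_line.map { |l| parse_line(l.strip) }.compact
end

# For each CA request the front-end master logged, look for the same method
# and path at the CA within +window+ seconds (the two hosts' clocks, and the
# moment each side finishes the request, differ by a few seconds).
def check_forwarding(front, ca, window: 30)
  problems = []
  front.each do |req|
    next unless req.path =~ CERT_PATH
    nearby = ca.select { |c| (c.time - req.time).abs <= window }
    hit = nearby.find { |c| c.method == req.method && c.path == req.path }
    if hit
      next if hit.status == req.status
      problems << "#{req.method} #{req.path}: front end answered #{req.status}, CA answered #{hit.status}"
    else
      stray = nearby.count { |c| c.path == '/' && c.status == 400 }
      detail = if stray.zero?
                 'nothing reached the CA'
               else
                 "CA logged #{stray} bare \"GET /\" 400 instead, i.e. the request was not relayed as sent"
               end
      problems << "#{req.method} #{req.path} from #{req.client}: #{detail}"
    end
  end
  problems
end

# Constructed sample logs, modelled on the two lines in the post; the second
# and third front-end entries are made up to show a correctly relayed request
# and a non-CA request that is rightly ignored.
FRONT_LOG = <<~LOG
  ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
  ubuntu-pupmaster1:8140 192.168.192.5 - - [26/Oct/2012:15:40:02 -0400] "GET /production/certificate/ca HTTP/1.1" 200 1180 "-" "-"
  ubuntu-pupmaster1:8140 192.168.192.5 - - [26/Oct/2012:15:41:10 -0400] "GET /production/catalog/agent2.example.com HTTP/1.1" 200 9120 "-" "-"
LOG

CA_LOG = <<~LOG
  puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"
  puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:40:01 -0400] "GET /production/certificate/ca HTTP/1.1" 200 1180 "-" "-"
LOG

if __FILE__ == $0
  check_forwarding(parse_log(FRONT_LOG), parse_log(CA_LOG)).each { |p| puts p }
end
```

On the constructed data the script reports the one request whose only counterpart at the CA is the bare "GET /" 400, and stays silent about the correctly relayed request and the catalog request that never should be proxied. For real logs, call `parse_log(File.read(...))` on each master's access.log; a run that reports "nothing reached the CA" points at the proxy rule, a run that reports stray 400s points at the transport between proxy and CA.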


  • Jeff McCune at Oct 29, 2012 at 4:16 pm

    I notice you're running the CA on port 8140. Are you running the CA
    back-end using SSL? If so, you probably shouldn't be.

    If you use TCP load balancing, then all of your back end workers will
    terminate the SSL connection. If, however, your load balancer terminates
    the SSL connection, then your back end workers need to deal with plaintext
    HTTP.

    I suspect the problem you're running into is that the service forwarding
    the request to the CA is not using an SSL certificate.

    Alternatively, you could try changing BalancerMember
    http://puppetcamaster:8140 to BalancerMember
    https://puppetcamaster:8140 and see if that helps. (Note the https).

    -Jeff

  • Ryan Wallner at Nov 2, 2012 at 6:38 pm
    Jeff,

    I wound up not having SSLProxyEngine On specified in my vhost. I made the
    additional change from http to https in the load balancer and this worked as
    well.

    Though, now I am having trouble getting the actual certificate from the CA.
    I can see the agent send the REST call to GET /production/etc... but when
    it reaches the CA it is looking in
    /usr/share/puppet/rack/puppetmaster/production/certificate_requests. And I
    am receiving a file does not exist error in the logs. Which makes sense,
    but shouldn't this be looking in /var/lib/puppet (debian) or another directory?

    Ultimately I want to set this up on SUSE 11 SP2, but wanted to get a feel
    for the config.

    Thanks for your help,
    Ryan



    --
    Ryan Wallner
    845.475.8684
    @RyanWallner
    rweb.meteor.com
    aucouranton.com

  • Jeff McCune at Nov 2, 2012 at 9:21 pm

    This sounds like the virtual host isn't configured to route the request to
    passenger and is instead serving up the response itself. I'd review the
    passenger configuration settings.

    -Jeff


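Putting the three findings of the thread together (the proxy must speak TLS to the CA, the fix was SSLProxyEngine On plus an https BalancerMember, and the vhost must hand every other request to Passenger rather than serve files itself), here is an added example of a complete vhost for a non-CA master. It is neither the poster's attached config nor the text of the Puppet Labs guides linked above; the hostnames, the certificate paths (Debian layout under /var/lib/puppet/ssl), the rack directory and the Apache version assumptions are mine.

```apache
# Added example of a non-CA master vhost; not the poster's attached config.
# Hostnames, paths and file names are assumptions (Debian layout).
Listen 8140
<VirtualHost *:8140>
    ServerName ubuntu-pupmaster1.example.com

    # This master terminates TLS for its agents with its own Puppet-issued cert.
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile      /var/lib/puppet/ssl/certs/ubuntu-pupmaster1.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/ubuntu-pupmaster1.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    # Identity headers the puppetmaster reads (its ssl_client_header and
    # ssl_client_verify_header settings). "set" overwrites anything the client
    # sent, so an agent cannot claim a DN or a SUCCESS verdict it did not earn.
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Certificate traffic is relayed to the CA over TLS. Without SSLProxyEngine
    # On, mod_proxy cannot use an https:// member; the CA then sees a broken
    # request and the agent gets an error page with no content type.
    SSLProxyEngine On
    # Verify that the peer really is the CA master (its server cert is signed by
    # the Puppet CA); otherwise anything answering on 8140 could hand a
    # bootstrapping agent a bogus CA certificate.
    SSLProxyVerify require
    SSLProxyCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    <Proxy balancer://puppetca>
        BalancerMember https://puppetca.example.com:8140
    </Proxy>
    ProxyPassMatch ^/([^/]+/certificate.*)$ balancer://puppetca/$1

    # Everything else is answered locally. DocumentRoot must be the rack app's
    # public/ directory, with config.ru one level up, or Passenger never sees
    # the request and Apache looks for a file such as
    # .../production/certificate_requests on disk.
    DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
```

This needs mod_ssl, mod_headers, mod_proxy, mod_proxy_http and mod_proxy_balancer loaded, and the config.ru from the Passenger guide unchanged. Two caveats worth keeping in mind: the relayed request carries no client certificate, so on the CA the SSL_CLIENT_VERIFY variable is NONE and the CA vhost's own RequestHeader set lines replace whatever X-Client-* headers the front end forwarded; keep those lines on the CA so it never acts on an identity it did not verify itself. And the certificate endpoints are meant to be reachable without a client certificate, which is also why the agent's "peer certificate won't be verified in this SSL session" warning is expected on its very first request: at that point it does not have the CA certificate yet, which is exactly what SSLProxyVerify require on the front end protects.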

Discussion Overview
group: puppet-users
categories: puppet
posted: Oct 29, '12 at 4:53a
active: Nov 2, '12 at 9:21p
posts: 4
users: 2
website: puppetlabs.com

2 users in discussion

Jeff McCune: 2 posts, Ryan Wallner: 2 posts
