Is there an easy way to convert a puppet client into being a puppet master?

Here's the scenario. I'm using puppet to configure all my systems, and
would like it to be able to deploy a new puppet master as well. We have
systems worldwide so having local puppet masters is very desirable for
fault tolerance. So Kickstart (via cobbler) installs a puppet client during
the initial system installation, then puppet installs everything else. And
I've written a puppet-server module to attempt to deploy the puppet-server
package, but I end up getting into certificate problems every time.

The initial cert draws complaints, so I delete it and clean the certificate
from the master, but then the systems will not connect under any
circumstances:

# puppet agent -t
Exiting: no certificate found and waitforcert is disabled

There's no request on the master (either this or the other).

Thoughts?

Puppet 3.0.1 from puppetlabs rpms on Fedora 17.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/VR0FzMXrsPkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

  • Jakov Sosic at Dec 12, 2012 at 10:33 pm

    On 12/12/2012 10:04 PM, Bret Wortman wrote:
    > Is there an easy way to convert a puppet client into being a puppet master?
    >
    > Here's the scenario. I'm using puppet to configure all my systems, and
    > would like it to be able to deploy a new puppet master as well. We have
    > systems worldwide so having local puppet masters is very desirable for
    > fault tolerance. So Kickstart (via cobbler) installs a puppet client
    > during the initial system installation, then puppet installs everything
    > else. And I've written a puppet-server module to attempt to deploy the
    > puppet-server package, but I end up getting into certificate problems
    > every time.
    >
    > The initial cert draws complaints, so I delete it and clean the
    > certificate from the master, but then the systems will not connect under
    > any circumstances:
    >
    > # puppet agent -t
    > Exiting: no certificate found and waitforcert is disabled
    >
    > There's no request on the master (either this or the other).
    >
    > Thoughts?

    You should deploy master through cobbler, or run masterless puppet to
    set up the master.

  • Bret Wortman at Dec 12, 2012 at 10:43 pm
    Yeah, I was starting to think that was the solution.


    --
    Bret Wortman
    http://bretwortman.com/
    http://twitter.com/bretwortman

  • Luke Bigum at Dec 13, 2012 at 10:23 am

    On Wednesday, December 12, 2012 10:35:21 PM UTC, Bret Wortman wrote:

    > Yeah, I was starting to think that was the solution.

    That's not strictly necessary, you can install a Puppet Master with Puppet
    just fine, the problem you're running into is how to manage the Puppet CA
    across multiple Masters. This is not an easy problem to solve. If you start
    a master for the first time it will initialise its own personal CA and
    certificate. This will conflict with the cert it got from the *other*
    master when it was installed and is probably the cause of your connectivity
    problems. Also, your other agents won't be able to jump between masters
    because the CAs are different.

    I would break the problem into these tasks:

    - Decide on a centralised CA (a Puppet Master Master even) that you can
    generate other Puppet Master certificates from and give that cert the
    'puppet' alias if you use it at your sites (puppet ca generate
    woof.hostname.com --dns-alt-names puppet)
    - Figure out how to get this Cert and the Master CA onto your new Puppet
    Master instead of letting the Puppet Master. NFS? HTTPS download? Package?
    - Figure out how to share certificates between Puppet Masters so an Agent
    can check in to different Puppet Masters. Centralised CA? Multi-way rsync?

    -Luke

  • Bret Wortman at Dec 13, 2012 at 5:17 pm
    Which files will I need to transfer to the new puppet master?

    /var/lib/puppet/ssl/ca/ca_crt.pem
    /var/lib/puppet/ssl/certs/ca.pem
    /var/lib/puppet/ssl/certs/woof.hostname.com.pem

    We had been planning for a central "master master" anyway and it already
    has a dns alias for "puppet". Once I solve the distribution problem, I'll
    take on keeping these boxes in sync.

    --
    Bret Wortman
    http://bretwortman.com/
    http://twitter.com/BretWortman
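
Added example, not part of the original posts: a shell check for the CA mismatch described in this thread, showing that a host certificate issued by a central CA fails verification against a CA that a new master initialised for itself. The CA names `central-ca` and `new-master-ca`, the helper names and all key material are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway CAs, not the thread's real certificates.

# Return 0 only if <cert.pem> ($2) chains to the CA in <ca.pem> ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Create a self-signed CA named $2 in directory $1 (files $2.key and $2.pem).
make_ca() {
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Rebuild the situation from the thread: a central CA, a second CA that a new
# master created on first start, and a host cert issued by the central CA.
demo_ca_mismatch() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    make_ca "$d" central-ca && make_ca "$d" new-master-ca || { rm -rf "$d"; return 2; }
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=woof.hostname.com" -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/central-ca.pem" \
        -CAkey "$d/central-ca.key" -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null
    rc=1
    # Expected: trusted under the issuing CA, rejected under the other one.
    if cert_chains_to_ca "$d/central-ca.pem" "$d/host.pem" &&
       ! cert_chains_to_ca "$d/new-master-ca.pem" "$d/host.pem"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

demo_ca_mismatch && echo "host cert verifies only against the CA that issued it"
```

On a real master the same function can be pointed at the files named in the post above, for example `cert_chains_to_ca /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/woof.hostname.com.pem`.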




Discussion Overview
group: puppet-users
categories: puppet
posted: Dec 12, '12 at 9:04p
active: Dec 13, '12 at 5:17p
posts: 5
users: 3
website: puppetlabs.com
