puppet. My main departure is that I'm using an F5 rather than an apache
load balancer. Namely, I want to have my puppet agents go through the F5
to a pool of "master only" systems, and any Certificate activity to get
proxied by those masters through to one single Certificate Authority. That
CA system is not part of the F5 pool, its role is to provide CA, Puppetdb
and Postgresql. It is configured as a master because that was the easiest
way to get a CA stood up, but I don't intend to use it as a master in
normal operation (and in fact I don't plan to have it hosting any modules).
I'm using RHEL 6, Apache, and Passenger, and Open Source Puppet.
I initially set up passenger using puppetlabs/passenger from the Forge,
(which got me most of the way there but not fully configured). All of
these steps worked fine for the CA system to configure it as a working
master (I have tested by registering systems with it, but then done puppet
cert clean and wiped the test systems' ssl directories).
I then set up my first master-only system the same way, except I didn't
actually start the master service (as the docs say) until after I had set
ca = false and ca_server = $MY_CA_SERVER into /etc/puppet.conf. I also
made the necessary changes listed at
the certificate access on the CA system, the SSLProxyEngine on and
ProxyPassMatch lines in the VHost definition in
/etc/httpd/conf.d/puppetmaster.conf. I'm positive I followed all the steps
in the docs in order, but I'm not having any luck with external agents.
If I run puppet agent -t on the master-only system (with its "server" in
puppet.conf set to itself) it works fine--it can talk to the CA and talk to
itself, and all is right with the world.
If I run puppet agent -t on a client host, pointing at the load balancer's
address (or even pointing directly at the master-only system's real
hostname), I get:
[root@elmer ~]# puppet agent -t
Info: Creating a new SSL key for elmer.allstate.com
Error: Could not request certificate: Error 400 on SERVER: this master is
not a CA
Exiting; failed to retrieve certificate and waitforcert is disabled
I've looked at the logs, enabled debug logging in the webserver with
LogLevel, dug around everywhere I can think of, and I see no sign of any
actual proxying going on. tcpdump certainly shows no attempt by the
master-only system to contact the CA.
What it LOOKS like is happening is that apache is not actually proxying
anything, the request gets passed to the puppet master app running under
passenger, and it (rightly) says "I'm not a CA" because
/etc/puppet/puppet.conf says so.
I do not see any errors in the logs about proxy attempts failing for this
agent. I do see workers being attached for proxy purposes:
[Tue Oct 01 13:48:26 2013] [debug] proxy_util.c(1833): proxy: grabbed
scoreboard slot 0 in child 27434 for worker
[Tue Oct 01 13:48:26 2013] [debug] proxy_util.c(1852): proxy: worker
https://caserver.allstate.com:8140/$1 already initialized
[Tue Oct 01 13:48:26 2013] [debug] proxy_util.c(1949): proxy: initialized
single connection worker 0 in child 27434 for caserver.allstate.com)
I've repeatedly re-checked the settings in /etc/puppet.conf
/etc/httpd/conf.d/passenger.conf, /etc/httpd/conf.d/puppetmaster.conf etc
against the documentation and I am not seeing any errors.
This seems like I have to be overlooking something really basic, and I'm
going to feel stupid when I find it, but it's right in my critical path
right now and I can't see it. Anyone have any suggestions? I can provide
config files and log files if need be, but I'm trying to avoid all the
redacting I'd need to do (my server is not literally named "caserver" etc).
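For reference, here is the shape of a Puppet 3 Passenger vhost on a "master only" system that hands every certificate request off to a separate CA, as an added example (not the poster's actual puppetmaster.conf, nor a file from the Puppet project). Hostnames, the rack DocumentRoot and the ssl paths are placeholders following the defaults for an Open Source Puppet 3 install on RHEL 6; the CRL path assumed here is the one a non-CA master maintains (/var/lib/puppet/ssl/crl.pem) rather than the CA's own ca_crl.pem.

```apache
# Added example: /etc/httpd/conf.d/puppetmaster.conf on a non-CA master.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded (the stock
# RHEL 6 httpd.conf loads the proxy modules; mod_ssl comes with the mod_ssl rpm).
Listen 8140
<VirtualHost *:8140>
    # Placeholder hostname; agents (or the F5 pool) connect here.
    ServerName master01.example.com

    SSLEngine on
    SSLProtocol             ALL -SSLv2
    SSLCipherSuite          ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
    # Cert and key issued to this master by the single CA.
    SSLCertificateFile      /var/lib/puppet/ssl/certs/master01.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/master01.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    # Assumed path: a non-CA master keeps its downloaded CRL here (not ssl/ca/ca_crl.pem).
    SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem

    # "optional" so that a brand-new agent with no cert yet can still reach
    # the certificate_request endpoint; the master app decides from the
    # X-Client-Verify header whether the client actually authenticated.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # ---- CA proxying ----
    # Must sit inside the same :8140 vhost the agents hit. Every request whose
    # second path element starts with "certificate" (certificate,
    # certificate_request, certificate_revocation_list, certificate_status)
    # is sent over TLS to the CA instead of to the local Passenger app,
    # so the local master never has to answer "this master is not a CA".
    SSLProxyEngine On
    ProxyPassMatch ^/([^/]+/certificate.*)$ https://caserver.example.com:8140/$1

    # ---- Passenger / Rack ----
    # Placeholder rack dir; must contain config.ru for the puppet master app.
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog  /var/log/httpd/puppetmaster_ssl_error.log
    CustomLog /var/log/httpd/puppetmaster_ssl_access.log combined
</VirtualHost>
```

A quick way to tell whether the proxy rule is being hit at all, without touching an agent, is to ask the master for the CA certificate itself, for example `curl -k -H 'Accept: s' https://master01.example.com:8140/production/certificate/ca` (the `Accept: s` header is what a Puppet 3 agent sends). A PEM certificate in the reply means the request was proxied to the CA; a 400 with "this master is not a CA" means the local Passenger app answered, so the `ProxyPassMatch` line is either absent from the vhost the request landed in, not matching the path, or the proxy modules are not loaded. The request should also appear in the CA's own httpd access log, which is a cleaner signal than tcpdump.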