2

I have a Puppetmaster server A and a server B that is a Puppet client of A. I would like to set up server B to be a Puppetmaster itself and make server C be a Puppet client of server B. (Note: all servers are Debian squeeze.)

PM A <------ PM B <------ C
      client       client

I tried, but when I try to start puppetmaster on server B I get this error:

Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.

Is this sort of chaining possible? If so, how?

user35042
  • When you start `puppet master`, the first thing it does is generate a new set of certs for itself. Also, why do you want to do this master-slave-subslave setup anyway? – qweet Jun 15 '12 at 17:55
  • I am tempted to believe that you could create two separate puppet configuration files, which specify different state/data directories. Then have one config be for your running server, and the second called by the agent process to the other server. Not exactly sure about all the details though. – Zoredache Jun 15 '12 at 18:06
  • "Why?" A Puppetmaster can easily be a client of itself. – Michuelnik Jul 12 '12 at 07:55
  • @Michuelnik, to answer why, you might want this to build a hierarchy. So imagine I work at a given organization and am hired to assist in the management of systems at a completely separate organization. I want to push some settings to a server under that separate organization's control, and also give them the ability to perform some management internally. – Zoredache Jul 18 '12 at 18:16
  • @Zoredache: Perhaps I do not quite understand, but it seems to me that you want to maintain separate puppet environments. I could imagine better tools for pushing these changes to (different?) puppet servers than puppet, since you do not have to configure much but instead push your modules/manifests? I would use svn or git or rsync for this? – Michuelnik Jul 19 '12 at 05:42

2 Answers

2

In /etc/puppet.conf you need to specify the certs for server B as a server, and for server B as a client.

When starting puppetmasterd on serverB:

puppetmasterd --no-daemonize --verbose --certname serverB_server

To create the client cert:

puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>

Then the conf file:

========/etc/puppet.conf===========
[puppetmasterd]
  certname=serverB_server
  ca=true

[puppetd]
  certname=serverB_client
  ca_server=serverA
Sirch
  • Have you actually tested this? This just seems to give me lots of certificate errors about the master not matching the agent's private key. – Zoredache Jul 18 '12 at 17:55
  • Yes, but not from the Debian package, but from the puppet installer. I've never had problems keeping client certs apart from its server certs. Use this model for multi master configs. – Sirch Jul 18 '12 at 22:16
  • I tried your suggestion but am getting the same "The certificate retrieved from the master does not match the agent's private key." errors when starting the puppetmaster daemon on server B as Zoredache seems to be getting. Be aware that I want server B to act as its clients' CA. This is not the same as multi master setups. – user35042 Jul 26 '12 at 16:50
1

The setup that seemed to be straightforward and work on a Debian/Ubuntu host was to simply set up separate configuration files and a separate directory. This is for webrick, not sure what you need to do for passenger.

Create a confdir for the master:

mkdir -p /etc/puppetmaster/

Update /etc/default/puppetmaster:

--- a/default/puppetmaster
+++ b/default/puppetmaster
@@ -4,4 +4,4 @@
 START=yes

 # Startup options.
-DAEMON_OPTS=""
+DAEMON_OPTS="--confdir=/etc/puppetmaster/"
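
Review bot: the new DAEMON_OPTS value on the last line of this hunk has no comment saying why the master is pointed at /etc/puppetmaster/; add one under "# Startup options." noting that the master reads its own confdir so that it does not share settings with the agent on the same host. Because START=yes is already set, the daemon will be launched with this option on the next start, so the directory and its puppet.conf need to exist before the service is restarted.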

Create a puppet.conf file in /etc/puppetmaster/ for the master.

[main]
logdir=/var/log/puppetmaster
vardir=/var/lib/puppetmaster
ssldir=/var/lib/puppetmaster/ssl
rundir=/var/run/puppetmaster
factpath=$vardir/lib/facter
templatedir=$confdir/templates
# pluginsync = true
certname=submaster.example.org
Zoredache
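
A preflight check for the separation both answers depend on, as an added example that is not code from either answer or from Puppet: it reads the agent's and the master's puppet.conf text and lists the settings the two processes would share. The agent sample is constructed and the function names are hypothetical; the only Puppet behaviour assumed is that a run-mode section overrides [main] and that `$name` expands to another setting.

```python
import re

# Settings the agent and the master on one host must not share.
MUST_DIFFER = ("certname", "ssldir", "vardir", "rundir")

# Constructed sample: a stock-style agent config (paths are assumptions).
AGENT_CONF = """\
[main]
vardir=/var/lib/puppet
ssldir=$vardir/ssl
rundir=/var/run/puppet
"""

# Master settings taken from the answer above (subset).
MASTER_CONF = """\
[main]
vardir=/var/lib/puppetmaster
ssldir=/var/lib/puppetmaster/ssl
rundir=/var/run/puppetmaster
certname=submaster.example.org
"""

def parse_conf(text):
    """Parse puppet.conf-style text into {section: {setting: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective(text, mode):
    """Settings one run mode sees: [main], overridden by the mode's own section."""
    sections = parse_conf(text)
    merged = {**sections.get("main", {}), **sections.get(mode, {})}
    expand = lambda v: re.sub(r"\$(\w+)", lambda m: merged.get(m.group(1), m.group(0)), v)
    return {k: expand(v).rstrip("/") for k, v in merged.items()}

def collisions(agent_text, master_text, agent_mode="agent", master_mode="master"):
    """Settings both processes would share; unset in both means the same default."""
    agent, master = effective(agent_text, agent_mode), effective(master_text, master_mode)
    return [k for k in MUST_DIFFER if agent.get(k) == master.get(k)]

if __name__ == "__main__":
    print(collisions(AGENT_CONF, AGENT_CONF), collisions(AGENT_CONF, MASTER_CONF))
```

For a single file that uses the older section names from the first answer, pass `agent_mode="puppetd"` and `master_mode="puppetmasterd"`.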