
I'm setting up Puppetdb with SSL and having issues with certificates.

I'm using Nginx as an SSL proxy for Puppet, so my CA is managed by a mongrel server on this Nginx proxy machine.

If I generate a certificate for my Puppetdb URI using the CA on the Nginx machine, I'm able to set up the Puppetdb using the puppetlabs-puppetdb module (since the Puppet agent uses the proxy's CA), but then the Puppetmaster cannot connect to it, because it has its own CA certificate which it generates itself.

If I generate a certificate for the Puppetdb URI using one of the Puppetmasters, I cannot deploy the Puppetdb using the puppetlabs-puppetdb module since the Puppet agent doesn't use the same CA certificate.

What could I do to reconcile all this? Can I fully turn off SSL on my puppetmasters (since SSL is managed by the Nginx proxy) and have them use the proxy's CA to connect to the Puppetdb?

raphink

1 Answer


I was using a wrong setup for my puppetmasters, namely, letting them create their own CA in a separate directory. This link cleared it up. I now:

  • Use the same directory in agent and master mode (in my case, the standard /var/lib/puppet/ssl directory). This ensures that it uses the same CA for both modes;
  • Use ca=false on the puppetmaster (in the [master] section) so the puppetmaster won't complain about using another CA than its own;
  • Stop specifying certname= for puppetmasters and let them use the machine's name as done in agent mode.
raphink
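The three changes in the answer above, written out as a puppet.conf on one of the puppetmasters. This is an added example, not configuration from the original post or from the puppetlabs-puppetdb module; the hostnames, the separate-directory name in the "before" block and the [agent] server value are assumptions made for illustration. The default ssldir under /var/lib/puppet and the master's default of ca = true are standard Puppet 3 behaviour.

```ini
# /etc/puppet/puppet.conf on a puppetmaster that sits behind the Nginx SSL proxy.
# Added example; hostnames and the "before" directory name are assumptions.

# --- BEFORE: the setup the answer identifies as wrong ---------------------
# [master]
# ssldir   = /var/lib/puppet/ssl-master   # assumed name; separate dir => master builds its own CA
# certname = puppetmaster01.example.com   # assumed; forces an identity distinct from agent mode
# ca       = true                         # default: master is a CA in its own right
#
# Result: "puppet agent" on this host trusts the proxy's CA (under /var/lib/puppet/ssl),
# while "puppet master" trusts only the CA it generated, so a PuppetDB certificate
# issued by either CA is rejected by one of the two modes.

# --- AFTER: one CA, shared by agent and master mode -----------------------
[main]
# Same ssldir for every mode. The node certificate and ca.pem that the agent
# obtained from the proxy's CA are now what the master presents to PuppetDB.
ssldir = /var/lib/puppet/ssl
# No certname anywhere: both modes fall back to the machine's FQDN, so
# "puppet master" looks up the same certificate "puppet agent" already holds.

[master]
# Do not stand up a second CA; the proxy's CA is the only one. With ca = true
# the master would complain about the foreign CA certificate found in ssldir.
ca = false

[agent]
# The proxy that fronts the CA (value assumed for the example).
server = puppet.example.com
```

To confirm both modes now agree, run `puppet master --configprint ssldir,certname,ca` and `puppet agent --configprint ssldir,certname` on the puppetmaster; the ssldir and certname lines should be identical and ca should print false. `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/$(hostname -f).pem` then shows that the shared node certificate chains to the proxy's CA, which is the CA that issued the PuppetDB certificate.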