Converting puppet client to server


Bret Wortman

Dec 12, 2012, 4:04:34 PM12/12/12
to puppet...@googlegroups.com
Is there an easy way to convert a puppet client into being a puppet master?

Here's the scenario. I'm using puppet to configure all my systems, and would like it to be able to deploy a new puppet master as well. We have systems worldwide so having local puppet masters is very desirable for fault tolerance. So Kickstart (via cobbler) installs a puppet client during the initial system installation, then puppet installs everything else. And I've written a puppet-server module to attempt to deploy the puppet-server package, but I end up getting into certificate problems every time.

The initial cert draws complaints, so I delete it and clean the certificate from the master, but then the systems will not connect under any circumstances:

# puppet agent -t
Exiting: no certificate found and waitforcert is disabled

There's no request on the master (either this or the other).

Thoughts?

Puppet 3.0.1 from puppetlabs rpms on Fedora 17.

Jakov Sosic

Dec 12, 2012, 5:26:17 PM12/12/12
to puppet...@googlegroups.com
You should deploy master through cobbler, or run masterless puppet to
set up the master.

Bret Wortman

Dec 12, 2012, 5:35:21 PM12/12/12
to puppet...@googlegroups.com
Yeah, I was starting to think that was the solution. 

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Luke Bigum

Dec 13, 2012, 5:15:11 AM12/13/12
to puppet...@googlegroups.com
On Wednesday, December 12, 2012 10:35:21 PM UTC, Bret Wortman wrote:
Yeah, I was starting to think that was the solution. 


That's not strictly necessary; you can install a Puppet Master with Puppet just fine. The problem you're running into is how to manage the Puppet CA across multiple Masters. This is not an easy problem to solve. If you start a master for the first time it will initialise its own personal CA and certificate. This will conflict with the cert it got from the *other* master when it was installed and is probably the cause of your connectivity problems. Also, your other agents won't be able to jump between masters because the CAs are different.

I would break the problem into these tasks:

- Decide on a centralised CA (a Puppet Master Master even) that you can generate other Puppet Master certificates from and give that cert the 'puppet' alias if you use it at your sites (puppet ca generate woof.hostname.com --dns-alt-names puppet)
- Figure out how to get this Cert and the Master CA onto your new Puppet Master instead of letting the Puppet Master. NFS? HTTPS download? Package?
- Figure out how to share certificates between Puppet Masters so an Agent can check in to different Puppet Masters. Centralised CA? Multi-way rsync?

-Luke

Bret Wortman

Dec 13, 2012, 11:21:04 AM12/13/12
to puppet...@googlegroups.com
Which files will I need to transfer to the new puppet master? 

/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/woof.hostname.com.pem

We had been planning for a central "master master" anyway and it already has a dns alias for "puppet". Once I solve the distribution problem, I'll take on keeping these boxes in sync.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/tQYBNKzPoQAJ.
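Luke's task list and Bret's file list amount to one concrete question a practitioner would want answered before copying anything onto a new master: is the bundle I am about to install actually issued by the central CA, does the private key belong to that cert, and does the cert carry the host name and the 'puppet' alias? The pre-flight check below is an added example, not code from this thread or from Puppet itself. It assumes the OpenSSL command-line tool, the ssldir paths Bret quoted, and, as an assumption about the standard Puppet layout, the master's private key under /var/lib/puppet/ssl/private_keys/<certname>.pem, which must travel with the cert (and only over a channel you trust) for the new master to serve at all. A cert minted by a master's own freshly initialised CA fails the first check, which is the conflict Luke describes.

```shell
#!/bin/sh
# Pre-flight check for a Puppet master certificate bundle issued by a central CA.
# Added example, not from the thread or from Puppet. Assumes the OpenSSL CLI and
# the ssldir layout quoted in the thread; the private_keys path is assumed.

# has_dns_name "SAN line" NAME
# True if NAME appears as an exact DNS entry (not just as a prefix of a longer name).
has_dns_name() {
    case "$1" in
        *"DNS:$2,"*|*"DNS:$2") return 0 ;;
    esac
    return 1
}

# check_master_bundle CA_CERT HOST_CERT HOST_KEY HOSTNAME
# Returns 0 if the bundle is consistent, 1 with a reason on stderr otherwise.
check_master_bundle() {
    ca="$1"; cert="$2"; key="$3"; host="$4"

    # 1. The host cert must chain to the central CA. A cert signed by a
    #    master's own locally initialised CA is rejected here.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by $ca" >&2
        return 1
    fi

    # 2. The private key must belong to the cert: compare the public keys
    #    derived from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2
        return 1
    fi

    # 3. The cert must name the host and carry the 'puppet' alias agents use,
    #    i.e. the --dns-alt-names puppet from the thread.
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    if ! has_dns_name "$san" "$host"; then
        echo "$cert lacks DNS:$host in subjectAltName" >&2
        return 1
    fi
    if ! has_dns_name "$san" puppet; then
        echo "$cert lacks the DNS:puppet alias" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_master_bundle.sh CA_CERT HOST_CERT HOST_KEY HOSTNAME
# e.g. with the paths quoted in the thread plus the (assumed) private key path:
#   sh check_master_bundle.sh /var/lib/puppet/ssl/certs/ca.pem \
#       /var/lib/puppet/ssl/certs/woof.hostname.com.pem \
#       /var/lib/puppet/ssl/private_keys/woof.hostname.com.pem woof.hostname.com
if [ "$#" -eq 4 ]; then
    check_master_bundle "$@" && echo "bundle OK for $4"
fi
```

Run it on the new master before starting puppet-server; if the first check fails, the box already initialised its own CA and the ssldir should be cleared and re-populated from the central CA rather than patched around.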