multiple puppetmasters, single ca

[ryan wallner]

HI all,

I am currently setting up a HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic

http://docs.puppetlabs.com/guides/passenger.html

as a reference.

Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is not the CA, I can see the request forwarded: (below)

.4 is the agent

.3 us the master proxying the request

puppetca is the acting CA for all masters

Here is the what logs in access.log for the puppetmaster that is NOT the CA.

ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"

Here is what logs in the master which IS the CA

puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

Here is what I am receiving on the Agents end.

warning: peer certificate won't be verified in this SSL session

err: Could not request certificate: No content type in http response; cannot parse

Attached are the config files for the vhost for the masters, labeled CA and NONCA. Also attached are the config.ru for the rack app and httpd.conf whre the proxy balancer is specified.

Any help is appreciated. I just started debugging but feedback is appreciated if anyone has ideas.

-r

[Jeff McCune]

On Sun, Oct 28, 2012 at 9:53 PM, ryan wallner <walln...@gmail.com> wrote:

HI all,

I am currently setting up a HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic

http://docs.puppetlabs.com/guides/passenger.html

as a reference.

Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is not the CA, I can see the request forwarded: (below)

.4 is the agent

.3 us the master proxying the request

puppetca is the acting CA for all masters

Here is the what logs in access.log for the puppetmaster that is NOT the CA.

ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"

Here is what logs in the master which IS the CA

puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"

I notice you're running the CA on port 8140.  Are you running the CA back-end using SSL?  If so, you probably shouldn't be.

If you use TCP load balancing, then all of your back end workers will terminate the SSL connection.  If, however, your load balancer terminates the SSL connection, then your back end workers need to deal with plaintext HTTP.

I suspect the problem you're running into is that the service forwarding the request to the CA is not using a SSL certificate.

Alternatively, you could try changing BalancerMember http://puppetcamaster:8140 to BalancerMember https://puppetcamaster:8140 and see if that helps.  (Note the https).

-Jeff

[ryan wallner]

Jeff,

I wound up not having SSLProxyEngine On specified in my vhost. I made the additional change to http to https in the load balancer and this worked as well. 

Though, now I am having trouble getting the actual certificate from the CA, I can see the agent send the REST call to GET /production/etc... but when it reaches the CA it is looking in /usr/share/puppet/rack/puppetmaster/production/certificate_requests. And I am receiving a file does not exist error in the logs. Which makes sense, but should't this be look ing /var/lib/puppet (debian) or another directory.

Ultimately I want to set this up on SUSE 11 SP2, but wanted to get a feel for the config.

Thanks for you help,

Ryan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.

To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

--
<R> 

Ryan Wallner

845.475.8684

@RyanWallner

rweb.meteor.com

aucouranton.com

[Jeff McCune]

On Friday, November 2, 2012, ryan wallner wrote:

Jeff,

I wound up not having SSLProxyEngine On specified in my vhost. I made the additional change to http to https in the load balancer and this worked as well. 

Though, now I am having trouble getting the actual certificate from the CA, I can see the agent send the REST call to GET /production/etc... but when it reaches the CA it is looking in /usr/share/puppet/rack/puppetmaster/production/certificate_requests. And I am receiving a file does not exist error in the logs. Which makes sense, but should't this be look ing /var/lib/puppet (debian) or another directory.

This sounds like the virtual host isn't configured to route the request to passenger and is instead serving up the response itself. I'd review the passenger configuration settings.

-Jeff