separate puppetmaster ca server


Chris

Mar 28, 2014, 12:09:28 AM
to puppet...@googlegroups.com
Hi,

I've been trying to set up a separate CA server for puppetmaster and
failing. I'm sure I've missed something, but I'm not sure where to look.

server a is the puppetmaster:

[main]
ca_server = puppetmaster.puppet.local

[agent]
server = puppetmaster.puppet.local

[master]
ca=true


server b is the puppetmaster-client (slave puppetmaster):
[main]
ca_server = puppetmaster.puppet.local
server = puppetmaster.puppet.local

[agent]
<no server related settings>

[master]
ca=false


and finally server c is the puppet-client:
[main]
ca_server = puppetmaster.puppet.local
server = puppetmaster-client.puppet.local

[agent]
<no server related settings>


When I run 'puppet agent --test' on puppet-client, it generates a cert
which is then signed. The next run then hits puppetmaster-client. All
good so far.

However I never see another hit on puppetmaster at all.
If I shut down the daemon on puppetmaster, nothing complains. If I
revoke the certificate on puppetmaster, nothing complains.

If I change puppet-client config so:
[main]
server = puppetmaster.puppet.local

Then it does complain.

Using puppet 3.4.3 from the puppetlabs RPMs.

Any help/suggestions etc would be fantastic.

Cheers,
Chris.

--
Postgresql & php tutorials
http://www.designmagick.com/

Chris

Mar 30, 2014, 5:07:52 PM
to puppet...@googlegroups.com
Hi,

Apologies if this appears twice, I couldn't see it show up in the archives.

Spencer Krum

Mar 30, 2014, 5:13:22 PM
to puppet...@googlegroups.com
When you have a separate server providing the CA service, it is only contacted when a client first connects. After the client's cert is signed, the CA server does nothing. Does that make sense?


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/533887A8.7030104%40gmail.com.
For more options, visit https://groups.google.com/d/optout.



--
Spencer Krum
(619)-980-7820

Chris

Mar 30, 2014, 5:32:01 PM
to puppet...@googlegroups.com
On 31/03/14 08:13, Spencer Krum wrote:
> When you have a separate server providing the CA service, it is only
> contacted when a client first connects. After the client's cert is
> signed, the CA server does nothing. Does that make sense?

Yes and no.

Yes - I'm not missing something :)
No - I can't control client access with certificates. I thought it would
check the certificate was still valid.

Anyway, thanks for the info - much appreciated.

Spencer Krum

Mar 30, 2014, 5:48:07 PM
to puppet...@googlegroups.com
The puppetmaster doing catalog compilation, puppetmaster-client in your case, does verify that the client cert is not in the CRL. However, you have to help it out a bit. For one, you need the puppetmaster-client to get the most recent CRL from the puppetmaster (the CA server) on a regular basis; often you can do this by running puppetmaster-client in agent mode against puppetmaster, but you could also have a cron job to sync the files. For two, in some cases you need to restart Apache in order to re-read the CRL.

Hope this helps.
Spencer





--
Spencer Krum
(619)-980-7820
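As an added example of the CRL behaviour Spencer describes (not code from the thread or from Puppet itself): a local OpenSSL CA standing in for puppetmaster.puppet.local signs an agent cert, revokes it, and the compile master's verification is run once with a CRL copy synced before the revocation and once with a copy synced after. All keys, certs and the `openssl ca` config are constructed in a temp directory, and `openssl verify -crl_check` stands in for the check puppetmaster-client's SSL layer performs on each agent connection.

```shell
#!/bin/sh
# Added example, not code from the thread: a compile master only rejects a
# revoked agent cert once it holds the CA server's *current* CRL. Hostnames
# mirror Chris's setup; all material is generated locally (constructed data).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Minimal 'openssl ca' config: just enough to record revocations and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = puppet_ca
[ puppet_ca ]
database = ./index.txt
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_crl_days = 1
EOF
touch index.txt
echo 1000 > crlnumber
# CA server (puppetmaster.puppet.local) plus one freshly signed agent cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=puppetmaster.puppet.local -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj /CN=puppet-client.puppet.local -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out client.crt 2>/dev/null
# publish_crl FILE: what the CA server does; FILE is the copy a compile master
# would fetch (via an agent run against the CA server or a cron sync).
publish_crl() { openssl ca -config ca.cnf -gencrl -out "$1" 2>/dev/null; }
# compile_master_check CRL: the check puppetmaster-client performs on connect,
# using whichever CRL copy it currently holds. Prints OK or REVOKED.
compile_master_check() {
    cat ca.crt "$1" > trust.pem
    if openssl verify -crl_check -CAfile trust.pem client.crt >/dev/null 2>&1; then
        echo OK
    else
        echo REVOKED
    fi
}
publish_crl stale.crl                                     # synced before revocation
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null  # revoke on the CA server
publish_crl fresh.crl                                     # synced after revocation
compile_master_check stale.crl   # OK: the symptom from the thread
compile_master_check fresh.crl   # REVOKED
```

A stale CRL copy is exactly why revoking on puppetmaster alone changed nothing for Chris; the sync (plus the service restart Spencer mentions) is what makes the revocation take effect.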

Chris

Mar 30, 2014, 7:53:24 PM
to puppet...@googlegroups.com
On 31/03/14 08:48, Spencer Krum wrote:
> The puppetmaster doing catalog compilation, puppetmaster-client in your
> case, does verify that the client cert is not in the CRL. However, you
> have to help it out a bit. For one, you need the puppetmaster-client to
> get the most recent CRL from the puppetmaster (the CA server) on a
> regular basis; often you can do this by running puppetmaster-client in
> agent mode against puppetmaster, but you could also have a cron job to
> sync the files. For two, in some cases you need to restart Apache in
> order to re-read the CRL.

Running `puppet agent` on puppetmaster-client worked, thanks. And yep,
after that I needed to restart the puppetmaster daemon on that server.

Thanks again.