puppetmaster + hearbeat + mon


Vassiliy Vins

Jan 27, 2014, 12:59:13 PM
to puppet...@googlegroups.com
Hi!

2 puppetmasters and 1 client installed on VMware. I'm using Puppet version 3.4.2 on all 3 hosts.

2 puppetmasters, one as primary (hostname = puppetserver.ops.ss), second (hostname = puppetslave) as secondary, client (hostname = client.ops.ss). High availability and all other steps - exactly as described on this link: http://projects.puppetlabs.com/projects/1/wiki/High_Availability_Patterns

2 puppetmasters + 1 client in the 192.168.1.x network.

2 puppetmasters connected via the 10.0.0.x network for heartbeat purposes (primary 10.0.0.1, secondary 10.0.0.2, redundant IP 192.168.1.200).
Heartbeat works.

I moved ca_crl.pem to secondary puppetmaster according to link above.

primary puppetmaster
/etc/hosts
127.0.0.1 puppetserver
192.168.1.20 client
192.168.1.30 puppetslave

puppet.conf
all defaults, only added in
[main]
ca = true


secondary puppetmaster
/etc/hosts
127.0.0.1 puppetslave
192.168.1.20 client
192.168.1.10 puppetserver.ops.ss

puppet.conf
[main]
server = puppetserver.ops.ss
listen = true
ca = false
ca_server = puppetserver.ops.ss

client
/etc/hosts
127.0.0.1 client
192.168.1.200 puppetserver.ops.ss

puppet.conf
[main]
server = puppetserver.ops.ss
listen = true

The client machine gets a certificate and puppet works with the primary puppetmaster - no problem at all.

Now I stop the primary puppetmaster, wait for the secondary to take over the 192.168.1.200 redundant IP, and try on the client machine:
# puppet agent --server puppetserver.ops.ss --waitforcert 45 --test --verbose
trying to get a certificate from the secondary puppetmaster for testing purposes.

And I got the response:
Could not retrieve catalog from remote  server: Server hostname 'puppetserver.ops.ss' did not match server certificate; expected puppetslave

Could you help me with the problem? What's wrong?

# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem   on the secondary puppetmaster
gives CN=Puppet  CA:puppetserver.ops.ss

In my understanding the secondary puppetmaster should respond as the primary one ("puppetserver.ops.ss") when the first one is dead,
and actually it does. Why does the client not accept it?

Thank you for your help
Felix Frank

Feb 7, 2014, 4:40:24 AM
to puppet...@googlegroups.com
Hi,

good thinking, but the CA certificate is not used when accepting SSL
connections (or it shouldn't be, as far as I'm concerned).

You can determine the certificate that is presented using

openssl s_client -connect puppetserver.ops.ss:8445 (assuming that is
your masterport).

You may need to share the server cert among your masters, not only the
CA cert.

HTH,
Felix
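
The check Felix describes, as an added example (not code from this thread or from Puppet itself): a Python reproduction of the agent's hostname-vs-certificate comparison that yields the "did not match server certificate" message, plus a helper that fetches the certificate a master actually presents, the equivalent of the openssl s_client step. The two sample certificate dicts are constructed to mirror the thread's primary and secondary masters; port 8140 (Puppet's default master port) and the ca.pem path quoted in the thread are assumptions.

```python
import socket
import ssl

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns:
# the primary's cert carries the shared name, the secondary's only its own.
PRIMARY_CERT = {
    "subject": ((("commonName", "puppetserver.ops.ss"),),),
    "subjectAltName": (("DNS", "puppetserver.ops.ss"), ("DNS", "puppet")),
}
SECONDARY_CERT = {
    "subject": ((("commonName", "puppetslave"),),),
    "subjectAltName": (("DNS", "puppetslave"),),
}

def cert_names(cert):
    """DNS names the cert is valid for: SAN entries, else the subject CN fallback."""
    sans = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_matches_hostname(cert, hostname):
    """Case-insensitive match; a '*.' wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        pattern = name.lower().rstrip(".")
        if pattern.startswith("*."):
            head, _, tail = host.partition(".")
            if head and tail == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def explain_mismatch(cert, hostname):
    """None if the name matches, otherwise the agent-style error text."""
    if cert_matches_hostname(cert, hostname):
        return None
    return (f"Server hostname '{hostname}' did not match server certificate; "
            f"expected {', '.join(cert_names(cert))}")

def fetch_peer_cert(host, port=8140, cafile="/var/lib/puppet/ssl/certs/ca.pem", timeout=5):
    """Return the cert the listener really presents; chain is still validated against the CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check is reported by explain_mismatch() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `explain_mismatch(fetch_peer_cert("puppetserver.ops.ss"), "puppetserver.ops.ss")` while the secondary holds the redundant IP shows which name the presented certificate carries and why the agent rejects it.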

vassiliy vins

Feb 7, 2014, 8:51:42 AM
to puppet...@googlegroups.com
Thanks, Felix
I'll try today


