Re: [Puppet Users] multiple puppetmasters, 1 as the CA. Using passenger and mod_proxy
121 views
Skip to first unread message
Jason Wright
Oct 26, 2012, 4:44:21 PM10/26/12
to puppet...@googlegroups.com
We don't run that configuration on Corp Puppet servers; we change ca_server.
You may have better luck if you ask on puppet-users.
https://groups.google.com/forum/?fromgroups#!forum/puppet-users
Thanks,
Jason
On Fri, Oct 26, 2012 at 1:06 PM, ryan wallner <walln...@gmail.com> wrote:
>
> HI all,
>
> I am currently setting up a HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:
>
> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
> http://docs.puppetlabs.com/guides/passenger.html
>
> as a reference.
>
> Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is not the CA, I can see the request forwarded: (below)
>
> .4 is the agent
> .3 us the master proxying the request
> puppetca is the acting CA for all masters
>
> Here is the what logs in access.log for the puppetmaster that is NOT the CA.
> ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
>
> Here is what logs in the master which IS the CA
> puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"
>
> Here is what I am receiving on the Agents end.
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: No content type in http response; cannot parse
>
> Attached are the config files for the vhost for the masters, labeled CA and NONCA. Also attached are the config.ru for the rack app and httpd.conf whre the proxy balancer is specified.
>
> Any help is appreciated. I just started debugging but feedback is appreciated if anyone has ideas.
>
> -r
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/7ws4VMcUxE8J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
--
"Life was better when sun4m mattered." -Thom
You may have better luck if you ask on puppet-users.
https://groups.google.com/forum/?fromgroups#!forum/puppet-users
Thanks,
Jason
On Fri, Oct 26, 2012 at 1:06 PM, ryan wallner <walln...@gmail.com> wrote:
>
> HI all,
>
> I am currently setting up a HA devops configuration using puppet. I want to be able to run a single puppet master as the CA and the rest act as peering puppet masters. I have each puppet master running on passenger and I am proxying the SSL requests to the CA server following:
>
> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-redirect-certificate-traffic
> http://docs.puppetlabs.com/guides/passenger.html
>
> as a reference.
>
> Watching the access.log on each master, when an agent requests a cert from a puppetmaster that is not the CA, I can see the request forwarded: (below)
>
> .4 is the agent
> .3 us the master proxying the request
> puppetca is the acting CA for all masters
>
> Here is the what logs in access.log for the puppetmaster that is NOT the CA.
> ubuntu-pupmaster1:8140 192.168.192.4 - - [26/Oct/2012:15:32:36 -0400] "GET /production/certificate/agent-hostname? HTTP/1.1" 200 2245 "-" "-"
>
> Here is what logs in the master which IS the CA
> puppetca:8140 192.168.192.3 - - [26/Oct/2012:15:32:33 -0400] "GET /" 400 588 "-" "-"
>
> Here is what I am receiving on the Agents end.
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: No content type in http response; cannot parse
>
> Attached are the config files for the vhost for the masters, labeled CA and NONCA. Also attached are the config.ru for the rack app and httpd.conf whre the proxy balancer is specified.
>
> Any help is appreciated. I just started debugging but feedback is appreciated if anyone has ideas.
>
> -r
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/7ws4VMcUxE8J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
--
"Life was better when sun4m mattered." -Thom
ryan wallner
Oct 29, 2012, 12:54:59 AM10/29/12
to puppet...@googlegroups.com
thanks Jason. Didn't realize I didn't post it as a new thread.
Have a good one.
Reply all
Reply to author
Forward
0 new messages