puppetdb failover - implement ca self signed


Nerbolff

Jan 19, 2021, 11:32:54 AM
to Puppet Users
Hello everyone. For security reasons, we decided to get 2 PuppetDB servers up and running. It will be a setup with a master and a slave.

We thought of using our load balancer to perform this operation, so we need a CNAME with a valid self-generated certificate, i.e. puppetdb.internet.net

Here's how I think I'm going to achieve it:
  • I generated my puppetdb cert via the puppetca:
$ sudo puppetserver ca generate --certname puppetdb.internet.net
Successfully saved private key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
Successfully saved public key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
Successfully submitted certificate request for puppetdb.internet.net
Error:
    Signed certificate puppetdb.internet.net could not be found on the CA
Successfully signed certificate request for puppetdb.internet.net
Successfully saved certificate for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem

Then I copied over the freshly self-signed cert from the puppetca to PuppetDB.
I changed /etc/puppetlabs/puppetdb/conf.d/jetty.ini like this:

ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
ssl-cert = /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem

Restarting my PuppetDB, I get an error about certificate implementation. The error is not clear; Java errors.

In the end, my goal is to start PuppetDB with the certificate puppetdb.internet.net loaded, so the puppetmaster doesn't complain about the puppetca certificate.

Does someone have any idea?
Thanks.

comport3

Jan 20, 2021, 9:57:39 PM
to Puppet Users
You will need to enable DNS alt names in your CA config, and issue a few names per server - likely including a common one shared by all nodes such as "puppetdb.domain.example".
Then you'll need to go through the steps to (re)configure your PuppetDB SSL setup. This is usually replacing the 'ssl-key', 'ssl-cert' and 'ssl-ca-cert' defined in your jetty.ini config.
On my local setup this is located under /etc/puppetlabs/puppetdb/ssl/; use the same permissions as the old setup, then restart the 'puppetdb' service.
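
A pre-restart check for the jetty.ini settings described in this thread, added here as an example (it is not code from the thread or from the PuppetDB project). The original configuration points ssl-cert at the file under public_keys/ (a bare public key, not a certificate) and ssl-ca-cert at the node's own certificate instead of the CA's, which is what produces an opaque Java exception on restart. The script classifies the PEM file behind each ssl-key / ssl-cert / ssl-ca-cert entry by its BEGIN header and reports such mismatches before the service is restarted. It assumes the /etc/puppetlabs/puppetdb/ssl/{private,public,ca}.pem layout that `puppetdb ssl-setup` creates for the corrected example; the PEM contents and the fake_read filesystem are constructed for the demo. (For the DNS alt names step, `puppetserver ca generate` accepts `--subject-alt-names` on recent Puppet Server versions, so the one certificate can cover both the host name and the load-balanced CNAME.)

```python
"""Pre-restart lint for the [jetty] SSL settings in PuppetDB's jetty.ini.

Added example, not from the thread or the PuppetDB project. It classifies the
PEM file behind each ssl-* key by its header, so a config that points ssl-cert
at a public key (or ssl-ca-cert at the node's own certificate) is caught before
PuppetDB is restarted and fails with an opaque Java exception.
"""
import configparser
import os
from typing import Callable, Dict, List

# PEM header -> kind of material inside the file.
PEM_KINDS = {
    "-----BEGIN CERTIFICATE-----": "certificate",
    "-----BEGIN PUBLIC KEY-----": "public-key",
    "-----BEGIN RSA PRIVATE KEY-----": "private-key",
    "-----BEGIN EC PRIVATE KEY-----": "private-key",
    "-----BEGIN PRIVATE KEY-----": "private-key",
}

# What each [jetty] key must point at: PuppetDB reads the server *certificate*
# (not the bare public key) from ssl-cert, and the CA's certificate from ssl-ca-cert.
EXPECTED = {"ssl-key": "private-key", "ssl-cert": "certificate", "ssl-ca-cert": "certificate"}


def pem_kind(data: str) -> str:
    """Classify PEM text by the first recognised BEGIN line."""
    for line in data.splitlines():
        kind = PEM_KINDS.get(line.strip())
        if kind:
            return kind
    return "unknown"


def check_jetty_ssl(ini_text: str, read_file: Callable[[str], str]) -> List[str]:
    """Return findings for the [jetty] SSL settings; an empty list means nothing wrong was found."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("jetty"):
        return ["no [jetty] section found"]
    jetty = cp["jetty"]
    findings: List[str] = []
    contents: Dict[str, str] = {}

    for key, want in EXPECTED.items():
        path = jetty.get(key)
        if not path:
            findings.append(f"{key}: not set")
            continue
        try:
            contents[key] = read_file(path)
        except FileNotFoundError:
            findings.append(f"{key}: {path} does not exist")
            continue
        got = pem_kind(contents[key])
        if got != want:
            findings.append(f"{key}: {path} holds a {got}, expected a {want}")

    # ssl-ca-cert must be the CA certificate, never the server's own certificate.
    if "ssl-cert" in contents and "ssl-ca-cert" in contents:
        if contents["ssl-cert"] == contents["ssl-ca-cert"]:
            findings.append("ssl-ca-cert: same content as ssl-cert; point it at the CA certificate (ca.pem)")
    # Heuristic for the Puppet agent SSL layout, where private_keys/, public_keys/ and
    # certs/ each hold a file named <certname>.pem: a ca-cert with the same file name
    # as the key is the node's own cert, not the CA's (the CA cert is certs/ca.pem).
    key_path, ca_path = jetty.get("ssl-key"), jetty.get("ssl-ca-cert")
    if key_path and ca_path and os.path.basename(key_path) == os.path.basename(ca_path):
        findings.append(f"ssl-ca-cert: {ca_path} is named like the node certificate, not the CA certificate")
    return findings


# --- Constructed sample data (not real keys or certificates) -------------------
def _pem(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


FAKE_FS = {
    # Files as laid out by `puppetserver ca generate` on the CA host, as in the thread.
    "/etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem": _pem("RSA PRIVATE KEY", "constructed-key"),
    "/etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem": _pem("PUBLIC KEY", "constructed-pubkey"),
    "/etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem": _pem("CERTIFICATE", "constructed-server-cert"),
    "/etc/puppetlabs/puppet/ssl/certs/ca.pem": _pem("CERTIFICATE", "constructed-ca-cert"),
    # Layout under /etc/puppetlabs/puppetdb/ssl/ (public.pem holds the certificate).
    "/etc/puppetlabs/puppetdb/ssl/private.pem": _pem("RSA PRIVATE KEY", "constructed-key"),
    "/etc/puppetlabs/puppetdb/ssl/public.pem": _pem("CERTIFICATE", "constructed-server-cert"),
    "/etc/puppetlabs/puppetdb/ssl/ca.pem": _pem("CERTIFICATE", "constructed-ca-cert"),
}


def fake_read(path: str) -> str:
    """Stand-in for open(path).read() over the constructed files above."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


# The configuration from the original question.
BROKEN_INI = """[jetty]
ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
ssl-cert = /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem
"""

# Corrected: the certificate (not the public key) for ssl-cert, the CA cert for ssl-ca-cert.
FIXED_INI = """[jetty]
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
"""

if __name__ == "__main__":
    for name, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(name, check_jetty_ssl(ini, fake_read) or ["OK"])
```

The check is deliberately limited to what the PEM headers reveal; whether the CA certificate actually signed the server certificate, and whether the subject alt names cover the load-balanced name, still needs `openssl verify` and `openssl x509 -noout -ext subjectAltName` against the real files.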

Renato

Jan 22, 2021, 9:01:12 AM
to puppet...@googlegroups.com
Hello, your steps helped me a lot. I am able to create a failover now.
Thank you very much!
