Puppet Inventory Service

[Christopher Johnston]

I have multiple masters (40+) that reside in remote locations, I want to have them send puppet inventory data to a central inventory with mysql.   Once the data is there I would like puppet dashboard installation use that data.  I have not been able to get the remote masters to send their data back to the central server.

I keep getting an error:

err: Could not retrieve catalog from remote server: Error 400 on eth0: certificate verify failed.  This is often because the time is out of sync on the server or client

On the remote inventory server node I am seeing an SSL error, SSL is being used to authenticate the nodes in order to send the inventory data to the remote inventory server?

-Chris

[Christopher Johnston]

Puppet dev can help?  I modified auth.conf and it did not seem to help.

[Nan Liu]

Is the inventory server certificate sign by the same CA as the remote masters?

puppet cert -p inventory_server_cert
...
Issuer: CN=Puppet CA ...

puppet master --configprint certname
puppet_master_cert
puppet cert -p puppet_master_cert
...
Issuer: CN=Puppet CA ...

The puppet_master_cert listed above should be in auth.conf as
specified in this doc:
http://docs.puppetlabs.com/pe/1.2/upgrading.html

Specifically:
# Allow puppet master to save facts to the inventory:
path /facts
auth yes
method save
allow <puppet master's certname>

Thanks,

Nan

[Christopher Johnston]

So in my auth.conf I have this currently (below), which I think is supposed to say allow any traffic in from any master I guess I could put those hostnames in for the puppet hosts with something like puppet*.company.com.  Do I require SSL auth here?  I am just sending inventory information to a designated node which is mostly being used for RO (informational) data so security is not as critical.  

If it is a requirement that I have a signed CA, that could be an issue as I have two puppet masters in each datacenter that has its own shared CA across those two puppet masters only (certname = puppet).  I don't have one signed CA that every master is using.  

path /facts

auth any

method save

allow *

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

[Nan Liu]

On Wed, Jan 4, 2012 at 11:31 AM, Christopher Johnston
<chjo...@gmail.com> wrote:
> If it is a requirement that I have a signed CA, that could be an issue as I
> have two puppet masters in each datacenter that has its own shared CA across
> those two puppet masters only (certname = puppet).  I don't have one signed
> CA that every master is using.

You don't need a signed CA, but rather the two servers certs are
signed by the same CA, which is the reason for verifying issuer match.
If your inventory server is also a puppet master, might be easier to
get that system working first before trying a remote puppet master.

Thanks,

Nan

[Christopher Johnston]

My inventory server is a puppetmaster, but its master of itself and is only being using for inventory services.  If I point new clients to it will work fine.    

So think of my setup like this:

puppet1.company.com and puppet2.company.com are two dedicated servers in each datacenter that handle local client connectivity only.  By using certname=puppet I can copy the same CA to puppet2.company.com and support failing over if the primary server goes down.  This setup is mimic'ed in about 20 other sites.

The inventory server is a remote puppet master sitting in a backoffice datacenter that is setup with mysql and puppet dashboard to receive reports and inventory services from all 40 of the masters. 

So with this current arrangement how would I go about making sure the inventory server has a cert that is signed by the 40 other CAs. 

Thanks,

Nan

[Nan Liu]

On Wed, Jan 4, 2012 at 12:12 PM, Christopher Johnston
<chjo...@gmail.com> wrote:
> My inventory server is a puppetmaster, but its master of itself and is only
> being using for inventory services.  If I point new clients to it will work
> fine.
>
> So think of my setup like this:
>
> puppet1.company.com and puppet2.company.com are two dedicated servers in
> each datacenter that handle local client connectivity only.  By using
> certname=puppet I can copy the same CA to puppet2.company.com and support
> failing over if the primary server goes down.  This setup is mimic'ed in
> about 20 other sites.
>
> The inventory server is a remote puppet master sitting in a backoffice
> datacenter that is setup with mysql and puppet dashboard to receive reports
> and inventory services from all 40 of the masters.
>
> So with this current arrangement how would I go about making sure the
> inventory server has a cert that is signed by the 40 other CAs.

Certificate chain is an outstanding bug, so at the moment one CA sign
all puppet master + inventory server cert.

Nan

[Christopher Johnston]

That could get ugly, so I would have to create one CA, sign it then distribute it to all of my masters.  Then also delete my certs on the clients and re-issue new ones.

Is my thinking correct here?

-Chris

Nan

[Greg]

The way I've done it in the past is that you have one Puppet instance
dedicated to the initial Puppet run.. It handles the CA plus farms out
a puppet.conf which contains the local server info.

The main issue I found is that Puppet doesn't seem to change masters
without a restart even though it says that it has re-read the config
file, so I got around it by doing a small Puppet run that only signs
the cert and distributes the puppet.conf in the finish script of the
OS install, then once the host rebooted that it found its correct
Puppet server and then continues the upgrade from there.

It can mean the CA-owning Puppet master only ever gets used on the
initial install but maybe it can be used more with multiple
environments - say build and production?

Greg