Hi, Update:
I have made the changes in webserver.conf of the compile master as described in https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 (step 3 in particular), but I still have the same problem :(

On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty wrote:
>
> Hi,
>
> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>
> 1) I want to have several Puppet servers act as compile masters. They will
> be load balanced and point to a DNS record in AWS.
>
> 2) All the compile masters will share the same Puppet CA server. The CA server
> will be responsible for only signing certificates and nothing else.
>
> This should be reasonably easy to implement but I am not getting odd SSL
> errors at every turn. I am looking to know how I should go about creating a
> setup like this with open source Puppet. The steps that I am following now
> are something like this:
>
> 1) Provision the instance from a packer template. I am installing Puppet
> 5.5.6 from the packer template.
> 2) Login to the server and install puppetserver.
> 3) Disable internal CA service from services.d/ca.cfg file.
> 4) Edit puppet.conf to point master to the DNS name of the load balancer.
> Don't do any change of ca server for now. Don't run any puppet agent as
> well.
> 5) Provision another instance from the same packer template.
> 6) Install puppetserver.
> 7) Edit its puppet.conf to point to the DNS name of the load balancer and
> also change ca server to this server itself.
> 8) Run puppet agent -t on the compile master created in step 1.
> 9) Sign the cert in CA server.
>
> Is this all that there is? Do I need to do any config change in the
> webserver.conf of the Puppet compile master? If so, what would be required
> changes? What files should be copied over from the CA server to the compile
> server?
>
> What files need to be copied over from CA server to the compile server and
> where they should be placed?
>
> Right now in my CA server, I am getting this error:
>
> # puppet agent -t
> Warning: Setting autosign is deprecated.
> (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
> Warning: Setting ca is deprecated.
> (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Info: Retrieving pluginfacts
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Info: Retrieving plugin
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
> root@puppet-ca-server:~#
>
> And in Puppet compile master, I am getting:
>
> # puppet agent -t
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: execution expired
> Info: Retrieving pluginfacts
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': execution expired
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: execution expired
> Info: Retrieving plugin
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': execution expired
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: execution expired
> Error: Could not retrieve catalog from remote server: execution expired
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> root@puppetserver:~#
>
> The nodes are not yet in site.pp but I would expect the errors to be
> different.
>
> Thanks,
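
Added example (not part of the original thread, and not Puppet's own code): a small triage of the two agent runs quoted above, separating a TLS verification failure, where the peer answered and its certificate was rejected, from a timeout, where no answer arrived and no TLS verdict was reached. The function name `triage` and the verdict labels are hypothetical; the sample lines are abridged from the quoted output.

```python
import re
from collections import Counter

# Sample input: lines abridged from the two agent runs quoted in the thread.
CA_SERVER_RUN = """\
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
Info: Retrieving pluginfacts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
"""
COMPILE_MASTER_RUN = """\
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: execution expired
Error: Could not retrieve catalog from remote server: execution expired
Error: Could not retrieve catalog; skipping run
"""

# TLS handshake rejected; the bracket holds a reason and a certificate subject.
VERIFY_RE = re.compile(
    r"SSL_connect .*certificate verify failed: \[(?P<reason>.*?) for (?P<subject>/[^\]]+)\]")
# Message text of Ruby's Timeout::Error: the request got no answer in time.
TIMEOUT_RE = re.compile(r"\bexecution expired\b")


def triage(output):
    """Classify the Warning/Error lines of one agent run (labels are this example's own)."""
    counts, subjects = Counter(), set()
    for line in output.splitlines():
        if not line.startswith(("Warning:", "Error:")):
            continue  # Info lines carry no failure information
        match = VERIFY_RE.search(line)
        if match:
            counts["tls_verify_failed"] += 1
            subjects.add(match.group("subject"))
        elif TIMEOUT_RE.search(line):
            counts["timeout"] += 1
        else:
            counts["other"] += 1
    if counts["tls_verify_failed"] and counts["timeout"]:
        verdict = "mixed"
    elif counts["tls_verify_failed"]:
        verdict = "tls_trust"      # peer answered, its certificate was rejected
    elif counts["timeout"]:
        verdict = "connectivity"   # no answer at all, so TLS was never judged
    else:
        verdict = "none"
    return {"verdict": verdict, "counts": dict(counts), "subjects": sorted(subjects)}


if __name__ == "__main__":
    for name, run in (("CA server", CA_SERVER_RUN), ("compile master", COMPILE_MASTER_RUN)):
        print(name, triage(run))
```

A `tls_trust` verdict points at comparing the CA certificate the agent trusts with the issuer of the certificate the server presents; a `connectivity` verdict points at name resolution and reachability of the server address before any certificate question.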
