Hi Soham,

I would suggest you start with a single server that contains both the CA and compile master functionality. That way you can bootstrap it in a very simple way, using the instructions for the new intermediate CA setup in Puppet 6. Once that is working, it is much easier to move to a split-out service because you will have a functioning CA + Server which can sign the certificates for the other compile masters. You should be able to serve catalogs from a single instance for several thousand agents, so don't scale out until you know you need it.

https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html

HTH
--eric0

On Wednesday, November 28, 2018 at 8:24:00 AM UTC-8, Soham Chakraborty wrote:
>
> Hi,
>
> Update:
>
> I have made the changes in webserver.conf of the compile master as described in https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 (step 3 in particular), but I still have the same problem :(
>
> On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty wrote:
>>
>> Hi,
>>
>> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>>
>> 1) I want to have several Puppet servers act as compile masters. They will be load balanced and point to a DNS record in AWS.
>>
>> 2) All the compile masters will share the same Puppet CA server. The CA server will be responsible for only signing certificates and nothing else.
>>
>> This should be reasonably easy to implement but I am not getting odd SSL errors at every turn. I am looking to know how I should go about creating a setup like this with open source Puppet. The steps that I am following now are something like this:
>>
>> 1) Provision the instance from a packer template. I am installing Puppet 5.5.6 from the packer template.
>> 2) Log in to the server and install puppetserver.
>> 3) Disable the internal CA service from the services.d/ca.cfg file.
>> 4) Edit puppet.conf to point master to the DNS name of the load balancer. Don't do any change of ca server for now. Don't run any puppet agent either.
>> 5) Provision another instance from the same packer template.
>> 6) Install puppetserver.
>> 7) Edit its puppet.conf to point to the DNS name of the load balancer and also change ca server to this server itself.
>> 8) Run puppet agent -t on the compile master created in step 1.
>> 9) Sign the cert on the CA server.
>>
>> Is this all that there is? Do I need to do any config change in the webserver.conf of the Puppet compile master? If so, what would be the required changes? What files should be copied over from the CA server to the compile server?
>>
>> What files need to be copied over from the CA server to the compile server, and where should they be placed?
>>
>> Right now in my CA server, I am getting this error:
>>
>> # puppet agent -t
>> Warning: Setting autosign is deprecated.
>>    (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
>> Warning: Setting ca is deprecated.
>>    (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
>> Warning: Unable to fetch my node definition, but the agent run will continue:
>> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> root@puppet-ca-server:~#
>>
>> And in the Puppet compile master, I am getting:
>>
>> # puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will continue:
>> Warning: execution expired
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': execution expired
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: execution expired
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': execution expired
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: execution expired
>> Error: Could not retrieve catalog from remote server: execution expired
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> root@puppetserver:~#
>>
>> The nodes are not yet in site.pp but I would expect the errors to be different.
>>
>> Thanks,
>>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/79f9241f-7214-4791-a219-ccb38f594f04%40googlegroups.com.
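Added here as a diagnostic, not code from Eric, Soham or the Puppet project: a Python check that reads a host's services.d/ca.cfg and puppet.conf and reports whether its CA role, ca_server and dns_alt_names agree with the split-CA layout described in the thread (CA disabled on compile masters, enabled on the CA host, every server cert covering the load balancer name agents connect to). The two service names are puppetserver's real ca.cfg entries; the hostnames and config bodies are constructed samples.

```python
import configparser

# Real service lines from puppetserver's services.d/ca.cfg; everything else below is constructed.
CA_ENABLED = "certificate-authority-service/certificate-authority-service"
CA_DISABLED = "certificate-authority-disabled-service/certificate-authority-disabled-service"

def ca_service_state(ca_cfg_text):
    """Return 'enabled', 'disabled' or 'invalid' for a services.d/ca.cfg body."""
    active = [line.strip() for line in ca_cfg_text.splitlines()
              if line.strip() and not line.strip().startswith("#")]
    enabled = any(CA_ENABLED in line for line in active)
    disabled = any(CA_DISABLED in line for line in active)
    if enabled != disabled:
        return "enabled" if enabled else "disabled"
    return "invalid"  # both lines or neither: puppetserver will not start cleanly

def puppet_settings(puppet_conf_text):
    """Flatten puppet.conf into one dict; role sections override [main]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(puppet_conf_text)
    merged = {}
    for section in ("main", "server", "master", "agent"):
        if cp.has_section(section):
            merged.update(cp[section])
    return merged

def check_role(hostname, ca_cfg_text, puppet_conf_text):
    """Return findings; an empty list means the CA role and settings agree."""
    findings = []
    state = ca_service_state(ca_cfg_text)
    s = puppet_settings(puppet_conf_text)
    server = s.get("server", "puppet")       # puppet's default server name
    ca_server = s.get("ca_server", server)   # ca_server falls back to server
    if state == "invalid":
        findings.append("ca.cfg must enable exactly one CA service line")
    elif state == "disabled" and ca_server == hostname:
        findings.append("CA disabled here but ca_server points at this host")
    elif state == "enabled" and ca_server != hostname:
        findings.append(f"CA enabled here but ca_server is {ca_server}")
    alt_names = [n.strip() for n in s.get("dns_alt_names", "").split(",")]
    if server != hostname and server not in alt_names:
        findings.append(f"agents contact {server}; add it to dns_alt_names before requesting this host's cert")
    for key in ("ca", "autosign"):   # both appear as deprecation warnings in the thread's agent output
        if key in s:
            findings.append(f"puppet.conf sets '{key}', which the agent reports as deprecated")
    return findings

# Constructed samples: one CA host and one compile master, as in the thread.
CA_CFG_ENABLED = f"puppetlabs.services.ca.{CA_ENABLED}\n#puppetlabs.services.ca.{CA_DISABLED}\n"
CA_CFG_DISABLED = f"#puppetlabs.services.ca.{CA_ENABLED}\npuppetlabs.services.ca.{CA_DISABLED}\n"
CA_HOST_CONF = "[main]\nserver = puppet-lb.example.test\nca_server = puppet-ca-server\ndns_alt_names = puppet-ca-server,puppet-lb.example.test\n"
COMPILER_CONF = "[main]\nserver = puppet-lb.example.test\n[agent]\nca_server = puppet-ca-server\n"
```

Run `check_role(hostname, open(ca_cfg).read(), open(puppet_conf).read())` on each box; a host whose ca.cfg and ca_server disagree, or whose cert does not cover the load balancer name, is the first place to look when agents report certificate verify failures.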
