You will need to enable DNS alt names in your CA config, and issue a few names per server - likely including a common one shared by all nodes such as "puppetdb.domain.example".

https://puppet.com/docs/puppetserver/6.12.2/scaling_puppet_server.html => dns_alt_names

Then you'll need to go through the steps to (re)configure your PuppetDB SSL setup. This is usually replacing the 'ssl-key', 'ssl-cert' and 'ssl-ca-cert' defined in your jetty.ini config. On my local setup this is located under /etc/puppetlabs/puppetdb/ssl/. Use the same permissions as the old setup, then restart the 'puppetdb' service.

On Wednesday, January 20, 2021 at 3:32:54 AM UTC+11 Nerbolff wrote:
> Hello everyone. For security reasons, we decided to get 2 puppetdb servers up and running. There will be a setup with *master* and *slave*.
>
> We thought of using our load balancer to perform this operation. So we need a *cname* with a valid self-generated certificate, i.e. puppetdb.internet.net
>
> Here's how I think I'm going to achieve it:
>
> - I generated my puppetdb cert via the puppetca:
>
> $ sudo puppetserver ca generate --certname puppetdb.internet.net
> Successfully saved private key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
> Successfully saved public key for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
> Successfully submitted certificate request for puppetdb.internet.net
> Error:
> Signed certificate puppetdb.internet.net could not be found on the CA
> Successfully signed certificate request for puppetdb.internet.net
> Successfully saved certificate for puppetdb.internet.net to /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem
>
> Then I copied over the freshly self-signed cert from puppetca to puppetDB. I changed the */etc/puppetlabs/puppetdb/conf.d/jetty.ini* like this:
>
> ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
> ssl-cert = /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
> ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem
>
> Restarting my puppetdb, I get an error about certification implementation. The error is not clear: Java errors.
>
> At the end, my goal is to start puppetdb with the certificate *puppetdb.internet.net* loaded, so that the puppetmaster doesn't complain about the puppetca certificate.
>
> Does someone have any idea?
> Thanks.
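The reply above names the three jetty.ini keys to replace, and the quoted question shows a wiring that hands the public key file to `ssl-cert` and the server's own certificate to `ssl-ca-cert`. The script below is an added example, not code from either poster or from the Puppet project: it lints those three keys by PEM header so that wiring is flagged before `puppetdb` is restarted, and, when `openssl` is installed, additionally checks that `ssl-ca-cert` carries `CA:TRUE` and prints the certificate's subjectAltName entries (the DNS alt names the reply asks for). The directory layout, the `puppetdb.pem` certname and the stub PEM files are constructed placeholders; `ini_get`, `check_jetty_ssl` and `make_fixture` are names chosen here.

```shell
#!/bin/sh
# Added example: lint the SSL stanza of a PuppetDB jetty.ini.
# ini_get KEY FILE -> prints the value of "KEY = value" (first match).
ini_get() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# check_jetty_ssl FILE -> 0 when ssl-key / ssl-cert / ssl-ca-cert are
# plausibly wired, 1 otherwise. Checks use PEM headers only, so they run
# without openssl; the CA and SAN checks run only when openssl is present.
check_jetty_ssl() {
    file="$1"; rc=0
    key=$(ini_get ssl-key "$file")
    cert=$(ini_get ssl-cert "$file")
    ca=$(ini_get ssl-ca-cert "$file")
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "unreadable or unset path: '$f'"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # ssl-key must be a private key (RSA, PKCS#8 or encrypted PKCS#8 header).
    grep -q 'BEGIN .*PRIVATE KEY' "$key" \
        || { echo "ssl-key is not a private key: $key"; rc=1; }
    # ssl-cert must be the signed certificate, not the bare public key
    # from ssl/public_keys/ (the wiring shown in the quoted question).
    if grep -q 'BEGIN PUBLIC KEY' "$cert"; then
        echo "ssl-cert is a bare public key, not a certificate: $cert"; rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "ssl-cert is not a certificate: $cert"; rc=1
    fi
    # ssl-ca-cert must be a certificate and must not be the server cert itself.
    grep -q 'BEGIN CERTIFICATE' "$ca" \
        || { echo "ssl-ca-cert is not a certificate: $ca"; rc=1; }
    [ "$ca" != "$cert" ] \
        || { echo "ssl-ca-cert is the server's own cert, not the CA: $ca"; rc=1; }
    # With openssl and a parseable file: the CA cert must assert CA:TRUE.
    if command -v openssl >/dev/null 2>&1 && openssl x509 -in "$ca" -noout 2>/dev/null; then
        openssl x509 -in "$ca" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' \
            || { echo "ssl-ca-cert does not carry CA:TRUE (server cert instead of CA?): $ca"; rc=1; }
    fi
    # Informational: show which DNS alt names the server cert actually has.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true
    fi
    return "$rc"
}

# make_fixture -> prints a throw-away directory holding constructed stub PEM
# files (headers only, no real key material) plus a broken and a corrected ini.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/private_keys" "$d/public_keys" "$d/certs" "$d/ca"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/private_keys/puppetdb.pem"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END PUBLIC KEY-----' > "$d/public_keys/puppetdb.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/certs/puppetdb.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/ca/ca_crt.pem"
    # Same wiring as the quoted question: public key as ssl-cert, own cert as CA.
    cat > "$d/bad.ini" <<EOF
[jetty]
ssl-key = $d/private_keys/puppetdb.pem
ssl-cert = $d/public_keys/puppetdb.pem
ssl-ca-cert = $d/certs/puppetdb.pem
EOF
    # Corrected wiring: signed cert as ssl-cert, the CA certificate as ssl-ca-cert.
    cat > "$d/good.ini" <<EOF
[jetty]
ssl-key = $d/private_keys/puppetdb.pem
ssl-cert = $d/certs/puppetdb.pem
ssl-ca-cert = $d/ca/ca_crt.pem
EOF
    echo "$d"
}

# Stand-alone run: lint both variants, then clean up.
fixture=$(make_fixture)
echo "== broken stanza =="; check_jetty_ssl "$fixture/bad.ini" || echo "-> fix before restarting puppetdb"
echo "== corrected stanza =="; check_jetty_ssl "$fixture/good.ini" && echo "-> ok"
rm -rf "$fixture"
```

Run it against the real file with `check_jetty_ssl /etc/puppetlabs/puppetdb/conf.d/jetty.ini` after sourcing the functions; on a live system the openssl branch is what catches a server certificate placed in `ssl-ca-cert`, since by header alone it looks like any other certificate.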
