@jeffmccune
Created July 5, 2012 19:03
Puppet Multiple CA's

Standard CA Bundle

This CA bundle is located at the path printed by puppet master --confdir=$PUPPET_CONFDIR --configprint localcacert and contains the CA certs in the following order:

  1. Root CA
  2. Signing CA
  3. Puppet Master CA 1
  4. Puppet Master CA 2

The following error on the master may be resolved by changing the CA certificate order in the bundle to be:

  1. Puppet Master CA 2
  2. Root CA
  3. Signing CA
  4. Puppet Master CA 1

Where Puppet Master 2 is the master being brought online.

$ puppet master --confdir=$PUPPET_CONFDIR --verbose --no-daemonize --trace
/workspace/yak/src/puppet/lib/puppet/ssl/host.rb:211:in `validate_certificate_with_key'
/workspace/yak/src/puppet/lib/puppet/ssl/host.rb:202:in `certificate'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:245:in `setup'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:169:in `initialize'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:41:in `new'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:41:in `singleton_instance'
/Users/jeff/.rvm/rubies/ruby-1.8.7-p358/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:40:in `singleton_instance'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:64:in `instance'
/workspace/yak/src/puppet/lib/puppet/application/master.rb:240:in `setup'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/application.rb:416:in `hook'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/application.rb:407:in `exit_on_fail'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/util/command_line.rb:69:in `execute'
/workspace/yak/src/puppet/bin/puppet:4
Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: A4:1D:6F:CC:20:9F:DB:A7:C1:23:F6:6D:A8:70:45:5A
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean maynard2
On the agent:
  rm -f /workspace/yak/etc/puppet.27_chain2/var.master/ssl/certs/maynard2.pem
  puppet agent -t
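
The reason the order matters is that OpenSSL::X509::Certificate.new parses only the first certificate in a PEM file, so the master validates whatever cert happens to be first against its CA key. The following Ruby script is an added example, not part of this gist or of Puppet: it splits a bundle, checks whether the first cert matches a given CA key, and rewrites the bundle so that the cert for that key comes first. The make_ca helper and the certificates it generates are constructed stand-ins for the real Root/Signing/Master CAs.

```ruby
require 'openssl'

# Split a PEM bundle into its certificates, in file order. This matters because
# OpenSSL::X509::Certificate.new(bundle) silently parses only the FIRST cert,
# which is how the master ends up comparing the wrong CA cert with its key.
def bundle_certs(pem_bundle)
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# True when the first certificate in the bundle belongs to `key`, i.e. the
# master would pass its validate_certificate_with_key check on this bundle.
def first_cert_matches_key?(pem_bundle, key)
  first = bundle_certs(pem_bundle).first
  !first.nil? && first.check_private_key(key)
end

# Rewrite the bundle so the certificate for `key` comes first and the rest keep
# their original relative order (Root CA, Signing CA, Puppet Master CA 1).
def reorder_bundle(pem_bundle, key)
  mine, others = bundle_certs(pem_bundle).partition { |c| c.check_private_key(key) }
  (mine + others).map(&:to_pem).join
end

# Constructed sample data: throwaway self-signed CAs standing in for the real ones
# (hypothetical helper, not a Puppet API).
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

if $PROGRAM_NAME == __FILE__
  root_key, root_cert = make_ca('Root CA')
  pm2_key,  pm2_cert  = make_ca('Puppet Master CA 2')
  standard = root_cert.to_pem + pm2_cert.to_pem   # "normal" agent ordering
  puts "standard order OK for master 2? #{first_cert_matches_key?(standard, pm2_key)}"
  fixed = reorder_bundle(standard, pm2_key)
  puts "reordered OK for master 2?      #{first_cert_matches_key?(fixed, pm2_key)}"
  puts bundle_certs(fixed).map { |c| c.subject.to_s }.inspect
end
```

Run it against the real localcacert file and the master's CA private key to confirm the ordering before starting puppet master.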

Agent Configuration

The agent need only have a pre-populated file at the path printed by puppet agent --confdir=$PUPPET_CONFDIR --configprint localcacert, containing the "normal" bundle ordering of:

  1. Root CA
  2. Signing CA
  3. Puppet Master CA 1
  4. Puppet Master CA 2