Hi,

We have several puppetmasters running with ca = false and passenger. They are currently 0.25.3 but were at some point 0.24.8.

Basically, once you have set up your ca, in a node intended to be puppetmaster, run the client FIRST with ca_server pointing to your ca. The client generates the certificates and gets the ca certificate. Then you can run the puppetmaster with ca = false.

Our non-ca puppetmasters' puppet.conf looks like this:

# file managed by puppet
[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
ssldir = /var/lib/puppet/ssl
rundir = /var/run/puppet
factpath = $vardir/lib/facter
pluginsync = true
manifest = /etc/puppet/manifests/site.pp
modulepath = /etc/puppet/modules
templatedir = /etc/puppet/templates

[puppetmasterd]
# CA
ca = false
ca_server = puppeteer.domain.com
syslogfacility = info
# Enable Foreman reports
reports=log, foreman
# for Passenger
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
# Use Foreman
node_terminus=exec
external_nodes=/etc/puppet/scripts/node.rb

[puppetd]
server = puppeteer.domain.com
report = true

Hope this helps.

Cheers,
Atha

On Feb 2, 2010, at 17:14, nicholas wrote:

> So I have 0.25.3
>
> I found this in the code
>
> puppet/ssl/certificate_authority.rb
>
> class Puppet::SSL::CertificateAuthority
> ....
>     def self.ca?
>         return false unless Puppet[:ca]
>         return false unless Puppet[:name] == "puppetmasterd"
>         return true
>     end
> ....
> end
>
> Basically I read this as, if this class is used inside of
> puppetmasterd, then turn on the certificate authority.
>
> Always.
>
> Anyone know if that is intended?
>
> On Feb 2, 9:15 am, Scott Smith <sc...@ohlol.net> wrote:
>> On 2/2/10 9:06 AM, Nigel Kersten wrote:
>>
>>> I thought ca = false was working until I actually verified that it
>>> wasn't operating as a CA.
>>
>>> This is with puppet 0.24.8 btw.
>>
>> Ahhh, I'm using 0.25.x
>>
>> -scott
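
Added example (not part of the original thread, and not Puppet's own code): a Ruby check that applies the two conditions of the quoted ca? method to a puppet.conf and flags a master that is meant to defer to an external CA but would still act as one. It assumes ca defaults to true when unset and that puppetmasterd reads its own section before [main]; the helper names and the sample configs are constructed for illustration.

```ruby
# Added example, not Puppet's code. Assumptions: `ca` defaults to true when
# unset, and a process reads its own section first, then [main].

# Parse puppet.conf text into { "section" => { "key" => "value" } }.
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = "main"
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2].strip
    end
  end
  conf
end

# Value of `key` as the process named `run_name` would see it.
def setting(conf, run_name, key, default = nil)
  conf.fetch(run_name, {}).fetch(key) { conf.fetch("main", {}).fetch(key, default) }
end

# Same two conditions as the quoted ca? method: `ca` enabled and the process
# is puppetmasterd. Anything other than "false" is treated as enabled.
def acts_as_ca?(conf, run_name)
  run_name == "puppetmasterd" && setting(conf, run_name, "ca", "true").downcase != "false"
end

# Findings for a master that is supposed to defer to an external CA.
def audit_non_ca_master(conf)
  findings = []
  if acts_as_ca?(conf, "puppetmasterd")
    findings << "puppetmasterd resolves ca as enabled"
    stray = conf.select { |_, kv| kv["ca"].to_s.downcase == "false" }.keys - %w[puppetmasterd main]
    findings << "ca = false only in [#{stray.join(', ')}], not read by puppetmasterd" unless stray.empty?
  end
  findings << "ca_server not set for puppetmasterd (the posted config sets it)" unless setting(conf, "puppetmasterd", "ca_server")
  findings
end

# Constructed samples: GOOD follows the posted config, BAD misplaces `ca`.
GOOD = "[main]\nssldir = /var/lib/puppet/ssl\n[puppetmasterd]\nca = false\nca_server = puppeteer.domain.com\n"
BAD  = "[main]\nssldir = /var/lib/puppet/ssl\n[puppetd]\nca = false\nserver = puppeteer.domain.com\n"

puts audit_non_ca_master(parse_puppet_conf(GOOD)).inspect
puts audit_non_ca_master(parse_puppet_conf(BAD)).inspect
```

The config check only shows what the master is configured to do; whether a CA key already exists under ssldir on that host is a separate thing to verify.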