Right, that's what I am trying to do, but what I'm seeing is that the 
masters are creating their own CA. The error I am seeing is this:

info: Creating a new SSL key for ca
debug: Using cached certificate for ca
Could not prepare for execution: The certificate retrieved from the master 
does not match the agent's private key.
Certificate fingerprint: 75:67:F9:A4:C0:BC:8E:4F:15:63:C4:12:48:4C:75:32
To fix this, remove the certificate from both the master and the agent and 
then start a puppet run, which will automatically regenerate a certficate.


When I copy the contents of the CA dir over from the CA server, it works 
fine, but it is a headache to copy the contents over. The agent on 
that specific master runs fine though and has no complaints.

On Monday, August 13, 2012 11:05:22 AM UTC-4, Jeff McCune wrote:
>
> On Mon, Aug 13, 2012 at 6:46 AM, Matt <mjb...@gmail.com> wrote:
>
>> I did a quick look for it but I could not find it. When it comes to 
>> puppet masters, is it required to copy the puppet/ssl/ca directory to each 
>> puppet master or is there a configuration to make the puppet master not try 
>> to generate its own CA if there is a ca_server option specified?
>>
>
> When running multiple puppet masters I recommend maintaining only one 
> Puppet CA if possible.  You can disable the CA on the masters and configure 
> the agents to talk to the CA using the ca_port and ca_server options.
>
> This is my recommendation, but there are lots of alternative architectures 
> that may be a better fit for your scenario.
>
> Hope this helps,
> -Jeff 
>
>
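
An added example, not part of the thread and not Puppet's own tooling: a shell check for the situation discussed above, a master whose puppet.conf sets ca_server but leaves the local CA enabled. It assumes the `ca` setting defaults to true when unset and that [main] values apply unless the named section overrides them; the function names and the example.test hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `ca` defaults to true when unset
# and that [main] values apply unless the named section overrides them.

# effective_setting FILE SECTION KEY: print the value KEY takes in SECTION,
# or nothing when neither SECTION nor [main] sets it.
effective_setting() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                     # section header
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); sect = $0; next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sect == want) { own = v; has_own = 1 }
            else if (sect == "main") { inherited = v; has_main = 1 }
        }
        END { if (has_own) print own; else if (has_main) print inherited }
    ' "$1"
}

# master_runs_own_ca FILE: succeed if this master will still act as a CA.
master_runs_own_ca() {
    case "$(effective_setting "$1" master ca | tr 'A-Z' 'a-z')" in
        false) return 1 ;;
        *)     return 0 ;;   # unset or true: a local CA gets generated
    esac
}

# audit_master FILE: one-line verdict for a master's puppet.conf.
audit_master() {
    ca_server=$(effective_setting "$1" agent ca_server)
    if master_runs_own_ca "$1"; then
        echo "WARN: local CA enabled (ca_server=${ca_server:-unset})"
    else
        echo "OK: local CA disabled (ca_server=${ca_server:-unset})"
    fi
}

# Constructed sample: ca_server is set, but nothing disables the local CA.
sample=$(mktemp)
printf '%s\n' '[main]' 'ca_server = ca.example.test' '[master]' \
    'certname = m1.example.test' > "$sample"
audit_master "$sample"
rm -f "$sample"
```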

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/6UpARILaU_IJ.