Re: [Puppet Users] puppetmaster + heartbeat + mon
Hi,

good thinking, but the CA certificate is not used when accepting SSL connections (or it shouldn't be, as far as I'm concerned).

You can determine the certificate that is presented using

    openssl s_client -connect puppetserver.ops.ss:8445

(assuming that is your masterport).

You may need to share the server cert among your masters, not only the CA cert.

HTH,
Felix

On 01/27/2014 06:59 PM, Vassiliy Vins wrote:
> # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
> on secondary puppetmaster gives
> CN=Puppet CA:puppetserver.ops.ss
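
Added example, not part of the original thread: an offline version of the check suggested above, showing why a server certificate issued for puppetslave is rejected under the shared name puppetserver.ops.ss while a certificate issued for that name is accepted. The function names are hypothetical and the certificates are throwaway self-signed ones generated locally, not real Puppet certificates.

```shell
#!/bin/sh
# Constructed demo: host names are the ones from the thread; the certs are
# throwaway self-signed certificates, generated locally for illustration.

# make_cert CN OUTFILE: create a one-day self-signed cert whose subject is CN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# cert_matches_host CERTFILE HOSTNAME: succeed only if the certificate is
# valid for HOSTNAME (SAN entries, or the CN when no SAN is present).
# The printed verdict is parsed rather than relying on the exit status.
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>&1 \
        | grep -q "does match certificate"
}

# presented_cert HOST PORT: save the certificate a live master presents,
# so it can be fed to cert_matches_host (needs network; not used in demo).
presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert puppetslave "$dir/slave.pem"           # secondary's own cert
    make_cert puppetserver.ops.ss "$dir/shared.pem"  # cert for the shared name
    for cert in slave shared; do
        if cert_matches_host "$dir/$cert.pem" puppetserver.ops.ss; then
            echo "$cert.pem: valid for puppetserver.ops.ss"
        else
            echo "$cert.pem: NOT valid for puppetserver.ops.ss"
        fi
    done
    rm -rf "$dir"
}

demo
```

Against a running master, `presented_cert puppetserver.ops.ss 8445 > presented.pem` followed by `cert_matches_host presented.pem puppetserver.ops.ss` performs the same check on the certificate actually served behind the redundant IP.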
Re: [Puppet Users] puppetmaster + heartbeat + mon
Thnx, Felix
I'll try today

On 7 February 2014 02:40, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> Hi,
>
> good thinking, but the CA certificate is not used when accepting SSL connections (or it shouldn't be, as far as I'm concerned).
>
> You can determine the certificate that is presented using
>
>     openssl s_client -connect puppetserver.ops.ss:8445
>
> (assuming that is your masterport).
>
> You may need to share the server cert among your masters, not only the CA cert.
>
> HTH,
> Felix
>
> On 01/27/2014 06:59 PM, Vassiliy Vins wrote:
> > # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
> > on secondary puppetmaster gives
> > CN=Puppet CA:puppetserver.ops.ss
[Puppet Users] puppetmaster + heartbeat + mon
Hi!

2 puppetmasters and 1 client installed on VMware.
I'm using puppetversion 3.4.2 on all 3 hosts.
2 puppetmasters, one as primary (hostname = puppetserver.ops.ss), second (hostname = puppetslave) as secondary, client (hostname = client.ops.ss).

High availability and all other steps - exactly as described on this link
http://projects.puppetlabs.com/projects/1/wiki/High_Availability_Patterns

2 puppetmasters + 1 client in 192.168.1.x network.
2 puppetmasters connected via 10.0.0.x network for heartbeat purposes (primary 10.0.0.1, secondary 10.0.0.2, redundant IP 192.168.1.200).
heartbeat works.
I moved ca_crl.pem to secondary puppetmaster according to link above.

primary puppetmaster

*/etc/hosts*

    127.0.0.1 puppetserver
    192.168.1.20 client
    192.168.1.30 puppetslave

*puppet.conf*
all defaults, only added in [main]

    ca = true

secondary puppetmaster

*/etc/hosts*

    127.0.0.1 puppetslave
    192.168.1.20 client
    192.168.1.10 puppetserver.ops.ss

*puppet.conf*

    [main]
    server = puppetserver.ops.ss
    listen = true
    ca = false
    ca_server = puppetserver.ops.ss

client

*/etc/hosts*

    127.0.0.1 client
    192.168.1.200 puppetserver.ops.ss

*puppet.conf*

    [main]
    server = puppetserver.ops.ss
    listen = true

Client machine gets certificate and puppet works with primary puppetmaster - no problem at all.

Now I stop the primary puppetmaster, wait for the secondary to take the 192.168.1.200 redundant IP, and try on the client machine:

    # puppet agent --server puppetserver.ops.ss --waitforcert 45 --test --verbose

trying to get a certificate from the secondary puppetmaster for testing purposes.

And I got the response:

    Could not retrieve catalog from remote server: Server hostname 'puppetserver.ops.ss' did not match server certificate; expected puppetslave

Could you help me with the problem? What's wrong?

    # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

on secondary puppetmaster gives

    CN=Puppet CA:puppetserver.ops.ss

In my understanding the secondary puppetmaster should respond as the primary one (puppetserver.ops.ss) when the first one is dead, and actually it does; why does the client not accept it?

Thank you for your help