
I would like to set up an additional puppet master to act as a non-CA server.

I have installed and am successfully using Passenger. The servers in question are all running CentOS 6.6 and are all on the same network. SELinux has been set to permissive. The test environment consists of three servers as follows:

1.  HOSTNAME=basxtststinfl01, DNS=puppet.xchanginghosting.com,basxtststinfl01.xchanginghosting.com (CA Master)
2.  HOSTNAME=basxtststinfl02, DNS=basxtststinfl02.xchanginghosting.com (non-CA Master)
3.  HOSTNAME=basxtststinfl03, DNS=basxtststinfl03.xchanginghosting.com (Agent)

I have configured my second puppet master (non-CA) as follows:

[main]
   dns_alt_names = basxtststinfl02.xchanginghosting.com,basxtststinfl02
   ca_server = basxtststinfl01.xchanginghosting.com

[master]
   ca = false

I removed the original certificate on the non-CA puppet master and regenerated another after the dns_alt_names were added but prior to ca and ca_server.

+ "basxtststinfl01.xchanginghosting.com" (SHA256) E6:5D:56:39:16:22:A0:FD:8A:C1:AF:83:EB:80:94:2D:74:CE:1F:75:D5:3A:F7:92:EF:36:1A:85:4C:EA:58:F2 (alt names: "DNS:basxtststinfl01", "DNS:basxtststinfl01.xchanginghosting.com", "DNS:puppet", "DNS:puppet.xchanginghosting.com")

Is this the correct approach so far?

My virtual host file looks like this:

LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.59/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.59
PassengerDefaultRuby /usr/bin/ruby
PassengerMaxRequests 1000
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
    SSLProxyEngine On
    ProxyPassMatch ^/([^/]+/certificate.*)$ https://basxtststinfl01.xchanginghosting.com:8140/$1

    SSLEngine on
    SSLProtocol             ALL -SSLv2 -SSLv3
    SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder     on

    SSLCertificateFile      /var/lib/puppet/ssl/certs/basxtststinfl02.xchanginghosting.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/basxtststinfl02.xchanginghosting.com.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    RequestHeader unset X-Forwarded-For

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>
</VirtualHost>

NOTE: I removed SSLCertificateChainFile, SSLCACertificateFile and SSLCARevocationFile assuming I don’t need them for non-CA purposes.

The agent has been used many times for other test circumstances so I’ve removed any existing certificates prior to attempting the initial agent run. I then attempt to request a certificate via the non-CA master (basxtststinfl02).

# puppet agent --verbose --onetime --no-daemonize --server basxtststinfl02
Info: Creating a new SSL key for basxtststinfl03.xchanginghosting.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for basxtststinfl03.xchanginghosting.com
Info: Certificate Request fingerprint (SHA256):  85:13:E4:3E:DE:54:24:44:22:07:7E:E9:51:96:CE:88:89:96:82:35:51:97:91:8C:C0:B9:24:42:50:FD:FE:F3
Info: Caching certificate for ca

Looks good so far!

I can then successfully sign the certificate on the CA master (basxtststinfl01). However, after I've signed the certificate and repeat the puppet agent command on the agent I see the following error:

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=basxtststinfl02.xchanginghosting.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://basxtststinfl02/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=basxtststinfl02.xchanginghosting.com]

I've absolutely no clue as to what this error is telling me. Has anyone else been successful with configuring a second master to act as a non-CA? Or does the above error make any sense to anyone?

Dan

1 Answer

I think you are presenting the wrong CA certificate. It should be set to the CA puppet master's ca.pem.

Run the second master's agent against the primary one, after that add this to your puppet master vhost config:

SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem
SSLCARevocationCheck    chain

In case I'm mistaken, I've checked my working secondary master's config, here's what's different to yours:

SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem
SSLCARevocationCheck    chain

RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

ProxyPassMatch ^/([^/]+/certificate.*)$ https://ca.puppet.master:8140/$1

<Location ~ "/[^/]+/certificate">
    PassengerHighPerformance Off
</Location>

That gives you something else to try at least.

fuero

Thank you fuero! Although this wasn't 100% of the answer I was hoping for it certainly provoked further thought on my part and so I've marked it as correct. Thanks again. – Dan Feb 18 '15 at 13:03
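The agent's error in the question and the answer's advice to point the vhost at the CA master's ca.pem describe the same check from two sides: the agent verifies the server certificate that basxtststinfl02 presents against the ca.pem it cached from the CA master, and the master verifies agent client certificates against that same ca.pem. The following is an added example, not code from the question, the answer or Puppet itself; it assumes only the openssl command-line tool and builds a throwaway PKI in a temporary directory (the hostnames are the ones from the question, every key, certificate and file name here is constructed). It shows that a master certificate chained to the real CA verifies cleanly, while the same CSR signed by a different CA (a stand-in for a certificate the non-CA master minted for itself before ca_server was set) fails with exactly the "unable to get local issuer certificate" text from the agent output.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the agent-side
# certificate verification with openssl using a constructed toy PKI.
set -e

WORK=$(mktemp -d)

# Build two CAs and two master certificates from one CSR:
#   ca.pem        - stand-in for the CA master's /var/lib/puppet/ssl/certs/ca.pem
#   rogue-ca.pem  - a CA the agent has never seen
#   master-good.pem - CSR signed by ca.pem (what a non-CA master should present)
#   master-bad.pem  - same CSR signed by rogue-ca.pem (what the agent rejects)
build_toy_pki() {
  dir=$1
  for ca in ca rogue-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" -subj "/CN=toy-$ca" >/dev/null 2>&1
  done
  # subjectAltName extension mirroring dns_alt_names from the question
  printf 'subjectAltName=DNS:basxtststinfl02.xchanginghosting.com,DNS:basxtststinfl02\n' \
    > "$dir/san.cnf"
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/master.key" \
    -out "$dir/master.csr" -subj "/CN=basxtststinfl02.xchanginghosting.com" >/dev/null 2>&1
  openssl x509 -req -in "$dir/master.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/master-good.pem" >/dev/null 2>&1
  openssl x509 -req -in "$dir/master.csr" -CA "$dir/rogue-ca.pem" -CAkey "$dir/rogue-ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/master-bad.pem" >/dev/null 2>&1
}

# The check the agent performs: does the master's server certificate chain to
# the trusted ca.pem? Exit status 0 means yes.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The openssl reason text for a failed verification (empty when it succeeds).
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Does the certificate carry the given DNS subjectAltName? (The agent contacts
# the master by the name given to --server, so it must appear here.)
has_alt_name() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

build_toy_pki "$WORK"

for cert in master-good master-bad; do
  if verify_against_ca "$WORK/ca.pem" "$WORK/$cert.pem"; then
    echo "$cert.pem: chains to ca.pem, the agent would accept it"
  else
    echo "$cert.pem: $(verify_error "$WORK/ca.pem" "$WORK/$cert.pem")"
  fi
done
```

On a real non-CA master the same two commands apply directly: `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/<fqdn>.pem` tells you whether the certificate referenced by SSLCertificateFile was actually issued by the CA master, and the `-text` output tells you whether the alt names match what the agents use.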