Multiple PuppetServers with Single CA

I am trying to setup 2 PuppetServers. 1 Puppet Server has the PuppetCA and the other should proxy CA requests. I am using theforeman-puppet module for orchestrating.

  • puppetserver1 has both puppetserver and puppetca installed
  • puppetserver2 has only puppetserver installed

puppetserver2’s puppet configuration

server_implementation => puppetserver
server_ca             => false
ca_server             => puppetserver1
server_ca_proxy       => puppetserver1

Expected outcome:
puppet agents connected to puppetserver2 will get CA from puppetserver 1

Foreman and Proxy versions:


this is something @Chris_Duryee and I were trying to do the other day too, and we ended up setting ca_server on each client to puppetserver1, as the ca_proxy feature of theforeman-puppet only works for Puppet masters running inside Passenger, not as a standalone Puppetserver.

Chris can tell you more details.


Ya, if you are using the older Passenger puppetserver, you can add proxypass rules to your httpd to send the CA request to a different server (in your case server 2 would proxypass to server 1) and do SSL termination in httpd[1]. However, you may need to set “allow-header-cert-info” on your signing server which is a security risk, since you are sending requests from server 2 to server 1 (not client to server 1), and server 1 has to honor those requests. This may or may not be OK in your environment.

A less complex option is to use “ca_server” and “ca_port” on your clients. This lets the clients reach out to server 1 for their certs, and then either server 1 or server 2 for checkins. This is the recommended method in the puppetlabs scaling doc [2]. You can also set an SRV record which basically does the same thing, but puts the configuration in DNS instead of on the client filesystem.


The nodes connected to Puppet Server 2 cannot connect to Puppet Server 1 due to firewall policies.

I don’t want to go back to using passenger as I am happy with jetty/puppetserver. Assuming this, what are my options?

  • Can Puppet Server 2 have its own CA? If so, how do I manage that with foreman?
  • Can I setup an apache server on Puppet Server 2 while still using jetty/puppetserver and setup proxying CA requests to puppet server 1?