Multiple PuppetServers with Single CA

Problem:
I am trying to set up 2 PuppetServers. 1 Puppet Server has the PuppetCA and the other should proxy CA requests. I am using the theforeman-puppet module for orchestrating.

  • puppetserver1 has both puppetserver and puppetca installed
  • puppetserver2 has only puppetserver installed

puppetserver2’s puppet configuration

server_implementation => puppetserver
server_ca             => false
ca_server             => puppetserver1
server_ca_proxy       => puppetserver1

Expected outcome:
Puppet agents connected to puppetserver2 will get their CA from puppetserver1.

Foreman and Proxy versions:
1.16.0

Hi,

this is something @Chris_Duryee and I were trying to do the other day too, and we ended up setting ca_server on each client to puppetserver1, as the ca_proxy feature of theforeman-puppet only works for Puppet masters running inside Passenger, not as a standalone Puppetserver.

Chris can tell you more details.

Evgeni

Ya, if you are using the older Passenger puppetserver, you can add proxypass rules to your httpd to send the CA request to a different server (in your case server 2 would proxypass to server 1) and do SSL termination in httpd[1]. However, you may need to set “allow-header-cert-info” on your signing server which is a security risk, since you are sending requests from server 2 to server 1 (not client to server 1), and server 1 has to honor those requests. This may or may not be OK in your environment.

A less complex option is to use “ca_server” and “ca_port” on your clients. This lets the clients reach out to server 1 for their certs, and then either server 1 or server 2 for checkins. This is the recommended method in the puppetlabs scaling doc [2]. You can also set an SRV record which basically does the same thing, but puts the configuration in DNS instead of on the client filesystem.

[1] https://puppet.com/docs/puppetserver/5.1/external_ssl_termination.html
[2] https://puppet.com/docs/puppetserver/5.2/scaling_puppet_server.html#centralizing-the-certificate-authority
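As an added illustration of the agent-side approach described in this reply (this is not code from the thread or from theforeman-puppet), the script below renders the `[agent]` settings that send CA traffic to puppetserver1 while catalog checkins stay on whichever server the agent talks to, renders the equivalent DNS SRV records, and applies the settings with `puppet config set` when the agent binary is present. The hostnames `puppetserver1.example.com`, `puppetserver2.example.com` and the domain `example.com` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames and domain below are
# assumptions; replace them with your own.
CA_SERVER="${CA_SERVER:-puppetserver1.example.com}"   # host running the Puppet CA
CA_PORT="${CA_PORT:-8140}"                            # Puppet Server listen port

# Render the [agent] section that routes only CA requests to the CA host.
# Catalog/report traffic still goes to the agent's normal "server" setting.
render_agent_section() {
  ca_host="$1"
  ca_port="$2"
  printf '[agent]\nca_server = %s\nca_port = %s\n' "$ca_host" "$ca_port"
}

# Equivalent DNS-based form: with use_srv_records=true and srv_domain set,
# the agent looks up _x-puppet-ca._tcp for CA traffic and _x-puppet._tcp
# for everything else, so the split lives in DNS rather than on each client.
#   $1 = srv_domain, $2 = CA host, $3 = CA port, $4 = catalog server host
render_srv_records() {
  printf '_x-puppet-ca._tcp.%s. IN SRV 0 5 %s %s.\n' "$1" "$3" "$2"
  printf '_x-puppet._tcp.%s. IN SRV 0 5 8140 %s.\n' "$1" "$4"
}

# Apply the settings on an agent and echo them back for verification.
# Falls back to printing the rendered section when puppet is not installed.
apply_with_puppet() {
  if command -v puppet >/dev/null 2>&1; then
    puppet config set ca_server "$CA_SERVER" --section agent
    puppet config set ca_port "$CA_PORT" --section agent
    puppet config print ca_server ca_port --section agent
  else
    echo "puppet not found; the agent section would be:" >&2
    render_agent_section "$CA_SERVER" "$CA_PORT" >&2
  fi
}

# Usage: sh this_script.sh apply   (on an agent host)
case "${1:-}" in
  apply) apply_with_puppet ;;
esac
```

Because puppetserver2 never terminates TLS on behalf of puppetserver1 in this model, puppetserver1 keeps verifying each client certificate itself and `allow-header-cert-info` can stay off. The SRV form is the one to pick when the client filesystem is not under your control but DNS is.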

The nodes connected to Puppet Server 2 cannot connect to Puppet Server 1 due to firewall policies.

I don’t want to go back to using passenger as I am happy with jetty/puppetserver. Assuming this, what are my options?

  • Can Puppet Server 2 have its own CA? If so, how do I manage that with Foreman?
  • Can I set up an Apache server on Puppet Server 2 while still using jetty/puppetserver, and set up proxying of CA requests to Puppet Server 1?

Thanks