Bug #3120

'localcacert' doesn't behave as described

Added by eric sorenson over 2 years ago. Updated 7 months ago.

Status: Needs Decision
Priority: Normal
Assignee: Nick Fagerlund
Category: SSL
Target version: -
Affected Puppet version: 0.25.1
Branch:
Start date: 01/27/2010
Due date:
% Done: 0%
Keywords: ssl certificate ca
Votes: 1

Description

I’ve been grappling with the problem of getting multiple CA certificates set up, one per puppetmaster, as described in MultipleCertificateAuthorities on the wiki. The overall goal is to be able to have N puppetmasters who all issue certificates and trust each other’s certs so no additional bootstrapping would be needed to get clients up and running. This is way tougher than I expected, and I think at least part of it is some confusing behaviour on puppet’s part, to wit:

The docs for the ‘localcacert’ variable say:

    # Where each client stores the CA certificate.
    # The default value is '$certdir/ca.pem'.
    localcacert = /etc/puppet/ssl/certs/ca.pem

The docs suggest this ought to be the ca’s certificate or bundle. But what seems to be happening is that on the puppetmaster, this cert is used as the CA Cert for signing requests, overriding the value of ‘cacert’, and causing ‘key and certificate don’t match’ errors thrown from Puppet::SSL::Host.certificate.

I notice that Markus recently changed this part of the code for #2890 but at a glance it looks like this would continue.

To reproduce:

  • specify different certificates for cacert and localcacert
  • request a certificate
  • be surprised at which one issues your client’s cert

More generally it would be great if somebody in the know took a look at the wiki docs for this and beat them into shape to make a better supported / less voodoo way to set up multiple masters. PuppetScalability and MultipleCertificateAuthorities have “hey it worked for me…sorta” type of docs.

What I’ve done to get things working is followed Paul Lathrop’s post: http://groups.google.com/group/puppet-users/msg/89b75ebe91c5985b which definitely simplifies things, but isn’t written up anywhere. I’ll be happy to do that if it turns out to be the best way but it’d be good to get a ruling on whether I’m doing something wrong with the chained CA setup first.

Thanks
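As an added illustration (not code from this ticket or from Puppet itself), the following Ruby/OpenSSL script builds two throwaway CAs and performs the two checks the report turns on: which CA actually signed an agent certificate, and whether the CA private key pairs with the certificate it is handed (the condition behind a ‘key and certificate don’t match’ error). The names `puppet-ca`, `other-ca` and `agent.example.com` are constructed for the example.

```ruby
require 'openssl'

# Build an X.509 certificate for `key`; self-signed CA when no issuer is given,
# otherwise an end-entity certificate signed by ca_key/ca_cert.
def build_cert(cn, key, ca_key: nil, ca_cert: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca_cert ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(ca_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Which of the candidate CA certificates actually signed `cert`?
# Returns that CA's subject (e.g. "/CN=other-ca"), or nil if none verifies.
def issuing_ca(cert, ca_certs)
  ca = ca_certs.find { |c| cert.verify(c.public_key) }
  ca && ca.subject.to_s
end

# Does this private key belong to the certificate? This is the pairing that
# fails when the CA key is used with a certificate issued by a different CA.
def key_matches?(key, cert)
  cert.check_private_key(key)
end

# Constructed scenario: the CA key pairs with the cert in 'cacert', but the
# cert placed in 'localcacert' belongs to another CA, which issued the agent cert.
def demo
  ca_key     = OpenSSL::PKey::RSA.new(2048)
  ca_cert    = build_cert('puppet-ca', ca_key)      # what 'cacert' should point at
  other_key  = OpenSSL::PKey::RSA.new(2048)
  other_ca   = build_cert('other-ca', other_key)    # a different cert in 'localcacert'
  agent_key  = OpenSSL::PKey::RSA.new(2048)
  agent_cert = build_cert('agent.example.com', agent_key, ca_key: other_key, ca_cert: other_ca)
  {
    issuer: issuing_ca(agent_cert, [ca_cert, other_ca]),
    cakey_matches_cacert: key_matches?(ca_key, ca_cert),
    cakey_matches_localcacert: key_matches?(ca_key, other_ca)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it against real files (`cacert`, `cakey`, `localcacert` and an agent cert read with `OpenSSL::X509::Certificate.new(File.read(...))`) tells you directly which CA issued the agent cert and whether the CA key matches the cert the master is loading.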


Related issues

related to Puppet - Bug #3961: puppetca doesn't generate certificate in $certdir. Closed 06/08/2010
related to Puppet - Bug #3770: Puppet SSL verification is broken with multiple chained ce... Accepted 04/22/2010 04/22/2010
related to Puppet - Bug #3640: Added CRL disable option Closed 04/21/2010

History

Updated by James Turnbull over 2 years ago

  • Category set to SSL
  • Status changed from Unreviewed to Investigating
  • Target version set to 0.25.5

Updated by James Turnbull about 2 years ago

  • Target version changed from 0.25.5 to 49

Updated by James Turnbull over 1 year ago

  • Target version deleted (49)

Updated by James Turnbull 7 months ago

  • Status changed from Investigating to Needs Decision
  • Assignee set to Nick Fagerlund

Nick – do you think this is an issue with documentation?
