I'm trying to scale puppetserver, in order to have redundancy, using round robin DNS. The secondary puppetserver (version 7.4.0) is configured to use the CA authority from the primary puppetserver:
/etc/puppetlabs/puppet/puppet.conf:
[main]
ca_name = Puppet CA: puppet-ca-master.company.com
ca_server = puppet-ca-master.company.com
[agent]
server = puppet-ca-master.company.com
runinterval=1800
On the secondary server I've disabled the CA service, as there can be only a single certificate authority, in /etc/puppetlabs/puppetserver/services.d/ca.cfg:
# To enable the CA service, leave the following line uncommented
# puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service
I've removed the certificates from the secondary, in order to fetch a signed certificate from the CA master:
rm -rf /etc/puppetlabs/puppet/ssl && mkdir -p /etc/puppetlabs/puppet/ssl/certs
chmod 0700 /etc/puppetlabs/puppet/ssl
chown -R puppet /etc/puppetlabs/puppet/ssl
However the puppetserver service refuses to start because of a missing certificate:
2021-09-30T09:06:18.220+02:00 ERROR [async-dispatch-2] [p.t.internal] Error during service start!!!
java.lang.IllegalArgumentException: Unable to open 'ssl-cert' file: /etc/puppetlabs/puppet/ssl/certs/secondary-puppetserver.company.com.pem
When I try to run puppet agent -t on the secondary puppetserver it fails to sign the certificate:
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (secondary-puppetserver.company.com)
Moreover, the private key gets generated, but not a public one:
ll /etc/puppetlabs/puppet/ssl/public_keys/
total 0
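As an added check, not part of the original question or of Puppet's own tooling: the two errors above (puppetserver refusing to start on a missing ssl-cert file, and the agent run leaving only a private key behind) are both visible in the state of the ssldir, so it is worth having a script that reports exactly which of the expected files are present and, once a certificate has arrived, whether it really chains to the CA bundle the server trusts and matches the private key it will load. The function below assumes openssl in PATH and Puppet's default ssldir layout (certs/ca.pem, certs/<fqdn>.pem, private_keys/<fqdn>.pem, public_keys/<fqdn>.pem); the function name and the return codes are my own.

```shell
#!/bin/sh
# check_puppet_ssldir SSLDIR FQDN
#   Report the state of a Puppet ssldir for a given certname and verify the
#   node certificate. Added example, not part of Puppet; assumes openssl and
#   the default ssldir layout. Return codes (chosen here, not Puppet's):
#     0 all files present and consistent
#     1 one or more expected files missing
#     2 certs/FQDN.pem does not chain to certs/ca.pem
#     3 certs/FQDN.pem does not match private_keys/FQDN.pem
#     4 certificate subject CN is not FQDN
check_puppet_ssldir() {
    ssldir=$1
    fqdn=$2
    rc=0

    # Step 1: presence of every file puppetserver/agent will try to open.
    for f in "certs/ca.pem" "certs/$fqdn.pem" \
             "private_keys/$fqdn.pem" "public_keys/$fqdn.pem"; do
        if [ -f "$ssldir/$f" ]; then
            echo "ok      $f"
        else
            echo "MISSING $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # Step 2: the node cert must be signed by the CA in certs/ca.pem, which is
    # the CA every agent pinned to puppet-ca-master trusts.
    if openssl verify -CAfile "$ssldir/certs/ca.pem" \
                      "$ssldir/certs/$fqdn.pem" >/dev/null 2>&1; then
        echo "ok      certs/$fqdn.pem chains to certs/ca.pem"
    else
        echo "FAIL    certs/$fqdn.pem does not chain to certs/ca.pem"
        rc=2
    fi

    # Step 3: the public key inside the cert must equal the public key derived
    # from the private key puppetserver will load as ssl-key.
    cert_pub=$(openssl x509 -in "$ssldir/certs/$fqdn.pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$ssldir/private_keys/$fqdn.pem" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok      certs/$fqdn.pem matches private_keys/$fqdn.pem"
    else
        echo "FAIL    certs/$fqdn.pem does not match private_keys/$fqdn.pem"
        rc=3
    fi

    # Step 4: the subject CN must be the certname the server presents, or
    # agents will fail hostname verification against it.
    subj=$(openssl x509 -in "$ssldir/certs/$fqdn.pem" -noout -subject 2>/dev/null || true)
    case "$subj" in
        *"CN = $fqdn"*|*"CN=$fqdn"*) echo "ok      subject CN is $fqdn" ;;
        *) echo "FAIL    subject is '$subj', expected CN $fqdn"; rc=4 ;;
    esac
    return "$rc"
}

# Usage on the secondary from the question:
#   check_puppet_ssldir /etc/puppetlabs/puppet/ssl secondary-puppetserver.company.com
```

Run against the ssldir in the question, the presence check reports certs/secondary-puppetserver.company.com.pem and public_keys/secondary-puppetserver.company.com.pem as MISSING, which is the same file the puppetserver startup error names; the chain and key-match steps only become meaningful once a certificate signed by the CA master has been placed there.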