I'm setting up Puppetdb with SSL and having issues with certificates.
I'm using Nginx as an SSL proxy for Puppet, so my CA is managed by a mongrel server on this Nginx proxy machine.
If I generate a certificate for my Puppetdb URI using the CA on the Nginx machine, I'm able to set up the Puppetdb using the puppetlabs-puppetdb
module (since the Puppet agent uses the proxy's CA), but then the Puppetmaster cannot connect to it, because it has its own CA certificate which it generates itself.
If I generate a certificate for the Puppetdb URI using one of the Puppetmasters, I cannot deploy the Puppetdb using the puppetlabs-puppetdb
module since the Puppet agent doesn't use the same CA certificate.
What could I do to reconcile all this? Can I fully turn off SSL on my puppetmasters (since SSL is managed by the Nginx proxy) and have them use the proxy's CA to connect to the Puppetdb?
I was using a wrong setup for my puppetmasters, namely, letting them create their own CA in a separate directory. This link cleared it up. I now:
- /var/lib/puppet/ssl directory). This ensures that it uses the same CA for both modes;
- ca=false on the puppetmaster (section master) so the puppetmaster won't complain about using another CA than his own;
- certname= for puppetmasters and let them use the machine's name as done in agent mode.
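The puppet.conf layout the answer describes, written out as an added illustration rather than the answerer's own file; the section names, the placement of ssldir under [main] and the "before" values are assumptions:

```ini
# Before (constructed example of the problem setup): the master keeps a
# separate ssldir and an explicit certname, so it generates and trusts
# its own CA instead of the one the agent and the Nginx proxy use.
#[master]
#ssldir   = /var/lib/puppet/master-ssl
#certname = puppetmaster-internal
#ca       = true

# After: one ssldir shared by agent and master modes, the master does
# not act as a CA, and no certname override, so the master presents the
# machine's own certificate, the same one its agent mode obtained from
# the proxy's CA.
[main]
ssldir = /var/lib/puppet/ssl

[master]
ca = false
```

To confirm both modes agree, `puppet config print ssldir --section master` and `puppet config print ssldir --section agent` should return the same path.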