I'm feeling this pain right now as well. Can your PR add Apache proxy config to reach the CA host (https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic) or is that best served in another PR?

I'm happy to merge this just waiting on the response to @joelesalas comment.

I'm not using apache so it would be great if somebody else can do another PR

Hi Team,

Kindly let me know when this feature will be available and will it also change the passenger config accordingly?

@monisha-bhattacharya I guess @stephenrjohnson will merge it in the next hours/days. This PR just sets "ca = false" in the [master] part of a puppet.conf. It doesn't modify the apache conf. Maybe @joelesalas will create an additional PR for this. I'm working on an implementation with nginx

"ca = false" and "generate_ssl_certs = false" not make sense without changing passenger config. Because Passenger will still require /ca/ca_crt.pem file. According PuppetLabs Passenger configuration docs in case if "ca = false" it should be:
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

As I said, I still need Passenger/Apache in your setup, but thats not my use case. I'm running on nginx/unicorn (see my other PR #74 ), free free to implement implement your apache config changes

@stephenrjohnson could you please take a look at merge it?

added the needed nginx update to actually use this setting here:
bastelfreak@06d74a0

now it is possible to run a puppet CA on a loadbalancer, to run puppet master and CA on the same node or to run a puppet master without CA behind a loadbalancer

@stephenrjohnson could you have a look again?

Is everyone ok with just add that one property then?