No, I am not using environments with this setup; curious how that would
make a difference if the module base is identical for all of my production
hosts.

By using a subject altname on the cert, would that allow for a distributed
certificate for all my hosts in that specific environment?  Since each
datacenter has its own two puppetmasters, they also have their own DNS
domain suffix, so that could work.

On Sat, Mar 13, 2010 at 11:47 AM, Nigel Kersten <[email protected]> wrote:

> On Sat, Mar 13, 2010 at 8:43 AM, Christopher Johnston
> <[email protected]> wrote:
> > Sorry for the late response.  That feature looks attractive, but not
> > feasible at this state.  I am still running .24 version of puppet which is
> > working great (although performance could be slightly better!) and I wasn't
> > looking to do an upgrade to .25 for at least a month or two as bugs iron
> > out.
> >
> > Essentially my setup consists of a central git server and a puppetmaster in
> > our main site.  In my remote locations I have two puppetmasters running in a
> > cluster using a VIP for its IP address.  Since the physical hostname could
> > potentially change during a failover situation along with the keys not being
> > there (I could put the ssl certs on shared storage or sync them from hostA
> > to hostB via rsnapshot via cron) I will end up running into issues with the
> > certs.
>
> Are you using environments with this setup? You're going to have
> undesirable side effects if you are with 0.24.x and a VIP.
>
>
> > The question I have is what is the best way to manage SSL certs in a more
> > distributed fashion by using a shared certificate.  I don't want to rely on
> > a single instance of puppetmasterd to provide certs as that is a SPOF to me
> > and since my remote sites are distant on the network my preference is to use
> > the local hostA and hostB servers as puppetmasters and ssl servers with
> > direct git clones (git pull when a major commit is tested in
> > development/lab).  I also use autosign so certs get created on demand.
>
> Is a subject altname on the SSL cert with wildcards for your domain
> acceptable?
>
> >
> > -Chris
> >
> > On Sat, Mar 13, 2010 at 5:50 AM, Alan Barrett <[email protected]> wrote:
> >>
> >> On Fri, 12 Mar 2010, Christopher Johnston wrote:
> >> > Reason I am asking is I am having a bunch of SSL issues in production
> >> > right now, I need to disable SSL until I get things fixed.
> >>
> >> As a workaround, perhaps you could use the
> >> standalone compile/apply feature (new in 0.25); see
> >>
> >> <http://reductivelabs.com/trac/puppet/wiki/ReleaseNotes#command-line-compile-apply>.
> >>
> >> --apb (Alan Barrett)
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Puppet Users" group.
> >> To post to this group, send email to [email protected].
> >> To unsubscribe from this group, send email to
> >> [email protected].
> >> For more options, visit this group at
> >> http://groups.google.com/group/puppet-users?hl=en.
> >>
> >
>
>
>
> --
> nigel
>
>
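
Added example (not part of the thread or of Puppet's code): a check of which puppetmaster names a given set of subject altname entries would cover, using the usual rule that a wildcard stands for exactly one left-most label. The `example.com` names, the `dc1`/`dc2` suffixes and the idea that agents connect to a `puppet` VIP name are constructed assumptions.

```python
# Added example: SAN entries and hostnames below are constructed for illustration.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    A wildcard is honoured only as the entire left-most label and stands in
    for exactly one label, so "*.example.com" does not cover
    "puppet.dc1.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def uncovered(san_list, hostnames):
    """Return the hostnames that no SAN entry covers."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


# Constructed layout: a VIP name plus two physical masters per datacenter,
# each datacenter with its own DNS suffix.
MASTER_NAMES = [
    "puppet.dc1.example.com", "hosta.dc1.example.com", "hostb.dc1.example.com",
    "puppet.dc2.example.com", "hosta.dc2.example.com", "hostb.dc2.example.com",
]

# One wildcard for the parent domain covers none of the names above.
PARENT_WILDCARD = ["*.example.com"]
# One wildcard per datacenter suffix covers the VIP and both masters.
PER_DC_WILDCARDS = ["*.dc1.example.com", "*.dc2.example.com"]
# Narrowest option (assumes agents only ever connect to the VIP name).
VIP_ONLY = ["puppet.dc1.example.com", "puppet.dc2.example.com"]

if __name__ == "__main__":
    for label, sans in [("parent wildcard", PARENT_WILDCARD),
                        ("per-DC wildcards", PER_DC_WILDCARDS),
                        ("VIP names only", VIP_ONLY)]:
        print(f"{label}: not covered -> {uncovered(sans, MASTER_NAMES)}")
```

A certificate shared between hostA and hostB also means its private key lives on both machines, so the narrower the name list, the less a copied key can impersonate.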
