Makes sense.

So that's just a certname setting inside the [puppetmasterd] config section of /etc/puppet.conf on the master, correct? But that needs to be set as puppet before the puppetmaster is started and any certificates are signed.

Keeping on this same subject, perhaps you can answer the fileserver.conf question as well - if a node does not have a signed cert, can it still access the fileserver, regardless of the allow/deny rules inside fileserver.conf?

-Matt

On Wed, 19 May 2010, Christopher Johnston wrote:

The masters would get certname = puppet, so the cert filename would end up being puppet.pem. You can then create a DNS entry for the VIP called puppet.<domain>.<suffix>. You just have to copy that cert to the secondary nodes as well as keeping the client certs in sync so when a failover happens you have the client certs on the failover node.

-Chris

On Wed, May 19, 2010 at 11:45 AM, Matt Juszczak <m...@atopia.net> wrote:
    * keepalived to carry the vip
    * certname = puppet
    * copy the cert from the primary to the secondary
    * use a tool to keep /var/lib/puppet/ssl sync'd between the nodes (cron? rsnapshot?)

    Might have to get a little creative.. I think you can also do a common CA, but that wasn't a requirement for my environment.


So I assume you're only talking about certname = puppet on the master, correct? The clients would still generate hostname based certs?

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
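The failover recipe discussed in this thread (shared master cert, /var/lib/puppet/ssl copied to the secondary, kept in sync by cron or similar) leaves one gap a practitioner would want closed: knowing that the secondary's copy actually matches the primary before keepalived moves the VIP. The script below is an added example written for this page, not code from the thread, Puppet, or keepalived. It assumes nothing about Puppet beyond the directory layout the thread names; the sync uses cp -pR as a stand-in for whatever tool is chosen, the source and destination paths are parameters, and the tree built by demo_ha_ssl is constructed so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a failover puppetmaster's
# copy of /var/lib/puppet/ssl identical to the primary's, and prove it
# before trusting a keepalived failover. All paths are parameters; the
# sample tree built in demo_ha_ssl is constructed for an offline dry run.

# ssl_manifest DIR
# Print one "path crc size" line per regular file under DIR, sorted, so two
# trees can be compared as text. The CRC is for drift detection between two
# hosts you control, not for integrity against tampering; the key material
# itself is protected by filesystem permissions, which ssl_keys_private checks.
ssl_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1,2)"
      done )
}

# ssl_sync SRC DST
# Copy the tree preserving modes and timestamps. A cron job on the primary
# would call this against the secondary over a mount or ssh; rsync -a is the
# usual drop-in. DST is removed first so a revoked or regenerated cert does
# not linger on the failover node.
ssl_sync() {
    src=$1; dst=$2
    rm -rf "$dst" && mkdir -p "$(dirname "$dst")" && cp -pR "$src" "$dst"
}

# ssl_verify SRC DST
# Return 0 when both trees contain the same files with the same contents,
# otherwise print both manifests to stderr and return 1.
ssl_verify() {
    a=$(ssl_manifest "$1"); b=$(ssl_manifest "$2")
    if [ "$a" = "$b" ]; then return 0; fi
    printf 'SSL tree drift between %s and %s\n--- primary\n%s\n--- secondary\n%s\n' \
        "$1" "$2" "$a" "$b" >&2
    return 1
}

# ssl_keys_private DIR
# Return 0 unless some private key under DIR is readable by "other". cp -p
# keeps modes, but a careless scp or tar extract can loosen them on the
# secondary, which is worth catching before that host serves as the master.
ssl_keys_private() {
    [ -z "$(find "$1/private_keys" -type f -perm -004 2>/dev/null)" ]
}

# demo_ha_ssl
# Build a constructed primary tree, sync it, verify, then simulate drift
# (the primary signs another client cert) and confirm verification fails
# until the next sync. Returns 0 when every check behaved as expected.
demo_ha_ssl() {
    tmp=$(mktemp -d) || return 1
    primary=$tmp/primary/ssl; secondary=$tmp/secondary/ssl
    mkdir -p "$primary/certs" "$primary/private_keys" "$primary/ca/signed"
    echo "constructed: master cert named puppet.pem" > "$primary/certs/puppet.pem"
    echo "constructed: master private key" > "$primary/private_keys/puppet.pem"
    echo "constructed: signed client cert node1" > "$primary/ca/signed/node1.pem"
    chmod 700 "$primary/private_keys"; chmod 600 "$primary/private_keys/puppet.pem"

    ssl_sync "$primary" "$secondary" || return 1
    ssl_verify "$primary" "$secondary" || return 1
    ssl_keys_private "$secondary" || return 1

    # The primary signs a new node; the secondary is stale until the next sync.
    echo "constructed: signed client cert node2" > "$primary/ca/signed/node2.pem"
    if ssl_verify "$primary" "$secondary" 2>/dev/null; then return 1; fi

    ssl_sync "$primary" "$secondary" && ssl_verify "$primary" "$secondary" || return 1
    rm -rf "$tmp"
}

demo_ha_ssl && echo "ha ssl checks passed"
```

Run ssl_verify from a keepalived notify script or from the same cron job that performs the sync, and refuse to promote the secondary (or page someone) when it returns non-zero; a secondary that holds yesterday's ca/signed directory will reject any client whose cert was signed since the last copy.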
