Makes sense.
So that's just a certname setting inside the [puppetmasterd] config
section of /etc/puppet.conf on the master, correct? But that needs to be
set as puppet before the puppetmaster is started and any certificates are
signed.
Keeping on this same subject, perhaps you can answer the fileserver.conf
question as well - if a node does not have a signed cert, can it still
access the fileserver, regardless of the allow/deny rules inside
fileserver.conf?
-Matt

On Wed, 19 May 2010, Christopher Johnston wrote:
The masters would get certname = puppet, so the cert filename would end up
being puppet.pem. You can then create a DNS entry for the VIP called
puppet.<domain>.<suffix>. You just have to copy that cert to the secondary
nodes as well as keeping the client certs in sync so when a failover happens
you have the client certs on the failover node.
-Chris

On Wed, May 19, 2010 at 11:45 AM, Matt Juszczak <m...@atopia.net> wrote:
* keepalived to carry the vip
* certname = puppet
* copy the cert from the primary to the secondary
* use a tool to keep /var/lib/puppet/ssl sync'd between the nodes (cron? rsnapshot?)
Might have to get a little creative.. I think you can also do a common CA,
but that wasn't a requirement for my environment.

So I assume you're only talking about certname = puppet on the master, correct?
The clients would still generate hostname based certs?
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.