Thanks Ohad I have updated the Wiki entry with a warning (where's the <blink> tag?) and references to the bugs on certificate chaining
I'm not 100% comfortable with a single CA, so would it be possible to do the following: ca_server = puppet-ca.example.com rsync the ssl dir every 5 minutes to puppet-ca2.example.com If puppet-ca dies, I would swing the CNAME over to puppet-ca2.example.com Thanks John On 1 September 2010 16:37, Ohad Levy <ohadl...@gmail.com> wrote: > There is an open bug with 0.25.x (and 2.6) which breaks certificate > chaining. > this works well for the 0.24.x series, and I hope that will work again > sometime in the near future with 2.6.x series. > > I would recommend you at the moment to use one machine as the CA, if you > can accept the fact that its a single point of failure for creating new > certificates. > > Ohad > > > On Wed, Sep 1, 2010 at 9:14 AM, Patrick <kc7...@gmail.com> wrote: > >> >> On Aug 31, 2010, at 10:47 PM, John Warburton wrote: >> >> Hi All >> >> I am trying to use the section on Centralised Puppet Infrastructure on the >> Scaling Puppet page - >> http://projects.puppetlabs.com/projects/1/wiki/Puppet_Scalability >> >> No matter what I do, I always end up with the client contacting a puppet >> server and rejecting the configuration with a dreaded "certificate verify >> failed": >> >> err: /File[/var/puppet/confdir/var/lib]: Failed to retrieve current state >> of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server >> certificate B: certificate verify failed Could not retrieve file metadata >> for puppet://engnsvr002.example.com/plugins: SSL_connect returned=1 >> errno=0 state=SSLv3 read server certificate B: certificate verify failed >> >> I have started from completely fresh servers, and repeated this behavior a >> number of times, with clean puppet configs - you can see a very detailed >> working below. >> >> I am stumped as to what to do next, but suspect a number of things: >> - the example given was for Mongrel - is Passenger different? >> - there are a number SSL cert chaining tickets in the issues list >> >> My goal is to have any puppet client be able to talk to any puppet server, >> so that if one.s designated puppet server died, we could repoint its CNAME >> to another puppet server in another datacentre and the client would continue >> working as if nothing happened. Does anyone have a working configuration >> that fits this scenario? >> >> >> I've done it 2 ways. >> 1) Just copy the ca folder to the other servers. (Warning, breaks >> certificate revocation because of duplicate serial numbers) >> 2) Use one server as the ca for everything, but have local servers for >> everything else. (Not as much reliability, but close. You can't sign when >> the ca goes down, but everything else works.) >> >> I have tried using that method, but I've had horrible luck and didn't >> manage to make it work. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To post to this group, send email to puppet-us...@googlegroups.com. >> To unsubscribe from this group, send email to >> puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com> >> . >> For more options, visit this group at >> http://groups.google.com/group/puppet-users?hl=en. >> > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- John Warburton Ph: 0417 299 600 Email: jwarbur...@gmail.com -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.