> That's easy: dedicate two hosts to be CAs only. One is the hot standby of
> the first one. You can either manually bring it up when the first one
> fails, or use something like drbd+pacemaker to do it automatically.
> Then have all your other masters run in "no ca" mode. Each can have a
> different server CN, or they can share the same server certificate.
> This is explained at length in the Pro Puppet [1] book if you need.
>
> > Maybe it's just not possible right now and I am flogging a dead horse
> > and should accept a SPOF for a CA but can easily scale out the
> > puppetmasters fine.
>
> The simplest architecture for load balanced puppet is the single CA one,
> of course that means you can live with the SPOF. BTW, the SPOF is only
> at certificate signing. In the event your CA becomes unresponsive, it
> won't prevent your actual nodes from getting a catalog.
>
> I highly recommend you to get a copy of the "Pro Puppet" book. It
> contains an extensive chapter on load balancing puppet master (both with
> the SPOF and without it).

Thanks.

Have got a copy of the book and that is what I was working from. As per the
example in the book it's fine running the CAs in the localhost sort of mode,
but when switching from localhost to other servers off the load-balancer
server I get the cert errors:

err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources using 'eval_generate: certificate verify failed.  This is
often because the time is out of sync on the server or client


Do I have to clean out the puppetmaster setup on the load-balancer host?

On the CA servers I removed the ssldir and ran "puppet master" to generate
new ssl data.

Then with a new client I get the new cert generated but then the above error.

