On Tue, 2011-12-20 at 08:25 -0800, ollies...@googlemail.com wrote:
> 
> On Dec 20, 4:16 pm, Brice Figureau <brice-pup...@daysofwonder.com>
> wrote:
> > On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote:
> > > > That's easy: dedicate two hosts to be CAs only. One is the hot standby of
> > > > the first one. You can either manually bring it up when the first one
> > > > fails, or use something like drbd+pacemaker to do it automatically.
> > > > Then have all your other masters run in "no ca" mode. Each can have a
> > > > different server CN, or they can share the same server certificate.
> > > > This is explained in length in the Pro puppet [1] book if you need.
> >
> > > > > Maybe it's just not possible right now and I am flogging a dead horse
> > > > > and should accept a SPOF for a CA but can easily scale out the
> > > > > puppetmasters fine.
> >
> > > > The simplest architecture for load balanced puppet is the single CA one,
> > > > of course that means you can live with the SPOF. BTW, the SPOF is only
> > > > at certificate signing. In the event your CA becomes unresponsive, it
> > > > won't prevent your actual nodes from getting a catalog.
> >
> > > > I highly recommend you get a copy of the "Pro Puppet" book. It
> > > > contains an extensive chapter on load balancing puppet master (both with
> > > > the SPOF and without it).
> >
> > > Thanks.
> >
> > > Have got a copy of the book and that is what I was working from. As per the
> > > example in the book it's fine running the CAs in the localhost sort of mode,
> > > but when switching from localhost to other servers off the load-balancer
> > > server I get the cert errors:
> >
> > > err: /File[/var/lib/puppet/lib]: Failed to generate additional
> > > resources using 'eval_generate: certificate verify failed.  This is
> > > often because the time is out of sync on the server or client
> >
> > > Do I have to clean out the puppetmaster setup on the load-balancer
> > > host ?
> >
> > > On the CA servers I removed the ssldir and ran "puppet master" to
> > > generate new SSL data.
> >
> > > Then with a new client I get the new cert generated but then the above
> > > error.
> >
> > That's expected because when the client connects to one of your
> > loadbalanced server it receives a certificate that was signed/generated
> > under the previous CA. You actually need your loadbalanced masters to
> > get a certificate from your current CA. This certificate will then be
> > used when talking to your nodes.
> 
> But the Apache LB settings are sending the certificate stuff to the
> separate CA server (I can see this in the logs) and the CA has the signed
> cert in "puppet cert --list --all", but it still complains on the client.

The client is supposed to validate the server certificate. It does this
by checking the certificate the server sent against its locally cached
CA certificate.

In your case, depending on how your LB is working, it might be that the
SSL endpoint is your LB, in which case this is the one that will send
the server certificate. Make sure this one sends a certificate that was
generated by the loadbalanced CA.

-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
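The failure mode discussed in this thread, reproduced locally as an added example (not from the thread, and not Puppet's own code): an agent that enrolled after the CA was rebuilt has the new CA certificate cached, so any TLS endpoint (here, the load balancer) still presenting a server certificate signed by the old CA fails verification, exactly like the "certificate verify failed" error above. The CA names, hostnames and the temporary directory are assumptions chosen for the example; the verification step uses plain openssl rather than the puppet agent so it runs offline.

```shell
#!/bin/sh
# Added example: why an agent rejects a load balancer whose server cert
# was issued by a CA that has since been replaced. Names are hypothetical.
set -eu
WORK=$(mktemp -d)

# Create a self-signed CA certificate/key pair named $1 (stands in for a
# puppet CA's ssldir contents; the CN is an assumption).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=Puppet CA: $1" >/dev/null 2>&1
}

# Issue a server certificate for CN $2, signed by CA $1
# (what the CA does when it signs a master's or LB's certificate request).
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The check the agent performs: validate the certificate presented by the
# TLS endpoint ($2) against the CA certificate cached in its ssldir ($1).
# Prints "verified" or "verify failed".
agent_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "verified"
  else
    echo "verify failed"
  fi
}

make_ca old-ca                                        # CA before the ssldir was wiped
make_ca new-ca                                        # CA regenerated afterwards
issue_server_cert old-ca puppet-lb.example.com        # LB still carries its old cert
issue_server_cert new-ca puppet-master1.example.com   # master re-certified under new CA

# An agent enrolled after the rebuild trusts new-ca.pem only.
agent_check "$WORK/new-ca.pem" "$WORK/puppet-lb.example.com.pem"
agent_check "$WORK/new-ca.pem" "$WORK/puppet-master1.example.com.pem"
```

The first call prints "verify failed" and the second "verified": the endpoint that terminates TLS must present a certificate issued by the CA the agents currently cache, whichever host that endpoint is. Against a live setup the equivalent check is `openssl s_client -connect <lb>:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem` run from an agent, reading the "Verify return code" line.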