Thanks for all the help but I have failed in this and decided to change tack a little. With no better results :)
Here is what the current attempt is. 2 Apache Load-Balancers which will be CAs and therefore entry points for clients. These will be in an active/standby solution on RHEL6 with heartbeat. The virtual IP will be called puppet.domain.fqdn; the physical node names will be different, of course.

The PuppetMaster processes will be a load-balanced pool underneath to allow the horizontal scaling, and with active/standby LBs and CAs it should not have a SPOF. Client will then connect to the VIP, which will do the certificate checks on the LB server and then pass to the puppetmaster pool. Load-Balancer/CA structures kept in place with rsync or some-such.

Still failing with the CA set up against its real name, set up with generate on the puppet.domain.fqdn name, and set up with certname = puppet.domain.fqdn and then calling puppet master, removing the ssldir between each. They all failed to allow clients to get a valid cert:

    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

Now I just assume I am being brain-dead and doing silly things with fatigue to get this working with a VIP. Or is this setup without a SPOF really just not possible?

Thanks
Paul
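The error quoted above says the certificate the agent retrieved was not issued for the private key the agent currently holds. As an added example (not part of the original post and not Puppet's own code), this script uses the openssl CLI to compare one agent key against several certificate copies, such as the agent's copy and the signed copy stored on each CA node; the function names, file names and fixture are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Requires the openssl CLI; all names here are constructed.

# Public key (PEM) embedded in a certificate / derived from a private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = certificate was issued for this key, 1 = different key, 2 = unreadable input.
cert_matches_key() {
    local c k
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Compare one agent key with every certificate copy given.
# Prints one line per certificate; returns the number that do not match.
audit_certs() {
    local key=$1 bad=0 rc cert
    shift
    for cert in "$@"; do
        rc=0
        cert_matches_key "$cert" "$key" || rc=$?
        case $rc in
            0) echo "MATCH      $cert" ;;
            1) echo "MISMATCH   $cert"; bad=$((bad + 1)) ;;
            *) echo "UNREADABLE $cert"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed fixture: an agent that regenerated its key (new.key) while a
# certificate issued for the previous key (old.crt) still exists.
make_fixture() {
    local d=$1 n
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=agent.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.crt" >/dev/null 2>&1 || return 1
    done
}

# Usage: script AGENT_KEY CERT [CERT...]
[ "$#" -lt 2 ] || audit_certs "$@"
```

The exit status is the number of certificate copies that do not belong to the key, so a non-zero result points at the copies that would need to be removed before the agent requests a new certificate.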