Re: [Puppet Users] Puppet Scalability - Centralised Puppet SSL Cert Issues
On Aug 31, 2010, at 10:47 PM, John Warburton wrote:

> Hi All
>
> I am trying to use the section on Centralised Puppet Infrastructure on the Scaling Puppet page - http://projects.puppetlabs.com/projects/1/wiki/Puppet_Scalability
>
> No matter what I do, I always end up with the client contacting a puppet server and rejecting the configuration with a dreaded certificate verify failed:
>
> err: /File[/var/puppet/confdir/var/lib]: Failed to retrieve current state of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://engnsvr002.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>
> I have started from completely fresh servers, and repeated this behavior a number of times, with clean puppet configs - you can see a very detailed working below.
>
> I am stumped as to what to do next, but suspect a number of things:
> - the example given was for Mongrel - is Passenger different?
> - there are a number of SSL cert chaining tickets in the issues list
>
> My goal is to have any puppet client be able to talk to any puppet server, so that if one's designated puppet server died, we could repoint its CNAME to another puppet server in another datacentre and the client would continue working as if nothing happened.
>
> Does anyone have a working configuration that fits this scenario?

I've done it 2 ways.

1) Just copy the ca folder to the other servers. (Warning, breaks certificate revocation because of duplicate serial numbers)
2) Use one server as the ca for everything, but have local servers for everything else. (Not as much reliability, but close. You can't sign when the ca goes down, but everything else works.)

I have tried using that method, but I've had horrible luck and didn't manage to make it work.

--
You received this message because you are subscribed to the Google Groups Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Puppet Scalability - Centralised Puppet SSL Cert Issues
There is an open bug with 0.25.x (and 2.6) which breaks certificate chaining. This works well for the 0.24.x series, and I hope that will work again sometime in the near future with 2.6.x series.

I would recommend you at the moment to use one machine as the CA, if you can accept the fact that it's a single point of failure for creating new certificates.

Ohad
Re: [Puppet Users] Re: Change date format in puppet-dashboard
I think that implementing the desired behaviour you've specified would definitely be a move in the right direction. Putting site-wide settings in one place would avoid confusion and frustration!

Regards,
Brett

On 27 Aug 2010, at 23:38, Igal Koshevoy wrote:

> Regarding the timezone and date-time format discussion: we'd like to resolve this and have an issue assigned to one of the next releases. Do the details below capture the intended behavior?
>
> http://projects.puppetlabs.com/issues/4605
> Application should use the timezone and format set in a site-specific configuration
>
> Currently:
> - Timezone is set in config/environment.rb and this file must be edited to alter it. This is bad because this file is versioned and is part of the app. Worse still, not everything in the application uses it — such as Status::by_interval uses the timezone that's set on the operating system instead.
> - Time/date formats are set in config/initializers/time_formats.rb. These now use international format, but we should accommodate people with other preferences.
> - Charts use their own format, ignoring the timezone and formatting used in the rest of the application.
>
> Desired behavior:
> - Site-wide settings should be implemented, see #4604
> - Timezone setting should be added to the site-wide settings
> - Date-time format setting should be added to the site-wide settings
> - Everything should use the timezone settings, e.g. the views, Status::by_interval, charts, etc.
> - Everything should use the date-time formatting settings, e.g. the Rails views and charts.
>
> -igal
[Puppet Users] Error reporting to dashboard clients : err: Could not send report: end of file reached
Hello,

I am using puppet 2.6.1rc3 and puppet-dashboard-1.0.3

I set up online reporting setting in puppetmaster configuration:

reports = store,log,tagmail,http
reporturl = http://localhost:3000/reports

It is working, new reports are loaded in puppet-dashboard, but whenever I execute the client I get this error:

err: Could not send report: end of file reached

I tried running puppetmaster and client in debug mode, but I do not get useful information. If I disable http reporting in puppetmaster config it does not display the error.

The error is harmless, it just annoys me. Do you know why this problem happens? Any suggestion to debug it?

Thank you.

--
Sincerely,
Héctor Rivas
Re: [Puppet Users] Puppet 2.6.1rc2 does not honor agent's --tags option
Automatic tags don't work for me but explicit tags do since moving to 2.6.

On Mon, Aug 30, 2010 at 1:47 PM, Todd Zullinger t...@pobox.com wrote:

> Jean-Baptiste Quenot wrote:
>> After upgrading Puppet from 0.24.8 to 2.6.1rc2 at my company, I notice that puppet agent's --tags option is not honored anymore:
>
> Did you happen to file a ticket for this yet? I need to test more myself, but I believe I saw this the other day too, with rc3.
>
> --
> Todd
> OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
> ~~
> Years ago fairy tales all began with Once upon a time..., now we know they all begin with, If I am elected...
> -- Carolyn Warner

--
Jason Koppe
jason.robert.ko...@gmail.com
Cell (210) 445-8242
[Puppet Users] Re: Error reporting to dashboard clients : err: Could not send report: end of file reached
2010/9/1 Héctor Rivas Gándara key...@gmail.com:

> I am using puppet 2.6.1rc3 and puppet-dashboard-1.0.3
>
> It is working, new reports are loaded in puppet-dashboard, but whenever I execute the client I get this error:
>
> err: Could not send report: end of file reached
>
> Do you know why this problem happens? Any suggestion to debug it?

Right now I configured puppetmaster to run with mongrel+apache (as described in http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel) and this error disappeared (???)

--
Sincerely,
Héctor Rivas
Re: [Puppet Users] Puppet + APT, I am lost...
On 08/31/2010 06:41 PM, Trevor Hemsley wrote:

> Actually nothing to do with the content of this post but is anyone else getting a lot of mails from puppet-users at least twice? This particular one came through 3 times with the same timestamp and same Message-Id.

/me too.
Re: [Puppet Users] How report errors and random errors in clients
2010/8/30 Héctor Rivas Gándara key...@gmail.com:

The errors appear once or two times, randomly, and if I execute the client again it works properly. They are usually these kind of errors:

You will probably find life improved by deploying another mode of operation for the puppetmaster daemon, and using a real database (I use PostgreSQL) for storedconfigs.

You are right, I am using both of them... but I thought that it could scale to 20 clients... I will setup mysql+mongrel. I will tell you if this solves the problem.

I just configured mysql for storeconfigs and Apache+mongrel. I still have to test it for a couple of days, but here are my first conclusions:

Just using mysql solved most of the problems, but I still had some random errors with ruby syntax.

Setting up mongrel also reduced them, and I think that the executions are now much faster. But it still gets some random syntax errors with ruby on AIX nodes, especially if I run it with --ignorecache --no-usecacheonfailure. But now these errors are far less frequent.

Some of them are:

//puppetclient.myhost.com//Stage[main]/Cgx_unixserver::Srv_tree/File[/srv] (err): Failed to generate additional resources using 'eval_generate': Invalid parameter 0(0) at /cgx1/puppet/data/test/modules/stow/manifests/package.pp:61

//puppetclient.myhost.com/Puppet (err): Could not retrieve catalog from remote server: Could not intern from pson: private method `gsub' called for 0:Fixnum

Wed Sep 01 13:59:56 +0200 2010 //puppetclient.myhost.com/Puppet (err): Could not retrieve catalog; skipping run

//puppetclient.myhost.com//Stage[main]/Cgx_unixserver::Profile_local/File[/srv/conf/profile.d] (err): Failed to generate additional resources using 'eval_generate': can't convert Fixnum into String

//puppetclient.myhost.com//Stage[main]/Cgx_unixserver::Profile_local/Exec[hook_etc_profile] (err): Could not evaluate: Could not create resource status: undefined method `path' for false:FalseClass at /cgx1/puppet/data/test/services/cgx_unixserver/manifests/profile_local.pp:10

I still have random Segmentation Faults with ruby on AIX. I will ignore them for the moment until I compile the latest ruby source (maybe 1.9.x) and test it.

Maybe all these problems are related to ruby on AIX. Does anybody running AIX have the same problems?

Daniel: Thank you for your reply and suggestion.

--
Sincerely,
Héctor Rivas
Re: [Puppet Users] How report errors and random errors in clients
On Sep 1, 2010, at 5:28 AM, Héctor Rivas Gándara wrote:

> I still have random Segmentation Faults with ruby on AIX. I will ignore them for the moment until I compile the latest ruby source (maybe 1.9.x) and test it.

I remember reading somewhere that puppet isn't compatible with 1.9.x versions of ruby. I don't know if this changed with puppet 2.6.x.
Re: [Puppet Users] How report errors and random errors in clients
> On Sep 1, 2010, at 5:28 AM, Héctor Rivas Gándara wrote:
>
>> I still have random Segmentation Faults with ruby on AIX. I will ignore them for the moment until I compile the latest ruby source (maybe 1.9.x) and test it.
>
> I remember reading somewhere that puppet isn't compatible with 1.9.x versions of ruby. I don't know if this changed with puppet 2.6.x.

This hasn't changed.

pete
Re: [Puppet Users] How report errors and random errors in clients
On Wed, Sep 1, 2010 at 4:55 PM, Patrick kc7...@gmail.com wrote:

> On Sep 1, 2010, at 5:28 AM, Héctor Rivas Gándara wrote:
>
>> I still have random Segmentation Faults with ruby on AIX. I will ignore them for the moment until I compile the latest ruby source (maybe 1.9.x) and test it.
>
> I remember reading somewhere that puppet isn't compatible with 1.9.x versions of ruby. I don't know if this changed with puppet 2.6.x.

Yes, 0.25 was not compatible, but I thought that 2.6.x were compatible... Then I will keep 1.8.7 version.

--
Sincerely,
Héctor Rivas
Re: [Puppet Users] Managing the same file from multiple modules/classes/manifests
You wouldn't by any chance be able to share those DISA SRR manifests to others would you? I've got to do the same thing here at work and it could be a good starting point.

On Thu, Dec 17, 2009 at 8:21 PM, David Pheasant dpheas...@gmail.com wrote:

> Hey everyone,
>
> I accidentally sent an earlier (unfinished) version of this message to the list, but hopefully it was moderated out. In any case, I'm wondering about the best way to manage the contents of a single file from multiple modules or manifests/classes within the same module. Specifically, I'm trying to manage the entries in /etc/pam.d/system-auth-ac (we're running RedHat).
>
> Currently we have a module called 'unix-srr' that implements the DISA unix security guidelines. One of the classes within this module (unix-srr::pam) implements security settings that are involved with the system-auth-ac file (password requirements, password history, su usage). All the unix-srr::pam class does is define a file type that updates/ensures the local file matches the version in the unix-srr/files/etc/pam.d/ module directory on the puppetmaster.
>
> Given the above scenario, what would be the best way to add the ability to configure kerberos based authentication? This will also require edits to the system-auth-ac file. I would like to put this into a separate module/class since not all sites will need/require kerberos authentication. As I see it there are two options:
>
> 1. Another class that re-implements the file based approach where the source system-auth-ac file already includes the unix-srr changes.
> 2. Another class that implements an Augeas based solution.
>
> I think that we can all agree that Option 1 is a kludge since any changes to the unix-srr version of the system-auth-ac file will also have to be made to the kerberos-auth version; otherwise we'd have one overwriting the other in an infinite loop.
>
> Option 2 is viable, but I am annoyed by the amount of time that is required for changes via Augeas since by default Augeas parses all files under /etc/. I have tried setting the 'root' option of the augeas type to '/etc/pam.d/' but this does not work as expected (I also tried this with augtool via the AUGEAS_ROOT environment variable and it failed as well, so this is an issue with Augeas and not puppet).
>
> So, does anyone have a suggestion for how to deal with this? I'm pretty new to puppet so it may well be possible that the layout described above is fundamentally flawed.
>
> Thanks in advance,
> -Dave
[Puppet Users] Re: Puppet hangs
On Aug 26, 4:22 pm, Brice Figureau brice-pup...@daysofwonder.com wrote:

> On Thu, 2010-08-26 at 05:08 -0700, kit wrote:
>
>> This server is 7.2-RELEASE-p4 #0

Just want to confirm this. I am also experiencing this and my setup is new and very simple (3 agents, 1 master and only 2 files).

FreeBSD 8.1-RELEASE #0
Puppet 2.6.1.r2
ruby 1.8.7 (2009-12-24 patchlevel 248) [amd64-freebsd8]

Best regards,
Lasse Brandt
[Puppet Users] Re: Puppet hangs
On 26 Aug, 16:22, Brice Figureau brice-pup...@daysofwonder.com wrote:

> On Thu, 2010-08-26 at 05:08 -0700, kit wrote:
>
> This server is 7.2-RELEASE-p4 #0
>
> So it has the fix I sent.
>
> debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
> debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
> debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
>
> This time it was able to ask for 3 files instead of freezing at the 1st one.
>
> (gdb) thread apply all
> Please specify a command following the thread ID list
> (gdb) bt full
>
> My bad, those two commands are in fact only one:
> thread apply all bt full
>
> But the issue is that I'm not sure we can find the issue. It is certainly some locking issues inside ruby that are invalid on FreeBSD. My advice if you really want to get rid of this issue is to rebuild ruby without pthreads. You might also open a ticket on ruby 1.8 bug tracker (or on the FreeBSD ruby port).
>
> --
> Brice Figureau
> Follow the latest Puppet Community evolutions on www.planetpuppet.org!

Hello,

I think this is the same problem I have seen with my experiments with puppet on freebsd. Puppet randomly hangs after exec-statements. A few examples of where it hangs (ruby18 --debug /usr/local/bin/puppet agent --test --debug --trace)

/usr/local/lib/ruby/site_ruby/1.8/puppet/type.rb:1881: warning: instance variable @virtual not initialized
/usr/local/lib/ruby/site_ruby/1.8/puppet/type.rb:1881: warning: instance variable @virtual not initialized
/usr/local/lib/ruby/site_ruby/1.8/puppet/type.rb:1881: warning: instance variable @virtual not initialized
debug: /Stage[main]/Webbase::Backup/Line[sudo_backup]/Exec[echo 'backup ALL= ( root ) NOPASSWD: /usr/sbin/backup' '/usr/local/etc/sudoers']: Executing check '/usr/bin/grep -qFx 'backup ALL= ( root ) NOPASSWD: /usr/sbin/backup' '/usr/local/etc/sudoers''
debug: Executing '/usr/bin/grep -qFx 'backup ALL= ( root ) NOPASSWD: /usr/sbin/backup' '/usr/local/etc/sudoers''
removing /tmp/puppet20100901-36732-16mgs1p-0...done
puppet hangs

debug: /Stage[main]/Webbase::Apache/Exec[apache_purge]: Executing check '/bin/test -e /usr/local/etc/apache/ssl.crt'
debug: Executing '/bin/test -e /usr/local/etc/apache/ssl.crt'
removing /tmp/puppet20100901-50535-1p6j13j-0...done
puppet hangs

/usr/local/lib/ruby/site_ruby/1.8/puppet/type.rb:1881: warning: instance variable @virtual not initialized
debug: /Stage[main]/Webbase::Nas/Exec[/sbin/mount /proc]: Executing check '/sbin/mount | /usr/bin/egrep ^procfs'
debug: Executing '/sbin/mount | /usr/bin/egrep ^procfs'
removing /tmp/puppet20100901-95974-1n5jg13-0...done
puppet hangs

I'm not really familiar with debugging tools (especially not for ruby applications), but I've added a few debug-statements and started a loop that runs puppet to see where it hangs. So far all I know is that it hangs after Puppet::Util::SUIDManager.run_and_capture() but before it returns from run(), I'll see if I can find exact statement where it hangs...

Regards
--
Fredrik Eriksson
Re: [Puppet Users] Puppet Scalability - Centralised Puppet SSL Cert Issues
Thanks Ohad

I have updated the Wiki entry with a warning (where's the blink tag?) and references to the bugs on certificate chaining

I'm not 100% comfortable with a single CA, so would it be possible to do the following:

- ca_server = puppet-ca.example.com
- rsync the ssl dir every 5 minutes to puppet-ca2.example.com
- If puppet-ca dies, I would swing the CNAME over to puppet-ca2.example.com

Thanks

John

--
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com
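
An added example (not code from this thread or from Puppet) covering two failover ideas raised above, Patrick's copied ca folder and John's rsync of the ssl dir to a standby: a CRL identifies a revoked certificate by issuer and serial number, so two copies of one CA that each continue from the same serial counter issue certificates that cannot be revoked separately. The CA, the host names and the `Replica` counter model are constructed for the demonstration; signing and verification use Ruby's bundled `openssl` library.

```ruby
require "openssl"

# Build a certificate signed by signer_key; issuer_cert is nil for the self-signed CA.
def build_cert(cn, serial, signer_key, issuer_cert = nil, ca: false)
  key = ca ? signer_key : OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(signer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Build a CRL signed by the CA that lists the given serial numbers as revoked.
def build_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# Verify cert against the CA with CRL checking enabled; true means accepted.
def accepted?(ca_cert, crl, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify(cert)
end

# Hypothetical model of one copy of the CA state: same key and certificate,
# plus that copy's own "next serial" counter.
Replica = Struct.new(:key, :cert, :next_serial) do
  def sign(cn)
    leaf = build_cert(cn, next_serial, key, cert)
    self.next_serial += 1
    leaf
  end
end

# Sign web01 and db01 (constructed names), then revoke only web01's serial.
def scenario(ca_key, ca_cert, web_signer, db_signer)
  web = web_signer.sign("web01.example.com")
  db = db_signer.sign("db01.example.com")
  empty = build_crl(ca_key, ca_cert, [])
  revoked = build_crl(ca_key, ca_cert, [web.serial])
  { serials: [web.serial.to_i, db.serial.to_i],
    before_revocation: [web, db].map { |c| accepted?(ca_cert, empty, c) },
    after_revocation: [web, db].map { |c| accepted?(ca_cert, revoked, c) } }
end

def demo
  key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert("Constructed Puppet CA", 1, key, ca: true)
  primary = Replica.new(key, ca, 2)
  standby = Replica.new(key, ca, 2) # copied or rsynced while the counter was at 2
  single = Replica.new(key, ca, 2)  # one CA signs everything
  { copied: scenario(key, ca, primary, standby),
    single: scenario(key, ca, single, single) }
end

p demo if __FILE__ == $0
```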