Re: [Puppet Users] Re: CA puppetmaster

2014-01-31 Thread vassiliy vins
Yes, I did, because I copied the whole ca/ directory from my primary. And the
private/ folder is inside of ca/.

What I discovered just now: the client gets the secondary puppetmaster's name and
compares it with the name in the certificate.
If they do not match each other, it does not accept the certificate.


On 31 January 2014 13:33, José Luis Ledesma wrote:

> I don't have experience with ca in ha, but I think you should copy also ca
> private keys.
> On 31/01/2014 21:19, "Vassiliy Vins" wrote:
>
>> So, I have to copy the ca/ directory from the primary puppetmaster to the
>> secondary one? Right?
>>
>> I did, no success, the same message: Server hostname 'puppetserver' did
>> not match server certificate; expected puppetslave
>> I can formulate my question in other words - why does the client expect
>> puppetslave, where does it take this host name from?
>> Maybe I need to put a cert_name line on my secondary puppetmaster?
>>
>>
>>
>> On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:
>>>
>>>
>>>
>>> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>>>>
>>>> Hi!
>>>>
>>>> I have 2 puppetmasters with High availability configuration.
>>>>
>>>> If first dead, second starts.
>>>>
>>>> Could you tell me which file from  $ssl_dir of primary  should I copy to
>>>> secondary  puppetmaster that clients recognize it as primary one?
>>>>
>>>> Any amendments should I make inside files?
>>>>
>>>> Thank you
>>>>
>>>
>>> The cert material is in /var/lib/puppet/ssl/ca, you would need the
>>>
>>> $SSL_dir/ca/private/ca.pass
>>> $SSL_dir/ca/ca*.pem
>>>
>>> I think this might work better if you have a floating virtual IP address
>>> that switches between the two puppet servers. You will need to keep the
>>> entire $SSL_dir, and all the manifest dirs synced, so when your second
>>> machine comes up, it has all the latest signed certs, content etc. You can
>>> use DRBD for the entire partition, or csync for selected dirs to achieve
>>> this ...
>>>
>>> But given puppet only implements changes to files ... is it really so
>>> critical that it requires a HA solution of this complexity ? I kind of have
>>> my doubts. If puppet goes offline for 30mins while you restore a vm image,
>>> most of the clients will error once, and then resume working the next time
>>> they check in.
>>>
>>> Andrew
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAO%2BK8YyX%2B55dTQu%3DMYKDLj2AW4WTfbF4g9%3Dtgkg6TohJ_%2BoxHg%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
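
The name check described in the message above, as an added example that is not part of any message in this thread and is not Puppet's own code: it uses Ruby's standard OpenSSL hostname check to show that a certificate signed by the shared CA still fails when its name is only 'puppetslave' and the client connects to 'puppetserver'. The demo CA, the helper names and the certificate listing both names in subjectAltName are assumptions made for illustration.

```ruby
require 'openssl'

# Build a certificate for `cn`. With no issuer it is a self-signed CA;
# otherwise it is signed by the issuer and may carry extra DNS names.
def build_cert(cn, issuer_cert: nil, issuer_key: nil, alt_names: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..1_000_000)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  if issuer_cert.nil?
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  elsif !alt_names.empty?
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Two independent checks a TLS client makes on the server certificate:
# is it signed by the trusted CA, and does it name the host being contacted?
def check(server_cert, ca_cert, hostname)
  { signed_by_ca: server_cert.verify(ca_cert.public_key),
    name_matches: OpenSSL::SSL.verify_certificate_identity(server_cert, hostname) }
end

# Constructed demo CA, standing in for the ca/ directory shared by both masters.
CA_CERT, CA_KEY = build_cert('Demo Puppet CA')

# Secondary master's certificate naming only itself (the failing case in the thread).
SLAVE_ONLY = build_cert('puppetslave', issuer_cert: CA_CERT, issuer_key: CA_KEY).first

# Assumed alternative: same CA, but the certificate lists both host names.
BOTH_NAMES = build_cert('puppetslave', issuer_cert: CA_CERT, issuer_key: CA_KEY,
                        alt_names: %w[puppetserver puppetslave]).first

{ 'puppetslave only' => SLAVE_ONLY, 'both names' => BOTH_NAMES }.each do |label, cert|
  puts "#{label}: #{check(cert, CA_CERT, 'puppetserver')}"
end
```

Both certificates pass the CA signature check; only the name check differs, which is why copying ca/ alone does not change the error.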


Re: [Puppet Users] Re: CA puppetmaster

2014-01-31 Thread José Luis Ledesma
I don't have experience with ca in ha, but I think you should copy also ca
private keys.
On 31/01/2014 21:19, "Vassiliy Vins" wrote:

> So, I have to copy the ca/ directory from the primary puppetmaster to the
> secondary one? Right?
>
> I did, no success, the same message: Server hostname 'puppetserver' did
> not match server certificate; expected puppetslave
> I can formulate my question in other words - why does the client expect
> puppetslave, where does it take this host name from?
> Maybe I need to put a cert_name line on my secondary puppetmaster?
>
>
>
> On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:
>>
>>
>>
>> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>>>
>>> Hi!
>>>
>>> I have 2 puppetmasters with High availability configuration.
>>>
>>> If first dead, second starts.
>>>
>>> Could you tell me which file from  $ssl_dir of primary  should I copy to
>>> secondary  puppetmaster that clients recognize it as primary one?
>>>
>>> Any amendments should I make inside files?
>>>
>>> Thank you
>>>
>>
>> The cert material is in /var/lib/puppet/ssl/ca, you would need the
>>
>> $SSL_dir/ca/private/ca.pass
>> $SSL_dir/ca/ca*.pem
>>
>> I think this might work better if you have a floating virtual IP address
>> that switches between the two puppet servers. You will need to keep the
>> entire $SSL_dir, and all the manifest dirs synced, so when your second
>> machine comes up, it has all the latest signed certs, content etc. You can
>> use DRBD for the entire partition, or csync for selected dirs to achieve
>> this ...
>>
>> But given puppet only implements changes to files ... is it really so
>> critical that it requires a HA solution of this complexity ? I kind of have
>> my doubts. If puppet goes offline for 30mins while you restore a vm image,
>> most of the clients will error once, and then resume working the next time
>> they check in.
>>
>> Andrew
>>


[Puppet Users] Re: CA puppetmaster

2014-01-31 Thread Vassiliy Vins
So, I have to copy the ca/ directory from the primary puppetmaster to the
secondary one? Right?

I did, no success, the same message: Server hostname 'puppetserver' did
not match server certificate; expected puppetslave
I can formulate my question in other words - why does the client expect
puppetslave, where does it take this host name from?
Maybe I need to put a cert_name line on my secondary puppetmaster?



On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:
>
>
>
> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>>
>> Hi!
>>
>> I have 2 puppetmasters with High availability configuration.
>>
>> If first dead, second starts.
>>
>> Could you tell me which file from  $ssl_dir of primary  should I copy to 
>> secondary  puppetmaster that clients recognize it as primary one?
>>
>> Any amendments should I make inside files?
>>
>> Thank you
>>
>
> The cert material is in /var/lib/puppet/ssl/ca, you would need the 
>
> $SSL_dir/ca/private/ca.pass
> $SSL_dir/ca/ca*.pem
>
> I think this might work better if you have a floating virtual IP address 
> that switches between the two puppet servers. You will need to keep the 
> entire $SSL_dir, and all the manifest dirs synced, so when your second 
> machine comes up, it has all the latest signed certs, content etc. You can 
> use DRBD for the entire partition, or csync for selected dirs to achieve
> this ...
>
> But given puppet only implements changes to files ... is it really so 
> critical that it requires a HA solution of this complexity ? I kind of have 
> my doubts. If puppet goes offline for 30mins while you restore a vm image, 
> most of the clients will error once, and then resume working the next time 
> they check in.
>
> Andrew
>
>



Re: [Puppet Users] Re: CA puppetmaster

2014-01-29 Thread vassiliy vins
Thank you, Andrew!
I'll try tomorrow.
In High Availability I have a floating IP (better to say, a redundant IP).
I don't think that we need HA for puppet, but my boss insists on it.
Regards,
Vassiliy


On 29 January 2014 21:37, Andrew  wrote:

>
>
> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>>
>> Hi!
>>
>> I have 2 puppetmasters with High availability configuration.
>>
>> If first dead, second starts.
>>
>> Could you tell me which file from  $ssl_dir of primary  should I copy to
>> secondary  puppetmaster that clients recognize it as primary one?
>>
>> Any amendments should I make inside files?
>>
>> Thank you
>>
>
> The cert material is in /var/lib/puppet/ssl/ca, you would need the
>
> $SSL_dir/ca/private/ca.pass
> $SSL_dir/ca/ca*.pem
>
> I think this might work better if you have a floating virtual IP address
> that switches between the two puppet servers. You will need to keep the
> entire $SSL_dir, and all the manifest dirs synced, so when your second
> machine comes up, it has all the latest signed certs, content etc. You can
> use DRBD for the entire partition, or csync for selected dirs to achieve
> this ...
>
> But given puppet only implements changes to files ... is it really so
> critical that it requires a HA solution of this complexity ? I kind of have
> my doubts. If puppet goes offline for 30mins while you restore a vm image,
> most of the clients will error once, and then resume working the next time
> they check in.
>
> Andrew
>


[Puppet Users] Re: CA puppetmaster

2014-01-29 Thread Andrew


On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>
> Hi!
>
> I have 2 puppetmasters with High availability configuration.
>
> If first dead, second starts.
>
> Could you tell me which file from  $ssl_dir of primary  should I copy to 
> secondary  puppetmaster that clients recognize it as primary one?
>
> Any amendments should I make inside files?
>
> Thank you
>

The cert material is in /var/lib/puppet/ssl/ca, you would need the 

$SSL_dir/ca/private/ca.pass
$SSL_dir/ca/ca*.pem

I think this might work better if you have a floating virtual IP address 
that switches between the two puppet servers. You will need to keep the 
entire $SSL_dir, and all the manifest dirs synced, so when your second 
machine comes up, it has all the latest signed certs, content etc. You can 
use DRBD for the entire partition, or csync for selected dirs to achieve
this ...

But given puppet only implements changes to files ... is it really so 
critical that it requires a HA solution of this complexity ? I kind of have 
my doubts. If puppet goes offline for 30mins while you restore a vm image, 
most of the clients will error once, and then resume working the next time 
they check in.

Andrew
