Anyone ever migrated the puppetca to a different host? What are the steps that are involved?
On Mon, Jul 02, 2007 at 05:57:23PM -0700, Digant C Kasundra wrote:
> Anyone ever migrated the puppetca to a different host? What are the steps
> that are involved?

scp -a $ssldir newserver:$ssldir, more or less.

- Matt

--
"When you have a Leatherman, everything looks Leathermanipulable."
-- Nathan McCoy, in the Monastery

--On Tuesday, July 03, 2007 7:49 PM +1000 Matthew Palmer <mpalmer@hezmatt.org> wrote:

>> Anyone ever migrated the puppetca to a different host? What are the
>> steps that are involved?
>
> scp -a $ssldir newserver:$ssldir, more or less.

That's a bit simplistic, isn't it? I would assume I need to have at least something running on the said newserver. :) I would also assume I need to configure the clients and masters to know where the puppetca is that they should use.

On Tue, Jul 03, 2007 at 10:57:32AM -0700, Digant C Kasundra wrote:
> --On Tuesday, July 03, 2007 7:49 PM +1000 Matthew Palmer
> <mpalmer@hezmatt.org> wrote:
>
> >> Anyone ever migrated the puppetca to a different host? What are the
> >> steps that are involved?
> >
> > scp -a $ssldir newserver:$ssldir, more or less.
>
> That's a bit simplistic, isn't it?

Hence the "more or less".

> I would assume I need to have at least something running on the said
> newserver. :)

Sure. And you've got to turn it on, too.

> I would also assume I need to configure the clients and masters to know
> where the puppetca is that they should use.

Only if your CA is separate from the Puppetmaster itself. I always run my CA on the config distrib puppetmaster, so the problem never arises. Running a CA separated from the puppetmaster is a different problem, and largely orthogonal from your original question, as the same issues arise when you're setting up a new CA that's separated from the puppetmaster.

- Matt

On Jul 3, 2007, at 12:57 PM, Digant C Kasundra wrote:
> That's a bit simplistic, isn't it? I would assume I need to have
> at least something running on the said newserver. :) I would also
> assume I need to configure the clients and masters to know where the
> puppetca is that they should use.

There are separate 'caserver' and 'caport' configuration parameters you can use to do this.

--
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick, "How to Build a Universe"
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

--On Tuesday, July 03, 2007 04:40:55 PM -0500 Luke Kanies <luke@madstop.com> wrote:

> On Jul 3, 2007, at 12:57 PM, Digant C Kasundra wrote:
>
>> That's a bit simplistic, isn't it? I would assume I need to have
>> at least something running on the said newserver. :) I would also
>> assume I need to configure the clients and masters to know where the
>> puppetca is that they should use.
>
> There are separate 'caserver' and 'caport' configuration parameters
> you can use to do this.

And how will this affect my existing certs?

--
Digant C Kasundra <digant@stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University

--On Wednesday, July 04, 2007 07:31:32 AM +1000 Matthew Palmer <mpalmer@hezmatt.org> wrote:

> On Tue, Jul 03, 2007 at 10:57:32AM -0700, Digant C Kasundra wrote:
>> --On Tuesday, July 03, 2007 7:49 PM +1000 Matthew Palmer
>> <mpalmer@hezmatt.org> wrote:
>>
>> >> Anyone ever migrated the puppetca to a different host? What are the
>> >> steps that are involved?
>> >
>> > scp -a $ssldir newserver:$ssldir, more or less.
>>
>> That's a bit simplistic, isn't it?
>
> Hence the "more or less".
>
>> I would assume I need to have at least something running on the said
>> newserver. :)
>
> Sure. And you've got to turn it on, too.

Don't make me hunt you down, Matt. ;-)

>> I would also assume I need to configure the clients and masters to know
>> where the puppetca is that they should use.
>
> Only if your CA is separate from the Puppetmaster itself. I always run my
> CA on the config distrib puppetmaster, so the problem never arises.
> Running a CA separated from the puppetmaster is a different problem, and
> largely orthogonal from your original question, as the same issues arise
> when you're setting up a new CA that's separated from the puppetmaster.

I have a feeling somewhere along the way, I'm going to get stuck. My ultimate goal is to not only have a separate puppet CA, but ultimately to load balance the two puppetmasters, except our archaic networking group doesn't offer hardware load balancing so I'm not sure how well this is going to work. I need to review the puppet internals on how certs are handled and managed.

--
Digant C Kasundra <digant@stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University

On Jul 3, 2007, at 4:53 PM, Digant C Kasundra wrote:
> And how will this affect my existing certs?

Not at all. The CA stuff is only ever used when you get your host cert. Really.

--
Aizu's Second Law: What changes the world is communication, not information.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
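
An added example, not part of the thread and not Puppet's own tooling: a shell check that a copied `$ssldir` carries the same files, contents and permission bits as the original, so a CA private key does not arrive altered or with looser modes. It assumes GNU coreutils (`stat -c`, `sha256sum`); the function names and the file names in the sample tree are constructed placeholders, not Puppet's actual layout.

```shell
#!/bin/sh
# Print "mode sha256 path" for every regular file under $1, sorted by path.
ssl_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s %s\n' "$(stat -c '%a' "$f")" \
              "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
      done )
}

# Succeed only when both trees hold the same files, contents and modes.
ssl_copy_matches() {
    [ "$(ssl_manifest "$1")" = "$(ssl_manifest "$2")" ]
}

# Print paths in the copy ($2) that are new or differ in mode or content.
# Files missing from the copy are caught by ssl_copy_matches instead.
ssl_drift() {
    _m=$(mktemp)
    ssl_manifest "$1" > "$_m"
    ssl_manifest "$2" | grep -vxFf "$_m" | cut -d' ' -f3-
    rm -f "$_m"
}

# Build a constructed sample tree (placeholder names and contents).
make_sample_ssldir() {
    mkdir -p "$1/ca/signed"
    printf 'constructed CA key\n'    > "$1/ca/key.pem"
    printf 'constructed CA cert\n'   > "$1/ca/cert.pem"
    printf 'constructed host cert\n' > "$1/ca/signed/host.pem"
    chmod 600 "$1/ca/key.pem"
    chmod 644 "$1/ca/cert.pem" "$1/ca/signed/host.pem"
}

# Demo: a faithful copy matches; a loosened key mode is reported as drift.
demo=$(mktemp -d)
make_sample_ssldir "$demo/old"
cp -Rp "$demo/old" "$demo/new"
ssl_copy_matches "$demo/old" "$demo/new" && echo "copy matches"
chmod 644 "$demo/new/ca/key.pem"   # simulated permission slip on the new host
echo "drift: $(ssl_drift "$demo/old" "$demo/new")"
rm -rf "$demo"
```

Across two hosts, run `ssl_manifest` on each side and compare the two outputs; ownership is not covered and needs a separate check.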