Puppet users - Jun 2010 - Complex SSL Setup

Afternoon,

I''m searching for documentation or hints on how to achieve a somewhat
more complex SSL setup than is provided "out of the box". 
I''ve looked
around via Google and don''t see anything immediately obvious.

I guess the most logical place to start is to state my aims:

    1) Run a pair of puppetmaster boxes in each security context,
        with these looked after by a single and central puppetmaster.
        This will configure Puppet and things like Passenger for us,
        plus setup scheduled jobs to pull manifests out of VCS.

    2) Have clients be able to talk to either puppetmaster within
        their specific security context, and then use something to
        perform IP failover for availability reasons.

I am therefore guessing we need to run a CA on the internal server
acting as the puppetmaster, and use that to build a suitable chain of
trust?  Where does that leave me for using things like ''puppet
cert''
and can any of the tools already shipped with Puppet assist in getting
this all operational?  Conversely am I likely to encounter resistance
from Puppet tools in trying to achieve these aims?

Has anyone implemented an identical or similar solution, did you
document it anywhere publicly, what problems did you encounter, and do
you have any tips?

Many Thanks,
 - Alex

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Alex - Did your searching turn this up?

http://projects.puppetlabs.com/projects/puppet/wiki/Multiple_Certificate_Authorities

That''s my note from January at the top, sadly - I thought there were
some fixes in 0.25.5 around this but related bugs still seem to be open:

http://projects.puppetlabs.com/issues/3770
http://projects.puppetlabs.com/issues/3120

-=Eric

On Jun 29, 2010, at 5:25 AM, Alex Howells wrote:
> Afternoon,
> 
> I''m searching for documentation or hints on how to achieve a
somewhat
> more complex SSL setup than is provided "out of the box". 
I''ve looked
> around via Google and don''t see anything immediately obvious.
> 
> I guess the most logical place to start is to state my aims:
> 
>    1) Run a pair of puppetmaster boxes in each security context,
>        with these looked after by a single and central puppetmaster.
>        This will configure Puppet and things like Passenger for us,
>        plus setup scheduled jobs to pull manifests out of VCS.
> 
>    2) Have clients be able to talk to either puppetmaster within
>        their specific security context, and then use something to
>        perform IP failover for availability reasons.
> 
> I am therefore guessing we need to run a CA on the internal server
> acting as the puppetmaster, and use that to build a suitable chain of
> trust?  Where does that leave me for using things like ''puppet
cert''
> and can any of the tools already shipped with Puppet assist in getting
> this all operational?  Conversely am I likely to encounter resistance
> from Puppet tools in trying to achieve these aims?
> 
> Has anyone implemented an identical or similar solution, did you
> document it anywhere publicly, what problems did you encounter, and do
> you have any tips?
> 
> Many Thanks,
> - Alex
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
> 
 - Eric Sorenson - N37 17.255 W121 55.738  - http://twitter.com/ahpook  -

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.