Hi,

Does anyone know if this document is up to date (besides the comment at the top saying it's not):

http://projects.puppetlabs.com/projects/1/wiki/Multiple_Certificate_Authorities

Or does anyone who has a load balanced multi puppet master with some kind of shared CA confirm that the procedure is accurate?
Hi,

On Thu, Nov 11, 2010 at 9:17 AM, luke.bigum <luke.bigum@fasthosts.co.uk> wrote:

> Hi,
>
> Does anyone know if this document is up to date (besides the comment at the top saying it's not):
>
> http://projects.puppetlabs.com/projects/1/wiki/Multiple_Certificate_Authorities
>
> Or does anyone who has a load balanced multi puppet master with some kind of shared CA confirm that the procedure is accurate?

I would not follow this document unless you need to use chained CAs (which is a huge pain to get working). If you just need some instructions for configuring multiple puppetmasters to share a single CA, I have written some instructions here:

http://bodepd.com/wordpress/?p=7

-Dan
luke.bigum
2010-Nov-12 09:26 UTC
[Puppet Users] Re: Multiple CA / Puppet master environment
Excellent, thanks for that Dan I'll take a look.

On Nov 11, 5:42 pm, Dan Bode <d...@puppetlabs.com> wrote:

> I would not follow this document unless you need to use chained CAs (which is a huge pain to get working), if you just need some instructions for configuring multiple puppetmasters to share a single CA, I have written some instructions here:
>
> http://bodepd.com/wordpress/?p=7
>
> -Dan
I too have been after this for some time. I will take a read of this.

Thanks so much for taking the time to write this up Dan.

Thanks!
CraftyTech
2010-Nov-17 13:57 UTC
[Puppet Users] Re: Multiple CA / Puppet master environment
Would there be any issues with stored configs? Should I either a) Point both masters to the same PuppetDB server (MySql), or b) Setup a two way replication between the masters, and connect them individually to their respective PuppetDBs.

Thanks,

On Nov 15, 1:13 am, DaveQB <da...@dward.us> wrote:

> I too have been after this for some time. I will take a read of this.
>
> Thanks so much for taking the time to write this up Dan.
>
> Thanks!
CraftyTech
2010-Nov-17 21:23 UTC
[Puppet Users] Re: Multiple CA / Puppet master environment
Does anyone use multiple puppetmasters with storedconfigs?
Scott Smith
2010-Nov-17 21:29 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
nfs mount the puppetmaster ssl dir. separate puppetca (set on clients) play with it and you'll figure it out :)
John Warburton
2010-Nov-17 22:00 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
I rsync my ssl dir from CNAMES puppet-ca.example.com to puppet-ca2.example.com every 5 mins

All clients configuration is set up such that ca_server puppet-ca.example.com

If puppet-ca goes down, I swing the puppet-ca CNAME to the puppet-ca2 server

Note that to make this work I use the same single cert for all puppet servers and use certdnsnames to include puppet-ca & puppet-ca2 and every CNAME for every puppet server in the organisation

As for storedconfigs - I'm not there yet, but thought I'd have MySQL point to the one server. All the warnings about queuing and the like have pushed the priority down for me

John

--
John Warburton
Ph: 0417 299 600
Email: jwarburton@gmail.com
On Nov 17, 6:57 am, CraftyTech <hmmed...@gmail.com> wrote:

> Would there be any issues with stored configs? should I either a) Point both masters to the same PuppetDB server (MySql), or b) Setup a two way replication between the masters, and connect them individually to their respective PuppetDB's..

Storeconfigs with "a bunch" of masters using a single DB server isn't a problem. You'll need to turn on thin storeconfigs eventually. A few hundred nodes with a few hundred resources per node is probably the limit of "thick" storeconfigs. The issue isn't load on the DB server, that's pretty light. The problem with "thick" storeconfigs is all the time the masters spend in ActiveRecord land when compiling catalogs.
Nigel Kersten
2010-Nov-17 23:53 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
On Wed, Nov 17, 2010 at 1:29 PM, Scott Smith <scott@ohlol.net> wrote:

> nfs mount the puppetmaster ssl dir. separate puppetca (set on clients) play with it and you'll figure it out :)

Why do you need to nfs mount the puppetmaster SSL dir in this case Scott?

There's no state to be shared if you're operating with a dedicated puppetca.

--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com
Scott Smith
2010-Nov-18 03:55 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
Oh, that's for sharing the puppetmaster SSL keypair between each other, that's all.
Nigel Kersten
2010-Nov-18 17:00 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
I think it's a bad idea to deal with the overhead of an NFS mount when you have a dedicated puppet CA, as on your non-CA servers there should be no need to ever write to that directory.

--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com
Scott Smith
2010-Nov-18 20:01 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
Puppetmasters (the puppetmasterds serving catalogs) don't need access to the same SSL dir as the Puppet CA (the puppetmasterd signing and revoking certs). But, they do need to share the private key for presenting the certificate for puppet.domain.com. And the CRL as well, if you use it. That directory doesn't have to be shared via NFS. You could rsync the ssl directory between your puppetmasters.

--
http://about.me/scoot
http://twitter.com/ohlol
Nigel Kersten
2010-Nov-18 20:43 UTC
Re: [Puppet Users] Multiple CA / Puppet master environment
On Thu, Nov 18, 2010 at 12:01 PM, Scott Smith <scott@ohlol.net> wrote:

> Puppetmasters (the puppetmasterds serving catalogs) don't need access to the same SSL dir as the Puppet CA (the puppetmasterd signing and revoking certs). But, they do need to share the private key for presenting the certificate for puppet.domain.com. And the CRL as well, if you use it. That directory doesn't have to be shared via NFS. You could rsync the ssl directory between your puppetmasters.

Absolutely. I just try to avoid NFS where possible.

--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com
CraftyTech
2010-Nov-29 17:24 UTC
[Puppet Users] Re: Multiple CA / Puppet master environment
I'm only using one master for CA (following http://bodepd.com/wordpress/?p=7). But when I run puppetd -t from a client, against an alternate master (puppetd -t --server alt_master.domain.com), I get "err: Could not retrieve catalog from remote server: hostname not match with the server certificate". Shouldn't I be able to run puppet against any of the masters?

Thanks,
John Warburton
2010-Nov-29 21:39 UTC
Re: [Puppet Users] Re: Multiple CA / Puppet master environment
Only if all your servers use the *same* certificate and are listed as alternate DNS names in certdnsnames. (Search the group for certdnsnames for examples - including mine)

John
--
John Warburton Ph: 0417 299 600 Email: jwarburton@gmail.com
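The condition in the reply above can be checked before agents are pointed at a second master. The following is an added example, not code from the thread or from Puppet: it assumes certdnsnames is a colon-separated list and applies the standard TLS hostname rule (RFC 2818), under which the certificate's CN is no longer consulted once DNS alternate names are present. The function names are hypothetical and the host names are the ones used in the thread.

```python
# Added example: which --server names would fail hostname verification
# against a shared master certificate? All inputs below are constructed.

def parse_certdnsnames(value):
    """Split a certdnsnames value (assumed here to be colon-separated)."""
    return [n.strip().lower() for n in value.split(":") if n.strip()]


def name_matches(pattern, hostname):
    """Exact match, or '*' standing for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def covered_names(common_name, certdnsnames):
    """Names a client will accept: the alternate names if any, else the CN.

    Under RFC 2818 the CN is ignored as soon as the certificate carries
    DNS subjectAltName entries, so the primary name must be listed too.
    """
    sans = parse_certdnsnames(certdnsnames)
    return sans if sans else [common_name.lower()]


def rejected_servers(common_name, certdnsnames, server_names):
    """Return the server names that the certificate does not cover."""
    covered = covered_names(common_name, certdnsnames)
    return [s for s in server_names
            if not any(name_matches(c, s) for c in covered)]


# Names agents connect to, modelled on the thread.
AGENT_TARGETS = ["puppet.domain.com", "alt_master.domain.com"]

if __name__ == "__main__":
    scenarios = [
        ("no alternate names", ""),
        ("second master not listed", "puppet:puppet.domain.com"),
        ("all masters listed",
         "puppet:puppet.domain.com:alt_master.domain.com"),
    ]
    for label, names in scenarios:
        bad = rejected_servers("puppet.domain.com", names, AGENT_TARGETS)
        print(f"{label}: rejected = {bad}")
```

Any name reported as rejected is one an agent would refuse with a hostname mismatch until the shared certificate is reissued with that name among its alternates.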