Re: [Puppet Users] Master failover and cert names.
> I know that there's a 'certname' option but it looks like it's only valid in the [agent], not the master section. How do I do this?

It works in the master section as well.

~pete

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
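The setting described in the reply above, laid out for the two-master case from the original question. This is an added example, not configuration posted by anyone in the thread; `hpma02p1` is a hypothetical name for the standby master, and it assumes both masters' certificates are issued by the one CA the agents already trust.

```ini
# Added example, not from the thread.
# hpma01p1 and the alias "puppet" come from the original post;
# hpma02p1 is a hypothetical name for the standby master.

# --- Before: no certname set on either master ----------------------------
# Each master's certificate is named after its own FQDN (hpma01p1 on the
# active master, hpma02p1 on the standby). An agent that connects to
# "puppet" is then shown a certificate issued under a different name.

# --- After: puppet.conf on hpma01p1 AND on hpma02p1 ----------------------
[master]
# Same value on both masters, equal to the name the agents connect to.
# Set it before the master's certificate is generated: a certificate
# already issued under the FQDN keeps that name.
certname = puppet

# --- After: puppet.conf on every agent -----------------------------------
[agent]
# Always the alias, never one master's FQDN, so a failover only changes
# where the alias points and the name the agent checks stays the same.
server = puppet

# Assumption: both master certificates chain to the same CA that signed
# the agents' certificates. A standby with its own, separate CA fails
# verification on the agent whatever name its certificate carries.
```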
Re: [Puppet Users] Master failover and cert names.
On Sat, Jul 30, 2011 at 10:38 PM, James Turnbull ja...@puppetlabs.com wrote:

> Douglas Garstang wrote:
>> Well, this is frustrating. Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
>>
>> I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new Pro Puppet book skims over this detail. You'd think they'd have some proof it before selling it.
>
> Douglas
>
> Did you read the chapter carefully? The Front End Load Balancer Configuration section explains this pretty clearly.

Several times. Starts on page 99. Can't find any reference to it.

Also, I'd like to point out that the book talks initially about setting up a separate primary and secondary CA, but after mentioning that these should go on a separate server, only details how to do it on the puppet master. Putting the CA function on a different server is not a trivial thing and I spent a few hours yesterday reading between the lines, trying to work out how to put it on a separate server, and finally gave up about 1am this morning.

Doug.
[Puppet Users] Master failover and cert names.
Well, this is frustrating. Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.

I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new Pro Puppet book skims over this detail. You'd think they'd have some proof it before selling it.

Anyway, someone suggested just using a DNS alias, but that doesn't seem to work. If my master is called hpma01p1, and the ssl certs are created in the default manner, when I create a DNS alias, and my client talks to hpma01p1 by using 'puppet', it still fails:

    Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

I know that there's a 'certname' option but it looks like it's only valid in the [agent], not the master section. How do I do this?

Doug.
Re: [Puppet Users] Master failover and cert names.
Douglas Garstang wrote:

> Well, this is frustrating. Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
>
> I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new Pro Puppet book skims over this detail. You'd think they'd have some proof it before selling it.

Douglas

Did you read the chapter carefully? The Front End Load Balancer Configuration section explains this pretty clearly.

Regards

James Turnbull

--
James Turnbull
Puppet Labs
1-503-734-8571

Join us for PuppetConf http://www.bit.ly/puppetconfsig, September 22nd and 23rd in Portland, Oregon, USA.