Issue #14034 has been updated by Daniel Pittman.

Status changed from Unreviewed to Rejected

It sounds like you have multiple masters, all acting as the CA, and sharing the CA directory via NFS - is that correct?

That isn't a supported configuration, and it has known problems like the serial number reuse you identified.

Unfortunately, it is actually kind of difficult to make that multi-master CA arrangement work - it takes a whole bunch of distributed locking that we have not implemented. (Not just file level locking; you need to coordinate a bunch of different parts of the CA process to make sure, e.g., you don't work off stale cached information.)

Instead, we recommend you use a single "active" CA, even if you share the files with other machines via NFS to allow quick bring-up of another CA for DR purposes.

(...and by "recommend" I mean "we know you will get data corruption if you don't do that, so please don't." ;)

----------------------------------------
Bug #14034: Serial number reusage with Puppet certificates (MFS)
https://projects.puppetlabs.com/issues/14034#change-61095

Author: Anders Larsson
Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords: certificate, revoked, nfs, serial reused
Branch:

When adding multiple new nodes to a puppetmaster (using Passenger+Apache2) during a short interval there's a huge possibility a certificate serial number will be reused if NFS is used.
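A check an operator could run for the problem described in this report, added here as an example and not part of the original message or Puppet's own code: it scans a CA inventory for serial numbers that were issued more than once. It assumes the inventory layout `<hex serial> <not before> <not after> /CN=<certname>`; the sample entries and host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed inventory layout:
# <hex serial> <not before> <not after> /CN=<certname>
SAMPLE_INVENTORY = """\
# Inventory of signed certificates
0x0001 2012-04-17T09:00:01GMT 2017-04-16T09:00:01GMT /CN=ca.example.test
0x0002 2012-04-17T09:05:10GMT 2017-04-16T09:05:10GMT /CN=web01.example.test
0x0003 2012-04-17T09:05:11GMT 2017-04-16T09:05:11GMT /CN=web02.example.test
0x0003 2012-04-17T09:05:11GMT 2017-04-16T09:05:11GMT /CN=web03.example.test
0x0004 2012-04-17T09:05:12GMT 2017-04-16T09:05:12GMT /CN=db01.example.test
0x0004 2012-04-18T11:00:00GMT 2017-04-17T11:00:00GMT /CN=db01.example.test
"""

LINE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+/CN=(\S+)\s*$")


def parse_inventory(text):
    """Return ([(serial, not_before, certname)], [unparsed line numbers])."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(lineno)  # report, never silently skip
            continue
        entries.append((int(m.group(1), 16), m.group(2), m.group(4)))
    return entries, malformed


def reused_serials(entries):
    """Map each serial issued to more than one distinct certificate."""
    by_serial = defaultdict(set)
    for serial, not_before, certname in entries:
        # Same name with a different start date is still a second certificate.
        by_serial[serial].add((certname, not_before))
    return {s: sorted(v) for s, v in by_serial.items() if len(v) > 1}


if __name__ == "__main__":
    entries, malformed = parse_inventory(SAMPLE_INVENTORY)
    for serial, certs in sorted(reused_serials(entries).items()):
        names = ", ".join(f"{n} ({nb})" for n, nb in certs)
        print(f"serial 0x{serial:04X} issued {len(certs)} times: {names}")
    if malformed:
        print("unparsed lines:", malformed)
```

A reused serial matters for revocation because a CRL identifies certificates by serial number, so revoking one of the colliding certificates cannot be distinguished from revoking the other.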
