2009/6/11 chakkerz <[email protected]>:
> Which leads to my two questions:
> 1) how do I keep the certs on both prod hosts? I assume they ID the
> host uniquely, so just copying them across is not the way forward,
> though I'm planning to use some sort of IP failover between the two
> prod hosts, and I'm thinking signing against the shared IP may be
> sufficient (have not tried).

So, you don't need the client certs on any puppetmaster. All that is important is that the client trusts the master's cert, and that the master trusts the client's cert. Probably the easiest way of doing that is (1) just putting the same cert on both puppetmasters, or (2) including the contents of both ca.pem on all hosts, and lastly (3) creating a rootCA that all parties trust and just sign all the keys accordingly. And also fwiw, the host is only identified by its FQDN by default - it's the CN in the cert.

> 2) has anyone used puppet with IP failover? My Red Hat Cluster Suite
> nodes are currently intent on upsetting me so I'm inclined not to go
> that way, rather I'm considering ucarp. Regardless, has anyone tried
> puppet + IP failover?

We did it in active-active with load balancers, which could have easily been active-passive. It's just a simple web service from the perspective of high availability. When the move to REST is complete it'll be even more simple.

> I guess there is a 3: is there a way of just specifying two hosts in
> the config (and what does that mean to certificates)?

No, I assume the thought being high availability would be handled outside of the client. This has come up a few times now though... I think I'd rather see ordered A or SRV RRs.

.r'
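
The trust relationships behind options (2) and (3) in the reply above, as an added example that is not part of the original message and does not use Puppet's own CA tooling. It uses plain `openssl` with throwaway keys; the CA names, the `*.example.test` host names and the helper functions are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway keys in a temp dir, placeholder names throughout.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA, written to NAME.key / NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA CN OUT: new key for CN, certificate signed by CA, written to OUT.pem
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -days 1 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$3.pem" 2>/dev/null
}

# trusts CAFILE CERT: prints "yes" if CERT chains to a CA in CAFILE, else "no"
trusts() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Starting point: each master has its own CA and a cert signed by it.
make_ca ca-a; issue ca-a master-a.example.test a
make_ca ca-b; issue ca-b master-b.example.test b

# Option (2): hosts carry the contents of both ca.pem files.
cat "$WORK/ca-a.pem" "$WORK/ca-b.pem" > "$WORK/both.pem"

# Option (3): one root CA that everyone trusts re-signs both masters.
make_ca root
issue root master-a.example.test a3
issue root master-b.example.test b3

echo "host trusting only ca-a:  a=$(trusts ca-a a)  b=$(trusts ca-a b)"
echo "host trusting both CAs:   a=$(trusts both a)  b=$(trusts both b)"
echo "host trusting the root:   a=$(trusts root a3) b=$(trusts root b3)"
echo "root-only host, old cert: a=$(trusts root a)"
```

With the bundle from option (2), a certificate issued by either CA is accepted everywhere, so both CA keys need the same protection. Under option (3) the certs signed by the old per-master CAs stop verifying until they are reissued.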
