On Sat, Mar 13, 2010 at 11:33 AM, Christopher Johnston <[email protected]> wrote:
> No I am not using environments with this setup, curious on how that would
> make a difference if the module base is identical for all of my production
> hosts.

This probably explains it better.

http://projects.reductivelabs.com/issues/1557

The point is exactly that the module base isn't the same for different
environments.

>
> By using a subject altname on the cert would that allow for a distributed
> certificate for all my hosts in that specific environment. Since each
> datacenter has its own two puppetmasters they also have their own dns
> domain suffix so that could work.
>
> On Sat, Mar 13, 2010 at 11:47 AM, Nigel Kersten <[email protected]> wrote:
>>
>> On Sat, Mar 13, 2010 at 8:43 AM, Christopher Johnston
>> <[email protected]> wrote:
>> > Sorry for the late response. That feature looks attractive, but not
>> > feasible at this state. I am still running .24 version of puppet which
>> > is working great (although performance could be slightly better!) and I
>> > wasn't looking to do an upgrade to .25 for at least a month or two as
>> > bugs iron out.
>> >
>> > Essentially my setup consists of a central git server and a
>> > puppetmaster in our main site. In my remote locations I have two
>> > puppetmasters running in a cluster using a VIP for its IP address.
>> > Since the physical hostname could potentially change during a failover
>> > situation along with the keys not being there (I could put the ssl
>> > certs on shared storage or sync them from hostA to hostB via rsnapshot
>> > via cron) I will end up running into issues with the certs.
>>
>> Are you using environments with this setup? You're going to have
>> undesirable side effects if you are with 0.24.x and a VIP.
>>
>> > The question I have is what is the best way to manage SSL certs in a
>> > more distributed fashion by using a shared certificate. I don't want to
>> > rely on a single instance of puppetmasterd to provide certs as that is
>> > a SPOF to me and since my remote sites are distant on the network my
>> > preference is to use the local hostA and hostB servers as puppetmasters
>> > and ssl servers with direct git clones (git pull when a major commit is
>> > tested in development/lab). I also use autosign so certs get created on
>> > demand.
>>
>> Is a subject altname on the SSL cert with wildcards for your domain
>> acceptable?
>>
>> >
>> > -Chris
>> >
>> > On Sat, Mar 13, 2010 at 5:50 AM, Alan Barrett <[email protected]> wrote:
>> >>
>> >> On Fri, 12 Mar 2010, Christopher Johnston wrote:
>> >> > Reason I am asking is I am having a bunch of SSL issues in
>> >> > production right now, I need to disable SSL until I get things
>> >> > fixed.
>> >>
>> >> As a workaround, perhaps you could use the
>> >> standalone compile/apply feature (new in 0.25); see
>> >>
>> >> <http://reductivelabs.com/trac/puppet/wiki/ReleaseNotes#command-line-compile-apply>.
>> >>
>> >> --apb (Alan Barrett)
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups "Puppet Users" group.
>> >> To post to this group, send email to [email protected].
>> >> To unsubscribe from this group, send email to
>> >> [email protected].
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/puppet-users?hl=en.
>>
>> --
>> nigel
