I'm trying to split out my certificate authority and have one CA and
multiple masters, currently using round robin DNS, possibly using
HAproxy later.

Got most of the way there but tangled up in names and certificates.
When the Puppet CA generated its certificate the PTR record for its
IP pointed back to its domain name ("henson") and it had a CNAME
"puppet", and it happily answers to both names because it generated a
cert with:

               X509v3 Subject Alternative Name:
               DNS:henson.domain.com, DNS:puppet, DNS:puppet.domain.com

I'm in development mode so got it in my head I wanted at least two
masters (looking to support about 2k systems out of the gate with some
bursty cloudiness on top of that), so I lost the CNAME, made "puppet" A
records for this host's IP and another ("burton"), and added a puppet-ca
CNAME to henson, figuring I could just keep using the CA.

Calling the systems by their "real" names as returned by 'facter fqdn'
or a reverse lookup on their IP works fine, and "henson" is accepted as
"puppet" due to its altName list, but "burton" (which was installed
as a normal client to get its initial signed cert) didn't get any
altName fields.

I'm OK with flushing all my certs and starting over, but I have a
couple of questions. How does the puppet CA populate the altName
field, and can I make it do what I want for both the CA and the non-CA
servers, or do I just need to suck it up, go get cozy with the openssl
docs and do the server certs by hand if I want them fancy like that?

Thanks,
-Jon
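The altName question above, worked through as an added example (not part of the original post or of Puppet's own code). It assumes Puppet's `dns_alt_names` setting in puppet.conf is what feeds the subjectAltName of the CSR, that an `openssl` binary is on PATH, and that burton's ssldir is the default /var/lib/puppet/ssl; the hostnames are the poster's. The CA copies the extension from the CSR rather than inventing names, so the setting has to be in place before the first request, and the `make_sample_cert` helper builds a constructed sample cert the "by hand" way so the check can be tried without Puppet.

```shell
#!/bin/sh
# Added example, not from the original post: assumes Puppet's dns_alt_names
# setting, openssl on PATH, and /var/lib/puppet/ssl as burton's ssldir.
# 1. On the non-CA master ("burton") list extra names BEFORE its first CSR:
#    the CA copies subjectAltName from the CSR and adds nothing on its own.
write_puppet_conf() {
  cat > "$1" <<'EOF'
[main]
dns_alt_names = burton.domain.com,puppet,puppet.domain.com
EOF
}
# 2. Replace the SAN-less cert: remove it on the CA, wipe burton's ssldir so
#    a fresh CSR (now carrying altNames) is sent, then sign it on the CA.
reissue_master_cert() {
  puppet cert clean burton.domain.com                 # on henson (the CA)
  rm -rf /var/lib/puppet/ssl                          # on burton
  puppet agent --test --server puppet-ca.domain.com --waitforcert 60
  puppet cert sign burton.domain.com                  # on henson again
}
# 3. Print the DNS names in a cert's subjectAltName, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
# 4. Succeed only if the cert answers to every name given: the check to run
#    on each master's cert before putting it behind round-robin DNS/HAProxy.
cert_has_names() {
  cert=$1; shift
  for n in "$@"; do
    san_names "$cert" | grep -qx "$n" || return 1
  done
}
# Constructed sample: self-signed cert with the SAN list burton should get,
# built the "by hand" way from an openssl config (runs without Puppet).
make_sample_cert() {
  cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = burton.domain.com
[v3_req]
subjectAltName = DNS:burton.domain.com,DNS:puppet,DNS:puppet.domain.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -extensions v3_req -keyout "$1/burton.key" -out "$1/burton.pem" 2>/dev/null
}
```

Running `cert_has_names` against henson's cert with the same three names plus `henson.domain.com` is the quick way to confirm the CA-side cert already matches what the agents will ask for.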

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.