Check out this WIP doc where I describe how to get intermediate certs 
working. It *is* possible but there are a couple of caveats described in 
the doc.

If anyone's motivated to try this out and let me know how it works for you, 
I'd be hugely appreciative. I got it to "works for me" level of readiness 
but would like some further validation so we can move it up to being a 
supported configuration with the bugs ironed out:

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Wednesday, June 8, 2016 at 9:34:25 AM UTC-7, Salty Old Cowdawg wrote:
>
> @Dan White:  that link was pretty much what I was looking for.  I take it, 
> then, that you have openssl sign certs for each master (grand and remote) and 
> configure Puppet to use those certs. 
>
> The tricky part is going to be installing the new certs in production.  
> Sorta like changing a tire when the car is still moving. 
>
> On Wed, Jun 8, 2016 at 10:57 AM Dan White <d_e_wh...@icloud.com> wrote:
>
>> Could the regional masters be set up as intermediate certificate 
>> authorities ?
>> I found a link that describes the basics.
>>
>> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
>>
>> Dan White | d_e_wh...@icloud.com
>> ------------------------------------------------
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Watterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 08, 2016, at 10:40 AM, Peter Berghold <salty.cowd...@gmail.com> 
>> wrote:
>>
>> In the Puppet setup I have where I work, it has been increasingly 
>> desirable, if not required, to have each of our data centers be able to 
>> operate standalone. Because of this, I've been Googling around looking for a 
>> methodology to allow multiple certificate authorities in Puppet. Currently 
>> we have our grand master Puppet server in one data center and we have 
>> several Puppet masters in other data centers in geographically diverse 
>> areas. When a new client is added with our current setup, that new client 
>> has to reach out and get its certificate signed by the Grandmaster. This is 
>> getting us through setting up Puppet currently, but long-term this is 
>> undesirable.
>>
>> Can anybody point me to a methodology for setting up multiple certificate 
>> authorities that actually works? Looks like the pages on the topic I have 
>> read so far are outdated.
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/CAArvnv2OQP5QcG9TTy_EVTursMkUdW2MhB7%3D_ZPiH7XnQ1mWrQ%40mail.gmail.com
>>  
>> <https://groups.google.com/d/msgid/puppet-users/CAArvnv2OQP5QcG9TTy_EVTursMkUdW2MhB7%3D_ZPiH7XnQ1mWrQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>

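An added worked example for the intermediate-CA layout discussed in this thread (the "create the intermediate pair" recipe Dan linked, and the "openssl signs certs for each master" arrangement Peter describes). It is not from the thread, not from eric0's gist, and not Puppet's own CA code; it only covers the X.509 side with the openssl command-line tool. All names (Example Root CA, dc2-ca, puppet-dc2.example.com, rogue-ca) are made up. It builds an offline root ("grandmaster"), one regional intermediate signed by the root, and a master cert issued by the intermediate, then runs the two checks a practitioner wants before rolling this into production: an agent that holds only the root cert cannot verify the master until the intermediate is distributed alongside the leaf (the "changing a tire while the car is moving" problem), and a pathlen:0 intermediate cannot quietly mint further CAs below itself.

```sh
#!/bin/sh
# Added example, not from the Puppet Users thread or from Puppet itself.
# Builds root -> regional intermediate -> master cert with openssl and
# checks what a verifier holding only the root can and cannot validate.
# Every name below is invented for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

# One config file carries the extension profile for each tier.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_root
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
# pathlen:0: may issue end-entity certs only, never another CA
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# new_csr NAME SUBJECT: fresh RSA key plus CSR under $WORK.
new_csr() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER PROFILE: sign NAME's CSR with ISSUER's key and PROFILE.
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  # Offline root ("grandmaster"): self-signed.
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" 2>/dev/null
  # Regional intermediate, signed by the root.
  new_csr dc2-ca "/CN=Example DC2 Intermediate CA"
  issue dc2-ca root v3_intermediate
  # Regional master cert, issued by the intermediate rather than the root.
  new_csr puppet-dc2 "/CN=puppet-dc2.example.com"
  issue puppet-dc2 dc2-ca v3_leaf
  # A sub-CA the intermediate tries to create beneath itself; signing
  # succeeds (openssl x509 does not police the issuer's pathlen), but
  # verification below must reject anything issued through it.
  new_csr rogue-ca "/CN=Rogue Sub CA"
  issue rogue-ca dc2-ca v3_intermediate
  new_csr rogue-leaf "/CN=evil.example.com"
  issue rogue-leaf rogue-ca v3_leaf
  cat "$WORK/dc2-ca.crt" "$WORK/rogue-ca.crt" > "$WORK/rogue-chain.pem"
}

# Verifier holds the root and receives the intermediate with the leaf: OK.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/dc2-ca.crt" \
    "$WORK/puppet-dc2.crt" >/dev/null 2>&1
}

# Verifier holds the root only; the intermediate was never distributed: fails.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/puppet-dc2.crt" >/dev/null 2>&1
}

# Leaf under a sub-CA minted by the pathlen:0 intermediate: fails.
verify_rogue_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rogue-chain.pem" \
    "$WORK/rogue-leaf.crt" >/dev/null 2>&1
}

# Issuer of the master cert, for inspection.
leaf_issuer() { openssl x509 -in "$WORK/puppet-dc2.crt" -noout -issuer; }

build_pki
verify_with_chain  && echo "full chain: OK"
verify_root_only   || echo "root only, intermediate missing: rejected"
verify_rogue_chain || echo "sub-CA below pathlen:0 intermediate: rejected"
```

The second check is the one that bites during the in-place cutover: every agent that only trusts the root has to be given the intermediate (as part of the chain the master presents, or in its local CA bundle) before the master switches to the new cert, or verification fails exactly as verify_root_only does here. How Puppet itself is pointed at these files is what eric0's gist covers; this script does not touch puppet.conf.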