I agree one CA is more than capable and the load balancing point here is
pretty much moot. I as well will have many nodes dispersed worldwide
within DCs and with hosting providers, like AWS and DO. Having a flexible
and simple setup which can operate independent of other sites is a
requirement. We will be building and tearing down nodes frequently so
having zero downtime with the provisioning and CM services is also a
requirement here. Aside from the simple puppetserver / ca config the
haproxy setup I'm running is very straightforward. With the shared
certificate I can call all masters with the same name and the puppet web
server points to the correct cert.
I honestly haven't encountered the problem everyone says exists with
A CA's job is to sign new certificates. When a node is torn down the cert
will be wiped at all CAs so in the event the hostname is reused there
shouldn't be a problem.
Where does the problem arise with serial number conflicts? How can I
reproduce this issue?
Also is the traffic from your haproxy to the masters not using SSL?