I agree one CA is more than capable and the load balancing point here is pretty much moot. I, as well, will have many nodes dispersed worldwide within DCs and with hosting providers like AWS and DO. Having a flexible and simple setup which can operate independent of other sites is a requirement. We will be building and tearing down nodes frequently, so having zero downtime with the provisioning and CM services is also a requirement here. Aside from the simple puppetserver / CA config, the haproxy setup I'm running is very straightforward. With the shared certificate I can call all masters with the same name and the Puppet web server points to the correct cert.

I honestly haven't encountered the problem everyone says exists with active/active CAs.

A CA's job is to sign new certificates. When a node is torn down the cert will be wiped at all CAs, so in the event the hostname is reused there shouldn't be a problem.

Where does the problem arise with serial number conflicts? How can I reproduce this issue?

Also, is the traffic from your haproxy to the masters not using SSL?

You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
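The serial number conflict the poster asks about comes from a property of X.509 itself: a serial number must be unique per issuer, and a CRL identifies revoked certificates by issuer plus serial alone. Two CA instances that share one CA certificate and key but each keep their own serial counter (each Puppet CA has its own serial file) will both hand out serial 1, serial 2, and so on. The following dependency-free Python model is an added example, not code from the thread or from Puppet; the CA names, hostnames and issuer string are constructed. It reproduces the collision, shows how revoking one torn-down node's cert also invalidates a live node's cert signed by the other instance, and includes the audit a practitioner would run over an inventory of issued certs to detect duplicates.

```python
"""Added example (not part of the original thread): two active/active CA
instances sharing one issuer identity but keeping independent serial
counters.  Demonstrates (1) where duplicate serials come from and (2) why
they matter: CRL revocation is keyed by (issuer, serial), so revoking one
node's cert can reject another node's cert.  All names are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    issuer: str      # issuer name on the shared CA certificate
    serial: int      # serial assigned by whichever CA instance signed it
    subject: str     # node hostname
    signed_by: str   # bookkeeping for the demo only; a real cert does not carry this


@dataclass
class CAInstance:
    """One CA instance: shares `issuer` (cert/key) with its peers, owns its counter."""
    name: str
    issuer: str
    next_serial: int = 1
    issued: list = field(default_factory=list)

    def sign(self, subject: str) -> Cert:
        cert = Cert(self.issuer, self.next_serial, subject, self.name)
        self.next_serial += 1      # independent counter, like a per-CA serial file
        self.issued.append(cert)
        return cert


@dataclass
class CRL:
    """A CRL lists revoked certificates by serial number for one issuer."""
    issuer: str
    revoked_serials: set = field(default_factory=set)

    def revoke(self, cert: Cert) -> None:
        self.revoked_serials.add(cert.serial)

    def is_revoked(self, cert: Cert) -> bool:
        return cert.issuer == self.issuer and cert.serial in self.revoked_serials


def find_serial_collisions(certs):
    """Audit helper: group certificates by (issuer, serial) and return duplicates."""
    seen = {}
    for c in certs:
        seen.setdefault((c.issuer, c.serial), []).append(c)
    return {k: v for k, v in seen.items() if len(v) > 1}


def demo():
    """Two CA instances behind one name; returns (collisions, wrongly_revoked)."""
    issuer = "Puppet CA: puppet.example.net"   # constructed issuer name
    ca_a = CAInstance("ca-a", issuer)
    ca_b = CAInstance("ca-b", issuer)

    # Nodes reach "the" CA through a load balancer and land on either instance.
    web1 = ca_a.sign("web1.example.net")   # serial 1 from ca-a
    db1 = ca_b.sign("db1.example.net")     # serial 1 from ca-b: same issuer, same serial
    ca_a.sign("web2.example.net")          # serial 2 from ca-a

    all_certs = ca_a.issued + ca_b.issued
    collisions = find_serial_collisions(all_certs)

    # web1 is torn down and its cert revoked; the CRL is shared with all masters.
    crl = CRL(issuer)
    crl.revoke(web1)

    # Every live node whose cert carries the colliding serial is now rejected too.
    wrongly_revoked = [c.subject for c in all_certs
                       if crl.is_revoked(c) and c is not web1]
    return collisions, wrongly_revoked


if __name__ == "__main__":
    collisions, wrongly = demo()
    for (issuer, serial), certs in collisions.items():
        print(f"serial {serial} issued twice by '{issuer}': "
              + ", ".join(f"{c.subject} via {c.signed_by}" for c in certs))
    print("live nodes rejected by the CRL:", wrongly)
```

The collision is silent as long as nothing is ever revoked, which is why an active/active setup can appear to work; wiping a cert at every CA on teardown does not help, because the revocation entry that gets published still names only the serial. The `find_serial_collisions` audit is the check to run over the combined list of issued certificates from all instances before trusting such a setup.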