On Sep 8, 9:01 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> Yes, it's possible :)
>
> but that would mean a CA chain, and eventually that each client can query
> all puppetmasters (which I'm not sure is what you are looking for).

I'm not sure I quite follow the logic there. Is the theory that the
intermediate puppetmaster will use the same certificate to
identify itself to its puppetmaster that it uses to sign (and verify)
its own clients' certificates? And following from that, are you
suggesting that the top level puppetmasters will then find their own
certificate in the chain of trust, for the low-level clients, and
therefore allow them to connect?

That sounds reasonable, but is it all documented / demonstrable, or
just speculative? I don't see any special reason why it would have to
have been implemented that way, but perhaps it falls out naturally.

> maybe set up a different puppet.conf for your puppet master clients (with a
> different ssl directory etc?)

And something along those lines would indeed seem to be a viable
solution. More generally (and abstractly), isolate the intermediate
puppetmaster's trust relationship with its own puppetmaster from its
relationships with its clients.
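One concrete way to do that isolation, as an added example that is not from this thread or from Puppet's own documentation: a puppet.conf on the intermediate puppetmaster that gives its agent role and its master role separate ssl directories. It assumes the `[agent]` / `[master]` section names of Puppet 2.6 and later and that `ssldir` is honored per section; the hostnames and paths are placeholders.

```ini
# puppet.conf on the intermediate puppetmaster (constructed example, not from the thread)
# Goal: the agent half trusts only the top-level CA; the master half is its own CA
# for the clients below it. Neither role sees the other's keys or CA bundle.
# Assumption: this Puppet version lets ssldir be set per section.

[main]
    # Deliberately no SSL settings here, so neither role inherits the other's ssldir.
    vardir = /var/lib/puppet
    logdir = /var/log/puppet

[agent]
    # This host acting as a client of the top-level master.
    # Its ssldir holds only this host's key/cert (signed by the top-level CA)
    # plus the top-level CA certificate and CRL.
    server = top.example.com        # placeholder hostname
    ca_server = top.example.com     # placeholder hostname
    certname = intermediate.example.com
    ssldir = /var/lib/puppet/ssl-agent

[master]
    # This host acting as master (and CA) for its own clients.
    # Its ssldir holds the local CA key/cert and the certificates it has signed.
    ca = true
    certname = intermediate.example.com
    ssldir = /var/lib/puppet/ssl-master
```

With this layout the intermediate's clients hold certificates that chain only to the intermediate's CA, and the top-level master never has to evaluate them, so the chain-of-trust question above does not arise; the cost is a second CA to operate (key protection, revocation, certificate expiry).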