On Wed, Sep 9, 2009 at 9:11 PM, jcbollinger <john.bollin...@stjude.org> wrote:

> On Sep 8, 9:01 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> > Yes, it's possible :)
> >
> > but that would mean a CA chain, and eventually that each client can query
> > all puppetmasters (which I'm not sure is what you are looking for).
>
> I'm not sure I quite follow the logic there. Is the theory that the
> intermediate puppetmaster will use the same certificate to identify itself
> to its puppetmaster that it uses to sign (and verify) its own clients'
> certificates? And following from that, are you suggesting that the top
> level puppetmasters will then find their own certificate in the chain of
> trust for the low-level clients, and therefore allow them to connect?

I have this setup currently. I wrote a wiki page about it at:
http://reductivelabs.com/trac/puppet/wiki/PuppetScalability under
"Centralized Puppet Infrastructure".

> That sounds reasonable, but is it all documented / demonstrable, or just
> speculative? I don't see any special reason why it would have to have
> been implemented that way, but perhaps it falls out naturally.
>
> > maybe set up a different puppet.conf for your puppet master clients (with
> > a different ssl directory etc.?)
>
> And something along those lines would indeed seem to be a viable solution.
> More generally (and abstractly), isolate the intermediate puppetmaster's
> trust relationship with its own puppetmaster from its relationships with
> its clients.

Yeah, that makes more sense in your setup.

Ohad
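The "different puppet.conf with a different ssl directory" idea discussed above, written out as an added example (not part of the thread, the wiki page, or the Puppet project's own documentation). The hostnames, the file path and the directory names are assumptions; the settings `ssldir`, `server` and `certname` are the standard puppet.conf settings of that era. The intermediate puppetmaster keeps its default ssldir (and the CA it runs there) for signing and verifying its own clients, and runs its agent against a second config file whose ssldir holds only the certificate issued to it by the top-level master, so the two trust relationships never share key material or a CA:

```ini
; /etc/puppet/puppet-upstream.conf  (assumed path, constructed example)
; Used only when the intermediate puppetmaster acts as a client of the
; top-level puppetmaster, e.g.  puppetd --config /etc/puppet/puppet-upstream.conf
[main]
    ; separate key/cert store: independent of the CA this host runs for its
    ; own clients under the default ssldir
    ssldir   = /var/lib/puppet/ssl-upstream
    ; the top-level puppetmaster this host fetches its own catalog from
    server   = top.example.com
    ; identity this host presents upstream; signed by top.example.com's CA,
    ; not by the CA in the default ssldir
    certname = intermediate1.example.com
```

With this split, a certificate signed by the intermediate's own CA is never presented to the top-level master and vice versa, which is the isolation described above without building a CA chain.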