The secondaries are each clients of the first one. Does the puppetmaster process use the same certificate as puppetd?

Luke

On Sep 23, 2009, at 21:38 EDT, Ohad Levy wrote:

> Did you try signing your secondary puppet master as a client of the first one?
>
> make sure you use fqdn when referring to the second one, as its certificate would be valid to "puppet" or its fqdn.
>
> Ohad
>
> On Thu, Sep 24, 2009 at 4:37 AM, lschiere <luke.schie...@gmail.com> wrote:
>
> I have tried copying over the contents of the /var/lib/puppet/ssl/ca directory, but apparently something within it is specific to the host, such that it then complains that the certificates and keys do not match. I also saw http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities, but I do not want to put apache on each host. With cfengine2, it was very simple to have cfservd running on each host, distribute the keys to each, and then pull result files from the clients to the central server. I cannot seem to find an example of a similar setup with puppet.
>
> Luke
>
> On Sep 22, 4:30 pm, Luke Schierer <luke.schie...@gmail.com> wrote:
> > On Sat, Sep 19, 2009 at 7:53 AM, Luke Schierer <luke.schie...@gmail.com> wrote:
> >
> > > On Sep 19, 2009, at 05:11 EDT, Peter Meier wrote:
> >
> > >> The standard way to do that is:
> > >>>> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
> > >>>> - check for modules/foo/file-www4, then file-jaunty, then file
> >
> > >>>> * sourceselect:
> >
> > >> Whether to copy all valid sources, or just the first one. This parameter is only used in recursive copies; by default, the first valid source is the only one used as a recursive source, but if this parameter is set to all, then all valid sources will have all of their contents copied to the local host, and for sources that have the same file, the source earlier in the list will be used. Valid values are first, all.
> >
> > >> So you can have both variants.
> >
> > >> cheers pete
> >
> > > When I tried to do this with
> >
> > source => [ 'puppet://host1/files/target','puppet://host2/files/target']
> > it works fine for the first host, which acts as the puppetmaster, but not for the second one. It complains about an unknown CA.
> >
> > I realize that this is because the CA certificates differ on the two hosts, and the certificate puppet is using to pull files is only signed by one of the two, the one it gets its configuration from.
> >
> > Is there a key or keys I can distribute to each node so that I can pull files from all of them?
> >
> > Thanks!
> >
> > Luke
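
The "unknown CA" failure described in the quoted message, reproduced with plain OpenSSL as an added example that is not part of the original thread: two independent CAs stand in for host1 and host2, and an agent certificate issued by host1's CA is checked against each. The file names, the agent name agent.example.test and the helper functions are assumptions made for the illustration; the script writes only to a temporary directory and does not touch /var/lib/puppet/ssl.

```shell
#!/bin/sh
# Constructed demo: host1 and host2 each have their own self-signed CA,
# as two independently initialised masters would. All names are hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate for NAME.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1-ca" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_cert CA NAME: create a key and CSR for NAME and sign it with CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" \
        -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# trusts CA NAME: succeed only if NAME's certificate chains to CA.
trusts() {
    openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" 2>/dev/null \
        | grep -q ': OK$'
}

make_ca host1
make_ca host2
# The agent is a client of host1 only, so only host1's CA signs its certificate.
issue_cert host1 agent.example.test

for ca in host1 host2; do
    if trusts "$ca" agent.example.test; then
        echo "$ca: agent certificate accepted"
    else
        echo "$ca: agent certificate rejected (issuer not trusted)"
    fi
done
```
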