Yeah, right now I am not using environments. I would like to move to either passenger or mongrel for a more scalable setup (although I have heard mongrel has issues with memory leaks).

On Sun, Mar 14, 2010 at 1:53 PM, Nigel Kersten <ni...@explanatorygap.net> wrote:

> On Sat, Mar 13, 2010 at 11:33 AM, Christopher Johnston
> <chjoh...@gmail.com> wrote:
> > No I am not using environments with this setup, curious on how that would
> > make a difference if the module base is identical for all of my production
> > hosts.
>
> This probably explains it better.
>
> http://projects.reductivelabs.com/issues/1557
>
> The point is exactly that the module base isn't the same for different
> environments.
>
> > By using a subject altname on the cert would that allow for a distributed
> > certificate for all my hosts in that specific environment. Since each
> > datacenter has its own two puppetmasters they also have their own dns
> > domain suffix so that could work.
> >
> > On Sat, Mar 13, 2010 at 11:47 AM, Nigel Kersten <nig...@google.com> wrote:
> >>
> >> On Sat, Mar 13, 2010 at 8:43 AM, Christopher Johnston
> >> <chjoh...@gmail.com> wrote:
> >> > Sorry for the late response. That feature looks attractive, but not
> >> > feasible at this state. I am still running .24 version of puppet which
> >> > is working great (although performance could be slightly better!) and I
> >> > wasn't looking to do an upgrade to .25 for at least a month or two as
> >> > bugs iron out.
> >> >
> >> > Essentially my setup consists of a central git server and a puppetmaster
> >> > in our main site. In my remote locations I have two puppetmasters
> >> > running in a cluster using a VIP for its IP address. Since the physical
> >> > hostname could potentially change during a failover situation along with
> >> > the keys not being there (I could put the ssl certs on shared storage or
> >> > sync them from hostA to hostB via rsnapshot via cron) I will end up
> >> > running into issues with the certs.
> >>
> >> Are you using environments with this setup? You're going to have
> >> undesirable side effects if you are with 0.24.x and a VIP.
> >>
> >> > The question I have is what is the best way to manage SSL certs in a
> >> > more distributed fashion by using a shared certificate. I don't want to
> >> > rely on a single instance of puppetmasterd to provide certs as that is a
> >> > SPOF to me and since my remote sites are distant on the network my
> >> > preference is to use the local hostA and hostB servers as puppetmasters
> >> > and ssl servers with direct git clones (git pull when a major commit is
> >> > tested in development/lab). I also use autosign so certs get created on
> >> > demand.
> >>
> >> Is a subject altname on the SSL cert with wildcards for your domain
> >> acceptable?
> >>
> >> >
> >> > -Chris
> >> >
> >> > On Sat, Mar 13, 2010 at 5:50 AM, Alan Barrett <a...@cequrux.com> wrote:
> >> >>
> >> >> On Fri, 12 Mar 2010, Christopher Johnston wrote:
> >> >> > Reason I am asking is I am having a bunch of SSL issues in production
> >> >> > right now, I need to disable SSL until I get things fixed.
> >> >>
> >> >> As a workaround, perhaps you could use the
> >> >> standalone compile/apply feature (new in 0.25); see
> >> >>
> >> >> <http://reductivelabs.com/trac/puppet/wiki/ReleaseNotes#command-line-compile-apply>.
> >> >>
> >> >> --apb (Alan Barrett)
> >> >>
> >> >> --
> >> >> You received this message because you are subscribed to the Google
> >> >> Groups "Puppet Users" group.
> >> >> To post to this group, send email to puppet-us...@googlegroups.com.
> >> >> To unsubscribe from this group, send email to
> >> >> puppet-users+unsubscr...@googlegroups.com.
> >> >> For more options, visit this group at
> >> >> http://groups.google.com/group/puppet-users?hl=en.
> >>
> >> --
> >> nigel
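
The shared-certificate question raised in this thread (one cert for two puppetmasters behind a VIP, using a subject altname with a wildcard) can be checked with Ruby's OpenSSL bindings. This is an added example, not code from the thread or from Puppet; the `example.test` names, the self-signed certificate and the helper names `build_shared_cert` and `coverage` are assumptions made for the demonstration.

```ruby
require "openssl"

# Build a self-signed certificate standing in for the one hostA and hostB
# would share. cn is a physical hostname; san_names are the dNSName entries.
def build_shared_cert(cn, san_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3, needed for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject             # self-signed, for the demo only
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = san_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# For each name a client might connect to, report whether standard TLS
# hostname verification would accept the certificate.
def coverage(cert, names)
  names.map { |n| [n, OpenSSL::SSL.verify_certificate_identity(cert, n)] }.to_h
end

# Constructed sample names: a VIP name plus a wildcard for one site's suffix.
SAN_NAMES = ["puppet.dc1.example.test", "*.dc1.example.test"].freeze
CLIENT_NAMES = [
  "puppet.dc1.example.test",      # the VIP name, listed explicitly
  "hostb.dc1.example.test",       # physical node, covered by the wildcard
  "puppet.lab.dc1.example.test",  # two labels deep: wildcard spans one label
  "puppet.dc2.example.test",      # another site's suffix
  "hosta.mgmt.example.test"       # the CN itself, but absent from the SAN list
].freeze

if __FILE__ == $0
  cert = build_shared_cert("hosta.mgmt.example.test", SAN_NAMES)
  coverage(cert, CLIENT_NAMES).each { |name, ok| puts format("%-30s %s", name, ok) }
end
```

Once a DNS subject altname is present the CN is no longer consulted, so every name clients use to reach the VIP or either node has to appear in the SAN list.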