Yes, I am aware that by going with mongrel/passenger it will be handled by mod_ssl. I set up mongrel in my lab today; it didn't take much to get going (the puppet wiki was VERY helpful). Unfortunately passenger doesn't look to be packaged up other than as a gem (I didn't investigate further than a quick check).

I am not sure option 1) would be the best thing for me to use, considering I have a very diverse environment that scales out to quite a few datacenters. That seems like it would be a single point of failure for me in the event the SSL server cannot be reached (network outage, power, etc). I run a stateless environment that has a pretty big production dependency on puppet. I think I may look into option 2) with a CA chain hierarchy (using the centralised puppet infrastructure setup on the wiki). More to come tomorrow if I get stuck!

-Chris

On Mon, Mar 15, 2010 at 11:26 AM, Ohad Levy <ohadl...@gmail.com> wrote:
> ssl has nothing to do with mongrel or passenger, as ssl is handled in
> apache (or nginx).
>
> as far as it goes for SSL, you have two options:
> 1. a single CA
> 2. CA chain hierarchy.
>
> the first option is simple, one of your puppetmasters will be your CA, and
> every signing will run on it; you would require it for any new certs that are
> introduced to your setup.
>
> the second option works as well, and is described at
> http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability under
> Centralised_Puppet_Infrastructure
>
> if you can afford using a single machine for signing your certs, I
> would recommend you go with option 1 (as someone using option 2 for a few
> years now).
>
> Cheers,
> Ohad
>
> On Mon, Mar 15, 2010 at 11:10 PM, Christopher Johnston <chjoh...@gmail.com> wrote:
>
>> I will keep that in mind; ideally I would like to keep SSL in place for
>> security purposes. I was really looking for a quick hack/slash to disable SSL
>> for the time being just to get past some auth issues.
>>
>> Longer term though, from a scalability POV, I will in the end have over
>> 24-30 puppetmasters across my environment in various datacenters, so SSL
>> management, redundancy and performance are some big concerns.
>>
>> What is the preferred approach to handling this? Seems mongrel is the
>> preferred setup? or passenger?
>>
>> -Chris
>>
>>
>> On Sun, Mar 14, 2010 at 8:16 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> If you front Puppet with Apache per the Mongrel instructions and set the
>>> SSLCipherSuite to 'NULL' in Apache, then it will turn off all encryption.
>>>
>>> Trevor
>>>
>>> On 03/12/2010 05:57 PM, Dan Bode wrote:
>>> >
>>> > On Fri, Mar 12, 2010 at 2:53 PM, Christopher Johnston <chjoh...@gmail.com> wrote:
>>> >
>>> >     Is there a way to disable SSL altogether for testing?
>>> >
>>> > I would use the puppet executable for testing/evaluation. It removes the
>>> > need to even have a server.
>>> >
>>> >     -Chris
>>> >
>>> >     --
>>> >     You received this message because you are subscribed to the Google
>>> >     Groups "Puppet Users" group.
>>> >     To post to this group, send email to puppet-users@googlegroups.com.
>>> >     To unsubscribe from this group, send email to
>>> >     puppet-users+unsubscribe@googlegroups.com.
>>> >     For more options, visit this group at
>>> >     http://groups.google.com/group/puppet-users?hl=en.
>>>
>>> - --
>>> Trevor Vaughan
>>> Vice President, Onyx Point, Inc.
>>> email: tvaug...@onyxpoint.com
>>> phone: 410-541-ONYX (6699)
>>>
>>> - -- This account not approved for unencrypted sensitive information --
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>
>>> iEYEARECAAYFAkudfGEACgkQyWMIJmxwHpRC1ACg2Bz+PgFGW5JAXb5xL1TG7eHD
>>> 6FUAnigOX+2aMYlenFxSDnNAPvfqlDD7
>>> =qTaN
>>> -----END PGP SIGNATURE-----
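The following is an added example, not code from this thread or from Puppet itself, illustrating Ohad's option 2 (a CA chain hierarchy) and why it addresses Chris's single-point-of-failure concern: each datacenter gets its own intermediate CA signed by one offline root, agents trust only the root, and a node certificate verifies as long as its intermediate is presented with it. All names (Puppet Root CA, dc-a, dc-b, node1.dc-a.example) and the helper functions are constructed for this example; the checks use Ruby's standard OpenSSL bindings. The negative cases show what the chain verification rejects: a node cert presented without its intermediate, one paired with the wrong intermediate, one issued by a CA outside the hierarchy, and one issued by a node certificate that is marked CA:FALSE.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate. With no issuer the cert is self-signed (a root CA);
# otherwise it is signed by the issuer's key and its issuer name chains to the issuer's subject.
# Helper constructed for this example; it is not Puppet's own CA code.
def issue_cert(cn, serial, ca:, issuer: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  # basicConstraints and keyUsage are what let a verifier tell a CA from a leaf:
  # a node cert marked CA:FALSE cannot be used to mint further certificates.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment',
                                         true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Verify a node certificate against a trust store that holds only the root,
# supplying the intermediate(s) the way a server presents them in the TLS handshake.
def chain_verifies?(root_cert, leaf_cert, intermediates = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store.verify(leaf_cert, intermediates)
end

# Constructed hierarchy: one root, one intermediate per datacenter, one node per intermediate,
# plus a CA outside the hierarchy and a cert "issued" by a non-CA node certificate.
def build_hierarchy
  root    = issue_cert('Puppet Root CA', 1, ca: true)
  dc_a    = issue_cert('Puppet CA dc-a', 2, ca: true, issuer: root)
  dc_b    = issue_cert('Puppet CA dc-b', 3, ca: true, issuer: root)
  node_a  = issue_cert('node1.dc-a.example', 100, ca: false, issuer: dc_a)
  node_b  = issue_cert('node1.dc-b.example', 101, ca: false, issuer: dc_b)
  outside = issue_cert('Some Other CA', 4, ca: true)
  node_x  = issue_cert('node1.dc-a.example', 102, ca: false, issuer: outside)
  forged  = issue_cert('node2.dc-a.example', 103, ca: false, issuer: node_a)
  { root: root, dc_a: dc_a, dc_b: dc_b, node_a: node_a, node_b: node_b,
    outside: outside, node_x: node_x, forged: forged }
end

# Run the verification cases and return their results keyed by name.
def run_checks(h = build_hierarchy)
  root = h[:root][:cert]
  {
    node_a_via_dc_a:           chain_verifies?(root, h[:node_a][:cert], [h[:dc_a][:cert]]),
    node_b_via_dc_b:           chain_verifies?(root, h[:node_b][:cert], [h[:dc_b][:cert]]),
    node_a_no_intermediate:    chain_verifies?(root, h[:node_a][:cert]),
    node_a_wrong_intermediate: chain_verifies?(root, h[:node_a][:cert], [h[:dc_b][:cert]]),
    outside_ca:                chain_verifies?(root, h[:node_x][:cert], [h[:outside][:cert]]),
    leaf_as_issuer:            chain_verifies?(root, h[:forged][:cert], [h[:dc_a][:cert], h[:node_a][:cert]])
  }
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, ok| puts format('%-26s %s', name, ok ? 'verified' : 'rejected') }
end
```

The two positive cases pass with nothing but the root in the store, which is the property Chris wants: an agent in dc-b keeps working when the dc-a signing host is unreachable, because the root is never contacted at verification time and each datacenter's intermediate signs its own nodes. Losing the root's availability only blocks the issuance of new intermediates, not day-to-day agent runs.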