The masters would get certname = puppet, so the cert filename would end up being puppet.pem. You can then create a DNS entry for the VIP called puppet.<domain>.<suffix>. You just have to copy that cert to the secondary nodes, as well as keep the client certs in sync, so when a failover happens you have the client certs on the failover node.
-Chris

On Wed, May 19, 2010 at 11:45 AM, Matt Juszczak <m...@atopia.net> wrote:
>> * keepalived to carry the vip
>> * certname = puppet
>> * copy the cert from the primary to the secondary
>> * use a tool to keep /var/lib/puppet/ssl sync'd between the nodes (cron? rsnapshot?)
>>
>> Might have to get a little creative. I think you can also do a common CA, but that wasn't a requirement for my environment.
>
> So I assume you're only talking about certname = puppet on the master, correct? The clients would still generate hostname-based certs?
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
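An added example for the "keep /var/lib/puppet/ssl in sync" step, written for this page rather than taken from the thread or from Puppet itself. It assumes the default ssldir layout (certs/, private_keys/, ca/ca_crt.pem, ca/signed/) and that the master's cert file is named after its certname, so puppet.pem is what the VIP name must present. The function names and the MASTER_CERTNAME variable are mine. The copy refuses to run unless the source actually holds the VIP cert and key, so a cron job on the wrong host or one that fires before the master cert exists cannot push an incomplete tree to the standby, and it resets private-key modes after the copy rather than trusting whatever the transport preserved.

```shell
#!/bin/sh
# Hypothetical helper for the keepalived + certname=puppet setup discussed above.
# Added example, not code from the thread or from the Puppet project.
# Assumed layout (Puppet default ssldir): certs/, private_keys/, ca/ca_crt.pem, ca/signed/
set -eu

# The certname shared by the masters; the VIP DNS name must resolve to a node
# presenting certs/$MASTER_CERTNAME.pem. Hypothetical variable, default "puppet".
MASTER_CERTNAME="${MASTER_CERTNAME:-puppet}"

# Sanity check before copying: the tree must contain the master's own cert and
# key (what the VIP serves) and the CA cert (what the standby uses to verify
# client certs after failover). Returns non-zero if anything is missing.
check_master_certs() {
  ssl_dir=$1
  [ -f "$ssl_dir/certs/$MASTER_CERTNAME.pem" ] \
    || { echo "$ssl_dir: missing certs/$MASTER_CERTNAME.pem" >&2; return 1; }
  [ -f "$ssl_dir/private_keys/$MASTER_CERTNAME.pem" ] \
    || { echo "$ssl_dir: missing private_keys/$MASTER_CERTNAME.pem" >&2; return 1; }
  [ -f "$ssl_dir/ca/ca_crt.pem" ] \
    || { echo "$ssl_dir: missing ca/ca_crt.pem" >&2; return 1; }
  return 0
}

# Copy the whole ssldir (master cert, CA, signed client certs) from src to dst,
# preserving modes. Uses a tar pipe so the same shape works over ssh to the
# secondary; here both ends are local paths so it can be run offline.
sync_puppet_ssl() {
  src=$1
  dst=$2
  check_master_certs "$src" || return 1
  mkdir -p "$dst"
  (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xpf -)
  # Private keys (master key, and the CA key if this is the CA) must never be
  # group/world readable on the standby, whatever the transport did with modes.
  chmod 0700 "$dst/private_keys"
  chmod 0600 "$dst/private_keys"/*.pem
  if [ -f "$dst/ca/ca_key.pem" ]; then
    chmod 0600 "$dst/ca/ca_key.pem"
  fi
  return 0
}

# Usage from cron on the primary, pushing to a staging copy or a mounted path:
#   sync_puppet_ssl /var/lib/puppet/ssl /mnt/standby/var/lib/puppet/ssl
```

To push over the network instead, replace the receiving subshell with `ssh secondary 'cd /var/lib/puppet/ssl && tar -xpf -'` and run the chmod step on the secondary. Whatever transport you use, the check_master_certs gate is the part worth keeping: a sync that silently copies an ssldir without puppet.pem leaves the standby unable to answer on the VIP name after keepalived moves it.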