Yup, certname = puppet on both masters (primary/secondary).  Yeah, if you are
setting up a fresh server I usually clear all the pem files under
/var/lib/puppet/ssl then restart puppetmasterd so it generates a fresh new
cert.  I then rsync the tree over to the secondary.

I have most of this in a dumb script, but hopefully you get the idea.

For your fileserver question.. I don't believe that's needed, at least I don't
have anything in there for that. I only have [configs] [plugins] [facts].

I think the new version of 25+ now uses auth.conf for access to the certificate
directories.

-Chris

On Wed, May 19, 2010 at 12:30 PM, Matt Juszczak <m...@atopia.net> wrote:

> Makes sense.
>
> So that's just a certname setting inside the [puppetmasterd] config section
> of /etc/puppet.conf on the master, correct?  But that needs to be set as
> puppet before the puppetmaster is started and any certificates are signed.
>
> Keeping on this same subject, perhaps you can answer the fileserver.conf
> question as well - if a node does not have a signed cert, can it still
> access the fileserver, regardless of the allow/deny rules inside
> fileserver.conf?
>
> -Matt
>
>
> On Wed, 19 May 2010, Christopher Johnston wrote:
>
>> The masters would get certname = puppet, so the cert filename would end up
>> being puppet.pem.  You can then create a DNS
>> entry for the VIP called puppet.<domain>.<suffix>.  You just have to copy
>> that cert to the secondary nodes as well as
>> keeping the client certs in sync so when a failover happens you have the
>> client certs on the failover node.
>>
>> -Chris
>>
>> On Wed, May 19, 2010 at 11:45 AM, Matt Juszczak <m...@atopia.net> wrote:
>>            * keepalived to carry the vip
>>            * certname = puppet
>>            * copy the cert from the primary to the secondary
>>            * use a tool to keep /var/lib/puppet/ssl sync'd between the
>>              nodes (cron? rsnapshot?)
>>
>>            Might have to get a little creative.. I think you can also do a
>>            common CA, but that wasn't a requirement for my environment.
>>
>>
>> So I assume you're only talking about certname = puppet on the master,
>> correct?  The clients would still generate
>> hostname based certs?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-us...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>>

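An added example, not a script from this thread or from the Puppet project, of the reset / restart / rsync procedure Chris describes, together with a check a failover node owner would want: that the secondary's copy of /var/lib/puppet/ssl actually matches the primary's, and which client certs are missing on it. The ssl path, the init script name and the secondary hostname are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example (not from the thread): mint a fresh master cert with
# CN=puppet, mirror the ssl tree to the failover node, and verify the mirror.
# Assumed (hypothetical) defaults; override with environment variables.
SSL_DIR="${SSL_DIR:-/var/lib/puppet/ssl}"
SECONDARY="${SECONDARY:-puppet-secondary.example.com}"   # hypothetical host
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/puppetmaster}"   # assumed init script

# Step 1: remove every pem under the ssl dir so that, with certname = puppet
# in [puppetmasterd], the restart generates a new CA and puppet.pem.
# Only for a FRESH primary: this discards the CA and all signed client certs.
reset_master_ssl() {
    find "$1" -name '*.pem' -type f -exec rm -f {} +
}

# Step 2: restart so the new CA + puppet.pem are generated.
restart_master() {
    "$INIT_SCRIPT" restart
}

# Step 3: mirror the tree to the secondary over ssh. -a keeps the restrictive
# modes on private keys; --delete drops certs cleaned on the primary so the
# failover node does not keep trusting a revoked client.
sync_to_secondary() {
    rsync -a --delete -e ssh "$1/" "root@$2:$1/"
}

# Fingerprint every pem in a tree (relative path + cksum) so two trees can be
# compared without copying key material anywhere.
tree_digest() {
    ( cd "$1" || exit 1
      find . -name '*.pem' -type f | LC_ALL=C sort | while read -r f; do
          cksum "$f"
      done )
}

# Returns 0 when the two trees hold identical pem files (same names, same bytes).
trees_match() {
    [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]
}

# Lists pem files present on the primary tree ($1) but absent on the
# secondary tree ($2): these are the clients that would fail after a failover.
missing_on_secondary() {
    ( cd "$1" || exit 1
      find . -name '*.pem' -type f | LC_ALL=C sort ) | while read -r f; do
        [ -f "$2/$f" ] || echo "$f"
    done
}

# Full procedure for a fresh primary; the secondary tree is checked afterwards
# by mounting or pulling a read-only copy to $3 (e.g. via rsync in the other
# direction) and running trees_match on it.
rotate_and_sync() {
    reset_master_ssl "$1"
    restart_master
    sync_to_secondary "$1" "$2"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    rotate_and_sync "$SSL_DIR" "$SECONDARY"
fi
```

Run it as `sh sync-puppet-ssl.sh run` on the primary; to audit an existing pair, pull the secondary's tree to a scratch directory and compare with `trees_match /var/lib/puppet/ssl /tmp/secondary-ssl` and `missing_on_secondary ...`. Because the CA private key rides along in the rsync, the destination directory on the secondary should be root-only and the ssh key used should be restricted to that one command.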
