On Fri, Sep 10, 2010 at 4:44 PM, John Ferlito <jo...@inodes.org> wrote:

> On Fri, Sep 10, 2010 at 03:09:50PM -0700, Nigel Kersten wrote:
>> On Fri, Sep 10, 2010 at 10:40 AM, Steven <snem...@hotmail.com> wrote:
>> > You need to set up a global CA infrastructure. This would be one root with all the puppet servers being trusted. Then any puppet server can sign certs and accept certs signed by the other servers. Once that is done the rest of the work is easy. Some people have written instructions on setting it up before. You will need to search for them.
>>
>> Or set up a single CA server and use the 'ca_server' directive on your clients, removing all CA functionality from your "normal" puppetmasters with --no-ca.
>
> In that type of set up, if you lose your CA does that only prevent signing new clients, or is the CA used in the normal course of a puppet run as well?
It only prevents signing of new clients. Existing clients continue to function fine.

Our methodology here is to regularly rsync the relevant data from the puppetca to all the other puppetmasters, and we can easily enable CA functionality on any other puppetmaster, and we use a CNAME for the CA. That way if the CA is completely dead, we can quickly turn any other server into the CA by modifying a DNS entry.

> Cheers,
> John
>
> --
> John
> Blog http://www.inodes.org
> LCA2011 http://www.lca2011.org.au

--
nigel
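The warm-standby arrangement Nigel describes (agents carry `ca_server = puppetca.example.com` in `[agent]`, the non-CA masters run with `--no-ca`, i.e. `ca = false`, and the CA directory is rsynced to them so any of them can be promoted by moving the CNAME) can be scripted as below. This is an added example, not code from the thread or from Puppet itself. It assumes a Puppet 2.6-era `$ssldir` layout under `/var/lib/puppet/ssl`, a CA reachable as the hypothetical CNAME `puppetca.example.com`, ssh access for the `puppet` user, and that it runs on a standby puppetmaster; the function names are made up for illustration. Beyond the plain rsync, it adds the two checks a practitioner wants before promoting a replica: that the copied CA certificate is byte-identical to the one the fleet already trusts, and that the CA's serial counter has not gone backwards since the last sync (a restored-from-backup CA would otherwise re-issue serials already in the field).

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): warm-standby handling
# for a single Puppet CA using the rsync-plus-CNAME approach described above.
# Assumptions (hypothetical): Puppet 2.6-era ssldir under /var/lib/puppet/ssl,
# live CA reachable via the CNAME puppetca.example.com, script run as the
# puppet user on a standby master started with --no-ca (ca = false).

SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
CA_HOST="${CA_HOST:-puppetca.example.com}"

# Pull the CA state a standby needs to take over: ca_key.pem, ca_crt.pem,
# ca_crl.pem, the serial counter, inventory.txt, signed/ and requests/.
# -a preserves the 0600 mode on the private key; --delete makes certs that
# were cleaned or revoked on the live CA disappear here too. Note that this
# copies the CA private key, so the standby and the ssh identity used here
# need the same protection as the CA itself.
sync_ca_from_live_ca() {
    rsync -a --delete -e ssh "puppet@${CA_HOST}:${SSLDIR}/ca/" "${SSLDIR}/ca/"
}

# The replicated CA cert must be byte-identical to the CA cert this host
# (and every agent) already trusts as $SSLDIR/certs/ca.pem; anything else
# means the replica is not the CA the fleet was enrolled against.
# Returns 0 on match, 1 otherwise.
verify_ca_copy() {
    ca_dir="$1"
    certs_dir="$2"
    [ -f "$ca_dir/ca_crt.pem" ] || return 1
    [ -f "$ca_dir/ca_key.pem" ] || return 1
    cmp -s "$ca_dir/ca_crt.pem" "$certs_dir/ca.pem"
}

# Puppet keeps the next serial as a hex string in $SSLDIR/ca/serial. Snapshot
# it before sync_ca_from_live_ca and compare afterwards: if the freshly pulled
# value is lower, the live CA has lost state (e.g. restored from an old backup)
# and promoting this replica would re-issue serials already in the field.
# Returns 0 if the counter did not go backwards.
serial_not_regressed() {
    old="$1"
    new="$2"
    [ "$((0x$new))" -ge "$((0x$old))" ]
}

# Promote this host: run the consistency check, then flip ca = false to
# ca = true in puppet.conf so the master signs again after restart. The final
# step, pointing the CNAME at this host, happens in DNS outside this script.
# Returns 1 (and leaves the config untouched) if the check fails.
promote_to_ca() {
    conf="$1"
    ca_dir="$2"
    certs_dir="$3"
    verify_ca_copy "$ca_dir" "$certs_dir" || return 1
    sed 's/^[[:space:]]*ca[[:space:]]*=[[:space:]]*false/ca = true/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}
```

Run `sync_ca_from_live_ca` from cron on every non-CA master; on failover, make sure the old CA is really down (or stop its puppetmasterd) before `promote_to_ca` and the DNS change, so two CAs never sign concurrently with diverging serial files, and re-point `CA_HOST` on the remaining standbys at the new CA afterwards.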