On Tue, Jan 18, 2011 at 10:41, Robert Scheer <r...@xs4all.net> wrote:

> Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
> and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
> to balance over some 10 puppetmaster processes. The configured
> SSLCertificateFile in Apache is that of puppet-new.domain
>
> How do I get a node to stop complaining when connecting to
> puppet-old.domain (ending up at puppet-new.domain through the CNAME)?

Did you generate a new server certificate for the new host, or reuse
the certificate from the old host?  My guess is the former, because
doing the latter would get the same complaint when machines connected
to the new name. :)

The trick you want is to generate a server certificate that includes
both names in it, using the subject alternate names part of the
certificate, to tell the client that it certifies both names as being
valid for the same host.

[...]

> The reason I want this to work is because I want to be able to remove the
> puppet-old server without having to wait for every single node. There are
> dozens who haven't connected to the puppet-old server in quite a while for
> various reasons (down, hanging puppetd, network issues, ...), and I'm sure
> most of them will after a reboot, but I'd like to redirect those to the
> puppet-new server without having to keep the puppet-old server running.

We don't do anything extra-fancy with SSL to match the hostname or
anything, so this is just regular old SSL troubles.

Regards,
    Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons
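
Added example (not part of the original message, and not Puppet's own code): a Ruby sketch of the check the reply describes. The client compares the name it was configured with against the names in the certificate, so the CNAME is irrelevant to the outcome. The self-signed certificates and the helper names make_cert and valid_for? are constructed for illustration; a real puppetmaster certificate would be issued by the Puppet CA.

```ruby
require 'openssl'

# One throwaway key for all constructed certificates in this example.
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate for common_name. san_names is the list of
# DNS names to place in the subjectAltName extension (empty = no extension).
def make_cert(common_name, san_names)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same identity check Ruby's SSL client code applies after the handshake:
# does this certificate vouch for the hostname the client asked for?
def valid_for?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $0
  # Certificate as in the question: only the new name is certified.
  single = make_cert('puppet-new.domain', [])
  # Certificate as suggested in the reply: both names listed as alternate names.
  both = make_cert('puppet-new.domain', %w[puppet-new.domain puppet-old.domain])

  %w[puppet-new.domain puppet-old.domain].each do |name|
    puts "#{name}: single-name cert=#{valid_for?(single, name)} " \
         "two-name cert=#{valid_for?(both, name)}"
  end
end
```

Once a subjectAltName extension carries DNS entries, the check ignores the CN, which is why the new name is listed there as well as the old one.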
