Hi Kevin,

Are you stuck on anything specifically? Do you have an existing single Puppet-Master-and-CA with signed client certs? I've done a migration from a single master/CA to a separate CA with IP load balanced masters (not RR DNS balanced) following Dan's blog post about creating certs with Cert DNS Names.

I'd advise taking an rsync backup of /var/lib/puppet/ssl before starting so you can always go back to a single master and start again if it goes horribly wrong.

What I did was create two new servers, one for a Puppet CA and one for a second Puppet Master. I used my existing CA on the old master to generate new certificates with Cert DNS Names of 'puppet-ca' for my CA and 'puppet' for the new Master and distributed them to the new servers accordingly, confirming both new clients can talk Puppet to the old master.

I've then rsync'd the entire ssl/ca/ dir from the old master to the new puppet-ca, as well as put all my modules and manifests on the new puppet-ca, then confirmed puppet-ca can use itself as a master.

I NFS mount the modules, manifests and ca directory from puppet-ca onto the new puppet server, and confirm it also works as a Puppet master. I have puppet-ca's Apache listen on 8141 for cert signing only, and use ldirectord (ipvsadm / Linux Virtual Server) to Direct Route port 8140 traffic to the new Puppet master, making sure it still functions behind a load balancer. I set ca=false in this Puppet Master's puppet.conf so it won't act as a CA.

I then make the old Puppet master the same as the new (NFS mounts replacing writeable directories) and add it to the load balancer. At this point all the existing puppet clients are still pointing to the old server, but it's OK as no new signing requests are coming in.

I then use Puppet to do a site-wide change of all client puppet.confs to say ca_server=puppet-ca and ca_port=8141, and tell them all that the IP address of "puppet" is now the cluster IP (/etc/hosts).

Aside from the time that Apache was down on the masters when doing file system stuff, the migration was seamless.

Hope that helps,
-Luke

On Jan 26, 12:11 pm, linuxbsdfreak <linuxbsdfr...@gmail.com> wrote:
> Hello All,
>
> I require some help for creating multiple puppetmasters with a separate
> Puppet CA server. I followed the steps given in the link below for
> creating a separate CA server
>
> http://bodepd.com/wordpress/?p=7
>
> My requirement is to create 2 Puppetmasters running nginx and unicorn
> which will be load balanced via RR DNS with a separate single Puppet
> CA server only for issuing and signing certificate requests, also
> running under nginx and unicorn. Anyone who has had any success in
> setting up this way could help point me to the configuration.
>
> Regards,
> Kevin

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
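As an added example (not code from this thread or from Puppet itself): a small Python checker for the three settings Luke's migration ends with, so a master that slipped back to signing, or a client still sending CSRs to a master, is caught before the cutover. It assumes puppet.conf uses the [main]/[master]/[agent] sections with the real settings ca, ca_server and ca_port; the cluster IP and the sample files are constructed.

```python
# Added example, not from the thread or Puppet. Assumes puppet.conf uses
# [main]/[master]/[agent] sections; the sample files below are constructed.
import configparser

def parse_puppet_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def setting(cp, section, key):
    """Puppet looks a setting up in its own section first, then in [main]."""
    for sec in (section, "main"):
        if cp.has_option(sec, key):
            return cp.get(sec, key).strip()
    return None

def check_master(conf_text):
    """A load-balanced master must not sign CSRs: it needs ca = false."""
    if (setting(parse_puppet_conf(conf_text), "master", "ca") or "").lower() != "false":
        return ["master: set ca=false so only puppet-ca signs certificates"]
    return []

def check_agent(conf_text, ca_server="puppet-ca", ca_port="8141"):
    """Clients must send signing requests to the dedicated CA on its own port."""
    cp = parse_puppet_conf(conf_text)
    problems = []
    if setting(cp, "agent", "ca_server") != ca_server:
        problems.append("agent: ca_server must be %s" % ca_server)
    if setting(cp, "agent", "ca_port") != ca_port:
        problems.append("agent: ca_port must be %s" % ca_port)
    return problems

def check_hosts(hosts_text, cluster_ip, name="puppet"):
    """'puppet' must resolve to the load balancer VIP, not to one master."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) > 1 and name in fields[1:]:
            return [] if fields[0] == cluster_ip else [
                "hosts: %s resolves to %s, expected %s" % (name, fields[0], cluster_ip)]
    return ["hosts: no entry for %s" % name]

# constructed samples (10.0.0.10 as the cluster IP is an assumption)
MASTER_OK = "[main]\nssldir = /var/lib/puppet/ssl\n\n[master]\nca = false\n"
MASTER_BAD = "[main]\nssldir = /var/lib/puppet/ssl\n\n[master]\nca = true\n"
AGENT_OK = "[agent]\nserver = puppet\nca_server = puppet-ca\nca_port = 8141\n"
AGENT_BAD = "[agent]\nserver = puppet\n"
HOSTS_OK = "127.0.0.1 localhost\n10.0.0.10 puppet  # cluster IP\n"
HOSTS_BAD = "127.0.0.1 localhost\n10.0.0.11 puppet1.example.com puppet\n"
```

Run the three checks over each host's copied files before repointing clients; an empty list means that file matches the split-CA layout.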