On 07/28/2011 12:09 AM, Nick Moffitt wrote:
> vagn scott:
>> Funny you should mention that. I have been playing around with
>> separating the puppetmaster config from the agent config. See here:
>>
>> http://agawamtech.com/blog/?p=383
>
> I solved this by having the puppetmasters all proxypass (they're running
> in apache+passenger) their CA port (specified in the puppet.conf as a
> non-standard one) up to a central CA.

I would recommend the first way; actually, the only thing you need to do is to set a separate ssldir option within the master section (and probably appropriate certname, certdnsnames options to fit your dns alias for the puppetmaster) to separate the ca from the client config.

And why can't you simply point your client forth and back between multiple masters that do not share a CA? This is how OpenSSL works and how it protects the communication of your puppet nodes.

~pete
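The separation suggested in the reply above, as an added example that is not part of the original message: two constructed puppet.conf samples and a check that the master and agent run modes resolve to different `ssldir` values. The paths, hostnames and helper names are assumptions; the fallback from a run-mode section to `[main]` follows Puppet's normal section precedence.

```python
import configparser

# Constructed sample puppet.conf contents; paths and hostnames are placeholders.
SHARED = """\
[main]
ssldir = /var/lib/puppet/ssl

[master]
certname = puppet.example.com

[agent]
server = puppet.example.com
"""

SEPARATED = """\
[main]
vardir = /var/lib/puppet

[master]
ssldir = /var/lib/puppet/master-ssl
certname = puppet.example.com
certdnsnames = puppet:puppet.example.com

[agent]
ssldir = /var/lib/puppet/ssl
server = puppet.example.com
"""

UNSET = "<built-in default>"  # stand-in used when no section sets the option


def effective(conf_text, section, option):
    """Value a run mode sees: its own section first, then [main]."""
    cp = configparser.RawConfigParser(strict=False)  # no $var interpolation
    cp.read_string(conf_text)
    for sec in (section, "main"):
        if cp.has_option(sec, option):
            return cp.get(sec, option).strip()
    return UNSET


def ca_is_separated(conf_text):
    """True when master and agent resolve to different ssldir values."""
    return (effective(conf_text, "master", "ssldir")
            != effective(conf_text, "agent", "ssldir"))


if __name__ == "__main__":
    for name, text in (("shared", SHARED), ("separated", SEPARATED)):
        print(name, ca_is_separated(text))
```

In the first sample the master inherits `ssldir` from `[main]`, so its CA and the local agent's certificates live in the same directory; the second gives the master its own.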