On 19/12/11 12:05, ollies...@googlemail.com wrote:
> Thanks,
>
> On our older infrastructure if we wanted to scale out we just copied
> the ssldir and changed the filenames to the FQDN of the new master
> server. certdnsnames would be wildcarded.

The problem with this way of scaling is that you won't be able to revoke
a certificate. The reason is that more than one certificate can have the
same serial. I believe it's better to dedicate a master to be a CA-only
master. Then you point your clients to this CA. If you fear the SPOF,
then you can use a pair of CA servers sharing the ssldir, either through
rsync or anything else that allows sharing files.

> Now using 2.7.9 how do we do certificates so we could scale out
> horizontally from behind this loadbalancer?

There's no reason you can't do what you were doing before upgrading to
the 2.7.9 version. If what you were doing doesn't work anymore, then it
might be a bug you should report.

> Trying this approach leads now to this:-
>
> # puppet cert --list --all
> warning: The `certdnsnames` setting is no longer functional,
> after CVE-2011-3872. We ignore the value completely.
>
> For your own certificate request you can set `dns_alt_names` in the
> configuration and it will apply locally. There is no configuration
> option to set DNS alt names, or any other `subjectAltName` value, for
> another nodes certificate.
>
> Alternately you can use the `--dns_alt_names` command line option to
> set the labels added while generating your own CSR.
> - <CLIENT FQDN> (FA:C4:68:C1:30:E2:95:9E:48:AB:ED:E4:A7:BF:3F:19)
> (certificate signature failure)
>
> Going around in circles somewhat trying to get a modern puppet setup
> with a potential to scale horizontally.

The command just complains about the certdnsnames option that has been
removed. You can still use dns_alt_names to generate client and/or server
certificates with an embedded subjectAltName extension.

-- 
Brice Figureau
My Blog: http://www.masterzen.fr/