On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote:
> > That's easy: dedicate two hosts to be CAs only. One is the hot standby of
> > the first one. You can either manually bring it up when the first one
> > fails, or use something like drbd+pacemaker to do it automatically.
> > Then have all your other masters run in "no ca" mode. Each can have a
> > different server CN, or they can share the same server certificate.
> > This is explained at length in the Pro Puppet [1] book if you need.
> >
> > > Maybe it's just not possible right now and I am flogging a dead horse
> > > and should accept a SPOF for a CA but can easily scale out the
> > > puppetmasters fine.
> >
> > The simplest architecture for load balanced puppet is the single CA one,
> > of course that means you can live with the SPOF. BTW, the SPOF is only
> > at certificate signing. In the event your CA becomes unresponsive, it
> > won't prevent your actual nodes from getting a catalog.
> >
> > I highly recommend you to get a copy of the "Pro Puppet" book. It
> > contains an extensive chapter on load balancing puppet master (both with
> > the SPOF and without it).
>
> Thanks.
>
> Have got a copy of the book and that is what I was working from. As
> per the example in the book it's fine running the CAs in the localhost
> sort of mode, but when switching from localhost to other servers off
> the load-balancer server I get the cert errors:
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional
> resources using 'eval_generate: certificate verify failed. This is
> often because the time is out of sync on the server or client
>
> Do I have to clean out the puppetmaster setup on the load-balancer
> host?
>
> On the CA servers I removed the ssldir and ran "puppet master" to
> generate new ssl data.
>
> Then with a new client I get the new cert generated but then the above
> error.
That's expected, because when the client connects to one of your load-balanced servers it receives a certificate that was signed/generated under the previous CA. You actually need your load-balanced masters to get a certificate from your current CA. This certificate will then be used when talking to your nodes.
--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
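The situation Brice describes can be reproduced outside Puppet with nothing but the openssl command line. The script below is an added example, not code from the thread or from Puppet itself: it builds an "old" and a "new" CA, issues a master certificate under the old one, and shows that an agent holding the new CA's certificate rejects it (the same check that produces "certificate verify failed"), then re-issues the master certificate under the current CA and shows that verification now succeeds. The CA and host names (oldca, newca, master01, agent01) and the work directory are made up for the demonstration; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a master certificate issued by the
# *old* CA does not verify against the *new* CA's certificate, which is what
# an agent sees after the CA's ssldir was wiped and regenerated. A certificate
# re-issued by the current CA does verify. All names below are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # left in place so the files can be inspected

# make_ca NAME: self-signed CA certificate and key at $WORK/NAME.pem / NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Puppet CA $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA CN: new key and CSR for CN, signed by CA, written to $WORK/CN.pem
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 365 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against CA CN: exit 0 when CN.pem chains to CA.pem, non-zero otherwise.
# This is the check an agent performs, using the ca.pem in its own ssldir,
# on the server certificate a master presents during the TLS handshake.
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# issuer_of CN: print the issuer DN of CN.pem; the first thing to look at
# when a master is rejected after a CA rebuild.
issuer_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

# scenario: returns 0 when every expectation below holds
scenario() {
    make_ca oldca                  # the CA that existed before the rebuild
    make_ca newca                  # the CA after the ssldir was removed
    issue_cert oldca master01      # load-balanced master, cert from the old CA
    issue_cert newca agent01       # freshly enrolled agent, cert from the new CA

    # the agent trusts newca; master01 still presents an oldca-signed certificate
    if verify_against newca master01; then
        echo "unexpected: old master certificate verified against the new CA"
        return 1
    fi
    echo "master01 ($(issuer_of master01)) rejected by new CA, as the agent sees it"

    # the fix: re-issue the master's certificate under the current CA
    issue_cert newca master01
    verify_against newca master01 || return 1
    verify_against newca agent01  || return 1
    echo "master01 ($(issuer_of master01)) now verifies; agents can talk to it"
}

scenario
```

Running it prints the issuer of master01 before and after the re-issue; the first `openssl verify` fails with "unable to get local issuer certificate" because the agent-side CA file simply does not contain the signer. In a real deployment the equivalent of `issuer_of` is to run `openssl x509 -noout -issuer` on each load-balanced master's server certificate and compare it with the certificate the current CA host is using; any master whose issuer is the old CA needs a new certificate from the current CA, and clients enrolled under the old CA need the same treatment.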