The way I've done it in the past is that you have one Puppet instance dedicated to the initial Puppet run. It handles the CA plus farms out a puppet.conf which contains the local server info.
The main issue I found is that Puppet doesn't seem to change masters without a restart even though it says that it has re-read the config file, so I got around it by doing a small Puppet run that only signs the cert and distributes the puppet.conf in the finish script of the OS install; then once the host rebooted it found its correct Puppet server and continued the upgrade from there. It can mean the CA-owning Puppet master only ever gets used on the initial install, but maybe it can be used more with multiple environments - say build and production?

Greg

On Jan 5, 7:44 am, Christopher Johnston <chjoh...@gmail.com> wrote:
> That could get ugly, so I would have to create one CA, sign it then distribute it to all of my masters. Then also delete my certs on the clients and re-issue new ones.
>
> Is my thinking correct here?
>
> -Chris
>
> On Wed, Jan 4, 2012 at 3:31 PM, Nan Liu <n...@puppetlabs.com> wrote:
> > On Wed, Jan 4, 2012 at 12:12 PM, Christopher Johnston <chjoh...@gmail.com> wrote:
> > > My inventory server is a puppetmaster, but it's master of itself and is only being used for inventory services. If I point new clients to it, it will work fine.
> > >
> > > So think of my setup like this:
> > >
> > > puppet1.company.com and puppet2.company.com are two dedicated servers in each datacenter that handle local client connectivity only. By using certname=puppet I can copy the same CA to puppet2.company.com and support failing over if the primary server goes down. This setup is mimicked in about 20 other sites.
> > >
> > > The inventory server is a remote puppet master sitting in a backoffice datacenter that is set up with mysql and puppet dashboard to receive reports and inventory services from all 40 of the masters.
> > >
> > > So with this current arrangement how would I go about making sure the inventory server has a cert that is signed by the 40 other CAs.
> >
> > Certificate chain is an outstanding bug, so at the moment one CA signs all puppet master + inventory server certs.
> >
> > Nan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
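As an added example that is not part of the thread or of Puppet's own tooling: the finish-script flow Greg describes (one CA-owning master, a puppet.conf per site pointing at the local master) can be expressed with the real puppet.conf settings `server` and `ca_server`, so the agent fetches catalogs from its site master while certificate requests go to the single CA, and the CA private key never has to be copied to each site's master pair (a copied CA key on 40 hosts means any one of them can mint a certificate trusted everywhere). The CA host name `puppetca.company.com`, the config path and the helper function names are assumptions; `puppet1.company.com` comes from the thread. The `bootstrap_node` function is shown for the flow and is not called by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread): two-phase agent bootstrap for the
# layout discussed above: one central CA master plus a local master per site.
# Assumptions (not in the thread): the CA-only master is puppetca.company.com,
# puppet.conf lives at /etc/puppet/puppet.conf, and the site master name is
# passed as $1. 'server' and 'ca_server' are real puppet.conf settings.
set -e

CA_SERVER="${CA_SERVER:-puppetca.company.com}"      # assumed CA-only master
CONF_PATH="${CONF_PATH:-/etc/puppet/puppet.conf}"   # assumed config path

# Render a puppet.conf whose agent talks to the local master for catalogs and
# reports but to the central CA for certificate requests, so the CA key stays
# on one host and the agent never has to switch masters mid-run.
render_puppet_conf() {
    local_server="$1"
    printf '%s\n' \
        '[main]' \
        "    server = ${local_server}" \
        "    ca_server = ${CA_SERVER}" \
        '    report = true'
}

# Read one key out of a puppet.conf-style file (first match wins).
conf_value() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# Verify a config points catalogs at the expected site master and certificate
# handling at the central CA. Returns 0 when both hold, 1 otherwise; useful as a
# post-install check that a node is not silently talking to the wrong master.
check_split_config() {
    file="$1"; expected_local="$2"
    [ "$(conf_value server "$file")" = "$expected_local" ] || return 1
    [ "$(conf_value ca_server "$file")" = "$CA_SERVER" ] || return 1
    return 0
}

# The steps an OS-install finish script would run (not executed here, since it
# needs a real puppet install): write the split config, do one foreground run
# that requests and waits for a signed cert from CA_SERVER, then restart the
# agent so the daemon picks up the configured site master.
bootstrap_node() {
    local_server="$1"
    render_puppet_conf "$local_server" > "$CONF_PATH"
    check_split_config "$CONF_PATH" "$local_server"
    puppet agent --onetime --no-daemonize --waitforcert 60
    service puppet restart
}
```

Usage from a finish script would be `bootstrap_node puppet1.company.com`; `check_split_config` can also be run later from a cron job or inventory task to catch nodes whose puppet.conf was edited to point at a master outside their site.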