
On Wed, May 14, 2014 at 09:15:49AM +0000, Cassiano Leal wrote:
> Hi,
> 
> I'd like to ask for advice on certificate trust in a scenario with multiple 
> puppet masters.
> 
> I'm in a position where I have roughly 50 environments, each with their own 
> puppetmaster, running their own CAs.

In your position I would probably bite the bullet and pick one puppetmaster to 
be the CA. Then I would have 49 non-CA puppetmasters and one CA puppetmaster, 
each being able to serve one of my 50 puppet environments:

http://docs.puppetlabs.com/puppet/latest/reference/environments.html
http://docs.puppetlabs.com/puppet/latest/reference/environments_classic.html

(I'm a bit nonplussed that you're still sane after running 50 separate 
environments.)

> I also have another environment from where I provide some centralised 
> services, such as an MCollective broker, a central Logstash/Elasticsearch 
> instance, etc., and that's got its own puppetmaster as well.
> 
> I have installed PuppetDB in this environment, and its cert is signed by this 
> central puppetmaster's CA.
> 
> Now I'm in a position where my environments don't trust the PuppetDB's cert 
> because they have no knowledge of the CA that signed it.
> 
> Is there a way to make them communicate? I reckon making the individual 
> puppetmasters trust the central CA would do it, but how would I go around to 
> do that?

I don't know of another way than turning 49 of your puppetmasters into non-CA 
puppetmasters and re-keying everything based on the new CA, sorry. I can wonder 
if puppet would use more than one CA certificate in the CA cert file, but then 
you'd have a massive pile of work keeping that distributed and updated even if 
it did. Better to go with one CA.

Where I am only one puppetmaster has the following set to true:

http://docs.puppetlabs.com/references/latest/configuration.html#ca

Everything else has this set, as well as "server":

http://docs.puppetlabs.com/references/latest/configuration.html#caserver

That way no matter what (geographically dispersed) puppetmaster an agent is 
pointed towards, it will still take CA services from a single puppetmaster. (If 
that puppetmaster breaks we'll restore the CA files from backup and promote 
another puppetmaster to be the CA.)

You will have to re-key everything, but they're all puppetized hosts so this 
will be relatively easy.

> 
> Thanks,
> Cassiano Leal
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/9F2FD551-D61D-423D-A3C4-2B19095DF2EA%40gamesys.co.uk.
> For more options, visit https://groups.google.com/d/optout.

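The single-CA layout the reply describes, as an added puppet.conf example that is not from the thread: the hostnames puppetca.example.com and puppetmaster-07.example.com are assumed, and the "before" fragment shows the per-master CA setup from the question that leaves each environment unable to verify a cert issued by the central CA.

```ini
# Added example, not from the original thread. Assumed hostnames:
# puppetca.example.com      - the one puppetmaster that acts as CA
# puppetmaster-07.example.com - one of the 49 non-CA masters (environment 07)

# --- Before: each puppetmaster is its own CA (the situation in the question).
# Agents in environment 07 only trust the CA on puppetmaster-07, so PuppetDB's
# cert, issued by the central environment's CA, fails verification.
# /etc/puppet/puppet.conf on puppetmaster-07.example.com
[master]
    ca = true        # the default; this master signs its own agents' certs

# --- After: exactly one CA, every other master has ca=false and ca_server set.
# /etc/puppet/puppet.conf on puppetca.example.com (the only CA)
[master]
    ca = true        # the only place certs are issued or signed

# /etc/puppet/puppet.conf on puppetmaster-07.example.com (and the other 48)
[main]
    server    = puppetmaster-07.example.com   # catalogs from the local master
    ca_server = puppetca.example.com          # all CA requests go to the one CA
[master]
    ca = false                                # never sign or issue certs here

# /etc/puppet/puppet.conf on an agent in environment 07
[agent]
    server    = puppetmaster-07.example.com   # nearest master for catalogs
    ca_server = puppetca.example.com          # certificate from the single CA
```

As the reply notes, existing certs were signed by the old per-master CAs, so every host (masters and agents) must be re-keyed against the single CA before this layout works; with all agents trusting one CA, PuppetDB's cert issued by that CA verifies everywhere.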
