> My two masters are each also their own CA to minimize traffic and firewall
> rules between them. Based on your responses, this difference in CAs appears
> to be the crux of the issue....which seems obvious now.
>
> Given that masters A & B are their own CA, how can I send puppetdb reports
> over port 8081 https from B to A?
It certainly is tricky to do this right with two root CA certificates. One answer is to use intermediate CAs (this way the trust is global, defined by a root CA), but this means you are left on your own to do PKI: https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html. In a perfect world the PKI facility we ship could still sign certificates with an intermediate, but alas this doesn't seem to be the case. Even if you have your own PKI, I think we still come back to similar problems as I'm about to describe below.

In the past others (including myself) have done tricks to support a single root CA between two services, but this is hackish and you end up with a split CRL list and serial number collision issues (since afaik we assign them sequentially, but it's been a while since I've looked at this). I've even gone so far as to switch the serial number assignment to be random instead of sequential, but this required custom patches. Others have just hacked around different starting numbers for their serials in each service, but either way you're still left with split CRL data, which might be a problem if you rely on using revocation regularly - perhaps in a split DC solution where you don't care about master failover between sites this doesn't matter. Anyway I'm conjecturing; in reality these kinds of ideas are hackish and not for the faint-hearted.

As far as what people do today and the best solution to avoid a single CA service, I'm not across it. I'd probably see if others have any suggestions on the matter. Today, I think the official/maintained solution is a global CA service.

Of course you can go back to your proxy idea, but this won't scale very well ultimately, as you'll need to add more of these proxies for each DC you add just to establish trust. But it would work, I guess :-).

ken.
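A small added demo (my own, not Ken's or Puppet's code) of the trust difference discussed above: two masters that are each their own root CA cannot validate each other's certs, while one shared root with a per-master intermediate gives a chain that verifies. It assumes only the openssl CLI, and every CN name is hypothetical.

```shell
#!/bin/sh
# Added demo, not from the thread: compares two separate root CAs against one
# shared root plus intermediates. All CN/file names below are made up.
WORK=$(mktemp -d)

# Self-signed root CA: $1 = CN (also used as the file name).
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Cert for CN $2 signed by CA $1; pass "ca" as $3 to mark it as an intermediate CA.
issue() {
  ca=$1; name=$2; ext=""
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ "${3:-}" = "ca" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/$name.ext"
    ext="-extfile $WORK/$name.ext"
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 7 -out "$WORK/$name.crt" $ext >/dev/null 2>&1
}

# Does trust anchor $1 (plus optional intermediate $2) validate leaf $3?
# Prints "trusted" or "untrusted", mirroring what A's TLS listener would decide.
check() {
  untrusted=""
  [ -n "$2" ] && untrusted="-untrusted $WORK/$2.crt"
  if openssl verify -CAfile "$WORK/$1.crt" $untrusted "$WORK/$3.crt" >/dev/null 2>&1; then
    echo trusted; else echo untrusted; fi
}

# Case 1: master A and master B are separate roots. B's client cert presented to
# A's PuppetDB on 8081 is checked against A's CA only, so it is rejected.
two_roots() {
  mk_root master-a-ca; mk_root master-b-ca
  issue master-b-ca master-b
  check master-a-ca "" master-b
}

# Case 2: one org root signs an intermediate per master. A trusts just the root,
# and B presents its intermediate together with its own cert, so the chain verifies.
shared_root() {
  mk_root org-root-ca
  issue org-root-ca site-a-ca ca; issue org-root-ca site-b-ca ca
  issue site-b-ca master-b-shared
  check org-root-ca site-b-ca master-b-shared
}
```

Run `two_roots` and `shared_root` in turn; the first prints `untrusted`, the second `trusted`.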