I think the dated docs you are reading are probably it :-) Running very much on 6 year old memory here, when I tried it last... You create a new Puppet CA cert with multiple SANs on it for each of your Puppet Masters' hostnames, and distribute that to each Master. The agents can be signed by any Puppet Master, and will then be able to speak to any Puppet Master because essentially it's the same CA (in multiple places). The issue is if you make use of the certificate revocation list to deny agents - because each CA could potentially issue the same serial number, this is not going to work. If you don't rely on the revocation list then this is not an issue. All this may have changed over the years.
Another way to do it is have a central signer (you can split the CA functionality from other parts of the Master in puppet.conf) and then sync the signed certs to each Master. That way if your central CA goes down you can't build any *new* agents, but your existing nodes will work because the Puppet Masters at each DC have a copy of the signed certificates. The revocation list works with this approach. That may satisfy your "DCs running independently" requirement. Question: if your DCs are moving to be a stand alone architecture, why do you need your Agents to check in to other Masters? Why not just have a CA per DC? The obvious down side is if your DC's Puppet Master goes down you can't do any Puppet runs in that DC, but if you've got multiple anyway I'll assume your Masters are deployed with Puppet themselves, so shouldn't be that hard to recover / rebuild? -- Luke Bigum Senior Systems Engineer Information Systems ----- Original Message ----- From: "Peter Berghold" <salty.cowd...@gmail.com> To: "puppet-users" <puppet-users@googlegroups.com> Sent: Wednesday, 8 June, 2016 15:40:19 Subject: [Puppet Users] Multiple CA setup. In the puppet setup that I have where I work it has been increasingly more desirable if not required to have each of our data centers be able to operate standalone. Because of this I've been Googling around looking for a methodology to allow multiple certificate authorities in puppet. Currently we have our grand master puppet server in one Data Center and we have several Puppet Masters in other data centers in geographically diverse areas. When a new client is added with our current setup that new client has to reach out and get it certificate signed by The Grandmaster. This is getting us through setting up puppet currently but long-term this is undesirable. Can anybody point me to a methodology for setting up multiple certificate authorities that actually works? Looks like the pages on the topic I have read so far are outdated. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAArvnv2OQP5QcG9TTy_EVTursMkUdW2MhB7%3D_ZPiH7XnQ1mWrQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout. --- LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN http://www.LMAX.com/ Recognised by the most prestigious business and technology awards 2016 Best Trading & Execution, HFM US Technology Awards 2016, 2015, 2014, 2013 Best FX Trading Venue - ECN/MTF, WSL Institutional Trading Awards 2015 Winner, Deloitte UK Technology Fast 50 2015, 2014, 2013, One of the UK's fastest growing technology firms, The Sunday Times Tech Track 100 2015 Winner, Deloitte EMEA Technology Fast 500 2015, 2014, 2013 Best Margin Sector Platform, Profit & Loss Readers' Choice Awards --- FX and CFDs are leveraged products that can result in losses exceeding your deposit. They are not suitable for everyone so please ensure you fully understand the risks involved. This message and its attachments are confidential, may not be disclosed or used by any person other than the addressee and are intended only for the named recipient(s). This message is not intended for any recipient(s) who based on their nationality, place of business, domicile or for any other reason, is/are subject to local laws or regulations which prohibit the provision of such products and services. This message is subject to the following terms (http://lmax.com/pdf/general-disclaimers.pdf), if you cannot access these, please notify us by replying to this email and we will send you the terms. If you are not the intended recipient, please notify the sender immediately and delete any copies of this message. LMAX Exchange is the trading name of LMAX Limited. LMAX Limited operates a multilateral trading facility. LMAX Limited is authorised and regulated by the Financial Conduct Authority (firm registration number 509778) and is a company registered in England and Wales (number 6505809). LMAX Hong Kong Limited is a wholly-owned subsidiary of LMAX Limited. LMAX Hong Kong is licensed by the Securities and Futures Commission in Hong Kong to conduct Type 3 (leveraged foreign exchange trading) regulated activity with CE Number BDV088. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1922579621.5282646.1465397459713.JavaMail.zimbra%40lmax.com. For more options, visit https://groups.google.com/d/optout.
