Neil, I agree one CA is more than capable and the load balancing point here is pretty much moot. I, as well, will have many nodes dispersed worldwide within DCs and with hosting providers like AWS and DO. Having a flexible and simple setup which can operate independent of other sites is a requirement. We will be building and tearing down nodes frequently, so having zero downtime with the provisioning and CM services is also a requirement here. Aside from the simple puppetserver / CA config, the haproxy setup I'm running is very straightforward. With the shared certificate I can call all masters with the same name and the puppet web server points to the correct cert.
I honestly haven't encountered the problem everyone says exists with active/active CAs. A CA's job is to sign new certificates. When a node is torn down the cert will be wiped at all CAs, so in the event the hostname is reused there shouldn't be a problem. Where does the problem arise with serial number conflicts? How can I reproduce this issue? Also, is the traffic from your haproxy to the masters not using SSL?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/61ca8d08-fe4c-4345-aa41-6875612227ae%40googlegroups.com.
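The serial number conflict asked about above, as an added simulation that is not part of the thread and not Puppet's own CA code: two CA instances share one issuer identity but each keeps its own serial counter (the assumption being that, like Puppet's per-CA serial file, the counter lives on local disk and is not shared by copying the CA key), so a CRL entry, which identifies a certificate by issuer and serial only, matches a certificate issued by the other instance as well. The hostnames, the issuer name and the partitioned-serial mitigation are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str


@dataclass
class CA:
    """One CA instance. Assumption: each instance keeps its own serial
    counter on local disk; sharing the CA key does not share the counter."""
    issuer: str
    next_serial: int = 1        # this instance's serial file
    ca_id: int = 0              # only used by the partitioned scheme below
    partition_bits: int = 0     # 0 = plain counter, as a stock CA does

    def issue(self, subject: str) -> Cert:
        serial = self.next_serial
        self.next_serial += 1
        if self.partition_bits:
            # Constructed mitigation: reserve the high bits for an instance id
            # so two instances can never hand out the same serial.
            serial |= self.ca_id << self.partition_bits
        return Cert(self.issuer, serial, subject)


def is_revoked(crl: set[tuple[str, int]], cert: Cert) -> bool:
    # A CRL entry names a certificate by issuer plus serial only; the subject
    # is not part of the lookup, so equal serials are one identity to a verifier.
    return (cert.issuer, cert.serial) in crl


ISSUER = "CN=Puppet CA: puppet.example.com"   # constructed shared CA name


def collision_demo() -> tuple[bool, bool]:
    """Active/active CAs with the same key and name, independent counters."""
    ca1, ca2 = CA(ISSUER), CA(ISSUER)
    web1 = ca1.issue("web1.example.com")       # serial 1 from ca1
    db1 = ca2.issue("db1.example.com")         # serial 1 from ca2 as well
    crl = {(web1.issuer, web1.serial)}         # operator revokes only web1
    return is_revoked(crl, web1), is_revoked(crl, db1)   # (True, True)


def partitioned_demo() -> tuple[bool, bool]:
    """Same setup with the serial space partitioned per CA instance."""
    ca1 = CA(ISSUER, ca_id=1, partition_bits=32)
    ca2 = CA(ISSUER, ca_id=2, partition_bits=32)
    web1 = ca1.issue("web1.example.com")
    db1 = ca2.issue("db1.example.com")
    crl = {(web1.issuer, web1.serial)}
    return is_revoked(crl, web1), is_revoked(crl, db1)   # (True, False)
```

Whether a hostname is ever reused does not matter in this model: the collision comes from the two counters, not from the subject names.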