Serial numbers on SSL certificates are important, and your setup will generate many duplicate serial numbers. Ergo, this is bad.
Related problem: Did you test revoking a client certificate? I
suspect not, because the above issue will bite you.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6dcd4a20-909c-4373-892f-0f7a3e69d19d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hello
I've run multiple puppet masters behind ha proxy for a few years now. I have multiple masters, with haproxy rules directing some clients to particular masters. I only have one puppet master as CA. I've about 600 clients.
Initially I was concerned about only having one CA. But all it does is sign new clients and revoke old. Haproxy trusts the clients based on this CA and a revoke list from the CA.
If the CA went down all existing clients would are fine, I've tested that. I can't sign new clients or revoke existing until I recover the CA but in my environment that's no big deal. I have backups of the CA and a new one would not take long to spin up.
So I wonder why you want multiple CA. What benefits would it bring?
Happy to share example haproxy config etc if you are interested.
Cheers,
Neil
Serial numbers on SSL certificates are important, and your setup will generate many duplicate serial numbers. Ergo, this is bad.
Related problem: Did you test revoking a client certificate? I suspect not, because the above issue will bite you.
On 2016-09-12 12:48 AM, Ivan Arjune wrote:
Did i figure out something new here, because I've been digging at this for a week and don't see anyone doing it like this.--
What i'm doing is running multiple puppetmasters behind haproxy. Each puppetmaster is an active ca server and share a common certificate. It works like a charm, in a lab.
Step 1. created a common certificate that all the puppetservers will share.
Step 2. point webserver.conf to the shared certs.
Not a step 3. hit the masters through haproxy
I posted this up on ask.puppet.com a few days ago and nobody seems interest in it. Either it's a stale forum, which i believe is true, or they think i'm crazy. Maybe you do to, ugg....
Here is the orig. post with details on the setup.
Puppet CA Shared Certificate Guide: Scalable Puppet?
I'm looking to put this into production on an infra. with around 200 nodes. I think it's a good idea, but can't figure out why I don't see anyone doing it like this yet.
Million dollar question:
Why must i use a centralized the ca server?
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6dcd4a20-909c-4373-892f-0f7a3e69d19d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c5dbbb59-4de7-720f-3424-3135db424522%40alter3d.ca.
On 17 September 2016 at 15:06, Neil - Puppet List
>> email to puppet-users+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/6dcd4a20-909c-4373-892f-0f7a3e69d19d%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/c5dbbb59-4de7-720f-3424-3135db424522%40alter3d.ca.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAAohVBfGJx14uUqocAXPw7oJvBdVsenQhE4rjDSNCXCwjM94Vg%40mail.gmail.com.
>
> For more options, visit https://groups.google.com/d/optout.
--
Gareth Rushgrove
@garethr
devopsweekly.com
morethanseven.net
garethrushgrove.com
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAFi_6yLdmbE9QZ2%2BZ-OpuFGyt-mNRF5n2NuQ21SFiNTyTEbA0g%40mail.gmail.com.
HelloOne extra thing to mention is I have got into issues with configuring the loadbal itself through puppet, as broken loadbal config breaks the puppet service which means the loadbal can;t be fixed via puppet, so admin login is required on these servers.ThanksNeil
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAohVBfC-E%2BXp5_td2j0n9EW4rcKPcx47kxYJ4tT8sjpN%3DSBkw%40mail.gmail.com.
Hello Trevor,
I put this in when we did a fairly big puppet upgrade. This meant I could direct a few clients to the upgraded server upgrade the agents see how that went then do all dev service before moving others.
I guess we could have done that in a number of other ways but this worked well for me and I like not configuring the clients differently, by changing their server setting, as I did the upgrade
In a similar manner I've used it to experient with different node classifiers not something I think DNS records would allow.
Before I used environments I used it for other changes like upgrading modules such as puppet labs Apache by having the newer version only on one puppet server and directing some clients there.
So in general the benefit is when you do not want the same puppet version or code on all puppet servers.
Overhead of running a pair of tiny vms for the loadbal is tiny for me as we run a dozen or so other loadbal pairs.
Neil
Hi Neil,Thanks for sharing that config, it's quite useful.Did you see any large benefit of this versus using DNS SRV records (yes, I understand the actual load balancing implications).I'm curious if the extra infrastructure was worth the effort.I'm partial to a fan-out DNS SRV structure, but that doesn't really help with load unless your servers are active rejecting above a given connection load.Thanks,Trevor
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CANs%2BFoX3jnRD6O%2BNUKNyrmiN9vMeQNt986oeV6DqRCxGoS9uNA%40mail.gmail.com.