# puppet
  • d

    davidpinaz

    09/15/2022, 5:04 PM
    Yeah, we’ve been doing active/passive but it really hasn’t been working with our volume, so we’re looking at other options
  • b

    bastelfreak

    09/15/2022, 5:04 PM
    Which part didn't work?
  • d

    davidpinaz

    09/15/2022, 5:06 PM
    We have users that flex up thousands of instances, and decom thousands of instances within a very short time frame. Managing the creation/signing and deletion of the certs has led to bottlenecks with the single CA (we don't run PuppetDB atm). So we're looking at any possible way to mitigate that. The first step was discontinuing the CRL stuff.
  • b

    bastelfreak

    09/15/2022, 5:09 PM
    Maybe switch to a different CA?
  • d

    davidpinaz

    09/15/2022, 5:10 PM
    We were looking into that, too, but puppetlabs recommended against the idea (IIRC). Have you used a different CA that has worked?
  • d

    davidpinaz

    09/15/2022, 5:10 PM
    We’re open to anything, tbh, lol
  • b

    bastelfreak

    09/15/2022, 5:11 PM
    I looked into Vault a long time ago, that worked fine. But I didn't do any performance benchmarks.
  • b

    bastelfreak

    09/15/2022, 5:11 PM
    I am wondering if you can do multiple Puppet CAs with a shared root CA and individual intermediate CAs.
  • b

    bastelfreak

    09/15/2022, 5:11 PM
    That should work.
  • d

    davidpinaz

    09/15/2022, 5:14 PM
    Would there be any issue with cert serial numbers or anything? `/etc/puppetlabs/puppet/ssl/ca/serial`
  • r

    ramindk

    09/15/2022, 5:15 PM
    In the past we tried not to care about certs. Every puppetserver was a CA with a shared root CA. For some security the backend did an opsdb check around hostname/IP. That said, not sure if pounding on the AWS API is a good idea. Maybe new instances post to SQS and the puppetserver that gets the request pops it off as a simple verification step. I've used a similar solution to manage decoms.
  • b

    bastelfreak

    09/15/2022, 5:18 PM
    @davidpinaz I think each intermediate CA has its own serial. So if the intermediate CA is shared across multiple Puppet CAs, you need some global locking to not kill the file.
  • b

    bastelfreak

    09/15/2022, 5:18 PM
    But when the intermediate CA isn't shared it should be fine. At least worth a test.
  • d

    davidpinaz

    09/15/2022, 5:19 PM
    I'm not sure the intermediate would necessarily be shared, but each CA would be behind a LB, so an agent would be able to connect to any of the CAs.
  • b

    bastelfreak

    09/15/2022, 5:23 PM
    I think that should be fine/has to work. You can tell puppetserver to only verify the first level of the agent cert chain, so it doesn't care which intermediate signed it.
  • b

    bastelfreak

    09/15/2022, 5:23 PM
    (at least I think so)
  • d

    davidpinaz

    09/15/2022, 5:24 PM
    Sweet!!! Thanks everyone!
  • j

    John Ratliff

    09/15/2022, 5:31 PM
    What is the difference between `Struct[{Optional[field] => String}]` and `Struct[{field => Optional[String]}]`?
  • n

    natemccurdy

    09/15/2022, 5:36 PM
    Both allow `field` to be missing. But the latter allows `field`'s value to be literally `undef`.
    👍 2
  • j

    John Ratliff

    09/15/2022, 8:11 PM
    ```
    $ puppet module install --target-dir . puppet-grafana --version 11.0.0
    Notice: Preparing to install into /etc/puppetlabs/code/environments/jdratlif/modules ...
    Notice: Downloading from <https://forgeapi.puppet.com> ...
    Error: Could not install module 'puppet-grafana' (v11.0.0)
      The requested version cannot satisfy one or more of the following installed modules:
        puppetlabs-stdlib, installed: 7.1.0, expected: >= 4.20.0 < 9.0.0

      Use `puppet module install 'puppet-grafana' --ignore-dependencies` to install only this module
    ```
    Is there a reason `puppet module install` thinks the version of stdlib it found doesn't satisfy that version range? It sure seems like it does. I had the same problem when installing the puppetlabs-apache module, but it worked fine when I used `--ignore-dependencies`.
  • b

    bastelfreak

    09/15/2022, 8:17 PM
    Usually people use r10k to deploy modules and just ignore the whole version range.
  • d

    David Sandilands

    09/15/2022, 8:20 PM
    @davidpinaz @bastelfreak I know one of the PE customers uses https://github.com/fervidus/puppet_ca_utils to set up mutual trust between CAs, and that allows them to switch agents between multiple Server/CA setups.
    🌮 1
  • v

    vchepkov

    09/15/2022, 8:20 PM
    Most likely some other existing module requires a higher version of stdlib.
  • b

    bastelfreak

    09/15/2022, 8:21 PM
    @David Sandilands Oh nice.
    ➕ 1
  • s

    sameer

    09/16/2022, 6:16 AM
    I would like to add the Apache site conf on one of the servers, but the manifest file is created in such a way that if I add anything it would get added to all the servers pointing to it. I created the conf file in `..///modules/roles/files/mule/mule01/xyz.conf`, and the Apache config is managed via the apache module (`apache::vhost`) in `roles_am::muleserver`. This is how one of them looks: `apache::vhost { "${fqdn}-ssl": ensure => present, port => 443,`