On Fri, May 01, 2009 at 02:27:56PM -0400, Michael DeHaan wrote:
> Christian Horn wrote:
> > On Fri, May 01, 2009 at 08:15:16PM +0200, Fabien Dupont wrote:
> > > As far as the Puppet instance is on the
> > > same server it wouldn't be difficult to call puppetca and we could think of
> > > downloading certificates from Cobbler SVC during installation time through a
> > > snippet.
> >
> > I wouldn't want the cert including the needed private key being transferred
> > over the net in the clear.
> > Letting cobbler do the signing of the cert (with the accompanying
> > private key being only on the newly deployed box) sounds fine though.
> >
> > A bit better than autosigning since cobbler will only sign the
> > certs of cobbler-deployed boxen and not some rogue new box on the
> > network.
>
> If I understand this correctly, this would be something like having
> cobblerd periodically check puppetca to see if any hostnames it knew
> about were in the list?
>
> I'm not sure this is a good job for cobblerd (we don't even do this for
> Func), but it could be done pretty easily as a Cobbler-XMLRPC-API using
> script, I think, that you could put on cron.
Just signing could be done by cron or by puppet's autosigning. Just heard a nice speech yesterday with a nice puppet deployment, but not autosigning since everyone on the net could then set up a box with puppet, have the cert autosigned and fetch maybe data that only puppet-clients should get. The cobbler-server would know the new box was deployed with puppet, so the cert-request could be trusted more than random new certs. That's the additional use I had in mind reading the post.

Christian
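The cron-driven signing helper sketched in this thread, written out as an added example (not code from the original posts or from the Cobbler or Puppet projects): it signs only the pending puppetca requests whose hostname Cobbler already knows, and leaves anything else unsigned for an operator to look at. It assumes Cobbler's XMLRPC endpoint at /cobbler_api with get_systems() returning records carrying "name" and "hostname" keys, a puppetca binary on the PATH of the puppetmaster where the cron job runs, and a placeholder server URL.

```python
import subprocess
import xmlrpc.client

COBBLER_API = "http://cobbler.example.invalid/cobbler_api"  # placeholder URL (assumption)
PUPPETCA = "puppetca"  # assumed on PATH; the cron job runs on the puppetmaster

def parse_pending(listing):
    """Hostnames with pending requests in `puppetca --list` output.
    Old puppetca prints bare hostnames; newer ones print '"host" (fingerprint)'
    and mark already-signed certs with a leading '+', which are skipped (assumption)."""
    pending = set()
    for line in listing.splitlines():
        line = line.strip()
        if line and not line.startswith("+"):
            pending.add(line.split()[0].strip('"').lower())
    return pending

def cobbler_hostnames(systems):
    """Names Cobbler deployed, from get_systems() records (assumed to carry
    'hostname' and 'name' keys, as Cobbler's XMLRPC API does)."""
    return {s[k].lower() for s in systems for k in ("hostname", "name") if s.get(k)}

def select_signable(pending, known):
    """Sign only requests from Cobbler-known hosts; report the rest so an
    operator can inspect a box that Cobbler did not deploy."""
    signable = sorted(h for h in pending if h in known)
    unknown = sorted(h for h in pending if h not in known)
    return signable, unknown

def main():
    known = cobbler_hostnames(xmlrpc.client.ServerProxy(COBBLER_API).get_systems())
    listing = subprocess.run([PUPPETCA, "--list"], capture_output=True,
                             text=True, check=True).stdout
    signable, unknown = select_signable(parse_pending(listing), known)
    for host in signable:
        subprocess.run([PUPPETCA, "--sign", host], check=True)
    for host in unknown:
        print("left unsigned (not a Cobbler system):", host)

if __name__ == "__main__":
    main()
```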
