Here is one idea I've had and tested ... but it has some obvious
drawbacks which I'll detail ... still wondering if there are others.

On the ca_server I did: puppetca --generate client

I then copied the following generated files:

ssl/private_keys/client.pem (certA)
ssl/ca/signed/client.pem (certB)

and packaged them into my puppet client RPM to be deployed on puppet
agents at the following paths:

ssl/private_keys/client.pem (certA)
ssl/certs/client.pem (certB)

Then on the puppet agent I edited puppet.conf with:

[agent]
certname = client
node_name = facter

certname tells the system what 'hostname' to use for the cert.  By
default node_name uses the certname to describe the node, so I changed
that to facter.

This seems to be working as far as being able to communicate with the
puppet server and pull configs.  The only problem I'm having is with
puppet-dashboard, that groups reports based on certname it seems
instead of hostname/fqdn ... so the couple of hosts I have with the
same cert do not have separate nodes in the puppet-dashboard.  :(  I
was hoping the node_name entry would take care of that, but it didn't.

Any thoughts on this approach, maybe even how to get dashboard to work
with this method?  Or is this a horrible idea?

Also, what is foreman and how could it help.  Not familiar with that
product.

Thanks,
Jake

On Apr 13, 3:46 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Fri, Mar 11, 2011 at 10:38 AM, Patrick <
> patr...@googlealtert.spamtrap.fht-esslingen.de> wrote:
>
> > On 8 Mar., 14:54, Disconnect <dc.disconn...@gmail.com> wrote:
> > > Alternately, running the puppetca clean before starting the new client
> > will
> > > result in the standard unsigned behavior.
>
> > Maybe, but it would be nice to save this extra effort.  In our case,
> > we do not want the security features of puppet.
>
> > > (I do think its pretty broken that trying once with the wrong cert
> > poisons
> > > the client - if it is an attack, they can just wipe the client cert
> > again,
> > > and if it isn't - eg in your case - then it breaks..)
>
> > We know, but we are using build servers in a trusted network.. The
> > buildservers are often reinstalled and we do not want to manage the
> > certificates.
>
> You can use a tool like foreman which automates this whole process.
>
> Ohad

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
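An added example, not code from this thread or from Puppet itself, that models the identity consequence of shipping one pre-signed certificate to several agents as Jake describes. The hostnames and puppet.conf contents are constructed; the `node_name = facter` semantics (use the hostname fact for the node name instead of the certname) are taken from the post. It parses each host's puppet.conf, works out which name the master sees from the certificate and which name it uses for the node, flags hosts that share a certname, and shows why a report consumer that keys on certname collapses those hosts into one bucket:

```ruby
# Constructed puppet.conf contents for three agents. build01 and build02
# carry the same packaged certificate ("client"); web01 has its own.
PUPPET_CONFS = {
  'build01.example.com' => "[main]\nserver = puppet.example.com\n[agent]\ncertname = client\nnode_name = facter\n",
  'build02.example.com' => "[main]\nserver = puppet.example.com\n[agent]\ncertname = client\nnode_name = facter\n",
  'web01.example.com'   => "[main]\nserver = puppet.example.com\n[agent]\ncertname = web01.example.com\n",
}

# Minimal INI parser for puppet.conf: returns { section => { key => value } }.
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(\w+)\]\z/
      section = $1
    elsif line =~ /\A([\w.]+)\s*=\s*(.*)\z/
      conf[section][$1] = $2.strip
    end
  end
  conf
end

# Value of an agent setting: [agent] first, then [main], then a default.
def agent_setting(conf, key, default)
  conf['agent'][key] || conf['main'][key] || default
end

# The identity the master sees in the TLS handshake: the certname
# (defaulting to the host's fqdn when no certname is set).
def cert_identity(conf, fqdn)
  agent_setting(conf, 'certname', fqdn)
end

# The name the master classifies the node under. With node_name = facter it
# is the hostname fact; otherwise (node_name = cert, the default) the certname.
def node_identity(conf, fqdn)
  agent_setting(conf, 'node_name', 'cert') == 'facter' ? fqdn : cert_identity(conf, fqdn)
end

# Certnames presented by more than one host. Every such host holds the same
# private key, so the master cannot tell them apart at the transport layer.
def shared_certnames(confs)
  by_cert = Hash.new { |h, k| h[k] = [] }
  confs.each { |fqdn, text| by_cert[cert_identity(parse_puppet_conf(text), fqdn)] << fqdn }
  by_cert.select { |_, hosts| hosts.size > 1 }
end

# Simulate a report consumer grouping by certname (:certname) or by node
# name (:node_name); the former merges hosts that share a certificate.
def report_buckets(confs, key)
  buckets = Hash.new { |h, k| h[k] = [] }
  confs.each do |fqdn, text|
    conf = parse_puppet_conf(text)
    id = key == :certname ? cert_identity(conf, fqdn) : node_identity(conf, fqdn)
    buckets[id] << fqdn
  end
  buckets
end

if $PROGRAM_NAME == __FILE__
  shared_certnames(PUPPET_CONFS).each do |cert, hosts|
    puts "certname #{cert} is shared by #{hosts.join(', ')}: one private key, no per-host identity"
  end
  puts "reports keyed by certname:  #{report_buckets(PUPPET_CONFS, :certname).inspect}"
  puts "reports keyed by node name: #{report_buckets(PUPPET_CONFS, :node_name).inspect}"
end
```

Run against a directory of collected puppet.conf files, `shared_certnames` is the check to keep: any certname that appears on more than one host means those hosts are indistinguishable to the master and to anything downstream that keys on the certificate, which is exactly the dashboard symptom in the post.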