Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud 
Foreman for adding it as functionality though in their own code. For our 
situation, we ended up writing our own CGI script on the Puppet CA servers as 
well as a client-side script that runs periodically on the clients to verify 
whether or not their cert is still valid. When their cert gets 
close-to-expiring, it checks in with the CGI script and supplies the original 
CSR that the host used for its first cert request to puppet. Our CGI script 
then has permissions to run some openssl commands, and generates a whole new 
cert for the client and passes it back. This all happens over SSL of course, 
and is only allowed for clients that still have a valid certificate anyway. 
It's not pretty, but it's how we solved the problem... and it's worked so far. We 
have ~600 hosts and they each get a new cert every 25 days. 

Ideally there would be this functionality built into puppet... when a client 
checked in, the server would check if the cert is within X days of expiring. If 
it is, it would generate a new cert and pass it back to the client 
automatically. Of course this would be an 'option', but it seems like an 
obvious feature addition. 

I looked and could not find an actual bug report requesting this functionality 
explicitly, so I opened one: 

http://projects.puppetlabs.com/issues/7272


On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:

> 
> 
> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> OK, just had to post this!  I found a solution to my issues that may
> help others.
> 
> http://glarizza.posterous.com/managing-puppet-ssl-certificates
> 
> fyi - as the original author of that script... the same functionality exists 
> within foreman.
> 
> Ohad 
> 
> 
> Basically a CGI script located on your CA Server.  You can pass the
> hostname/certname that you want to clean via http to the script and
> have it clean it off the CA Server.  More details in the link above.
> This is working great for me and I'll be using it until similar
> functionality is included by default in puppet.
> 
> Regards,
> Jake
> 
> On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > Never mind, looks like it's in 2.7.0rc1
> >
> > http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> > cb01221 (#3360) Add an allow_duplicate_certs option
> >
> > On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> >
> > > Thanks for the reply.  I'm just starting to understand puppet, so I
> > > would like not to mess with that ... yet.  It does look very
> > > interesting though, so thanks for bringing that up.
> >
> > > Derek,
> >
> > > Thanks for the bug.  That looks like it includes some things that I
> > > would like ... like the allow duplicate cert and whatnot.  It looks
> > > like its status is closed as of 14 hours ago.  Does that mean it is in
> > > some release of puppet now, or just that the code is ready to eventually
> > > be implemented?  I'd like to start trying it out right away as my
> > > 'solution' doesn't seem to work well with dashboard.
> >
> > > Thanks,
> > > Jake
> >
> > > On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
> >
> > > > On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> >
> > > > > Also, what is foreman and how could it help.  Not familiar with that
> > > > > product.
> >
> > > > Foreman takes care of the entire process; things like provisioning,
> > > > class assignments and reporting are all done through it (and many many
> > > > other features).
> >
> > > > see http://theforeman.org for more details.
> >
> > > > Ohad
> 
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.

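The renewal flow the top post describes (client checks its own expiry, submits its original CSR over TLS, the CA-side script re-signs it only for a client that still holds a valid cert) sketched as an added example in Ruby with the OpenSSL stdlib. This is not the poster's script and not code from Puppet or Foreman; the 5-day window, the 30-day lifetime, the certname web01.example.com, the serial numbers and the throwaway CA are all assumptions made so it runs offline.

```ruby
require 'openssl'

# Assumptions (not from the post): renew when under 5 days remain; certs live 30 days.
RENEW_WITHIN_DAYS = 5
CERT_LIFETIME_DAYS = 30
DIGEST = 'SHA256'

# Throwaway CA, constructed so the example runs offline. A real deployment
# would load the Puppet CA key and cert from the CA server's ssldir instead.
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3650 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Client side: the CSR the host made for its first request (same key every time).
def make_csr(key, certname)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  csr
end

# Client side: the periodic check. True once the cert is inside the renewal window.
def needs_renewal?(cert, now = Time.now, window_days = RENEW_WITHIN_DAYS)
  cert.not_after - now < window_days * 86_400
end

# CA side: sign a CSR. `serial` must never repeat; a real service keeps a
# persistent counter or draws a random 64-bit value.
def sign_csr(csr, ca_key, ca_cert, serial, now: Time.now, lifetime_days: CERT_LIFETIME_DAYS)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = now - 60
  cert.not_after = now + lifetime_days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth'))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# CA side: the decision the CGI script makes. `presented_pem` is the cert the
# client authenticated the TLS connection with (under Apache mod_ssl it arrives
# as ENV['SSL_CLIENT_CERT'] when SSLOptions +ExportCertData is set).
# Returns [true, new_cert] or [false, reason].
def renew(csr_pem, presented_pem, ca_key, ca_cert, serial, now: Time.now, lifetime_days: CERT_LIFETIME_DAYS)
  csr = OpenSSL::X509::Request.new(csr_pem)
  presented = OpenSSL::X509::Certificate.new(presented_pem)

  # 1. Only a client that still holds a valid cert from this CA may renew.
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = now
  return [false, 'presented certificate is expired or not issued by this CA'] unless store.verify(presented)

  # 2. The CSR must carry a valid self-signature (proof of possession of the key).
  return [false, 'CSR signature invalid'] unless csr.verify(csr.public_key)

  # 3. Renewal may not change identity: subject and key must match the presented cert.
  return [false, 'CSR subject differs from presented certificate'] unless csr.subject.to_s == presented.subject.to_s
  return [false, 'CSR key differs from presented certificate'] unless csr.public_key.to_der == presented.public_key.to_der

  [true, sign_csr(csr, ca_key, ca_cert, serial, now: now, lifetime_days: lifetime_days)]
end

# Stand-alone run: issue, jump 26 simulated days, renew; then show a refusal.
if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = make_ca
  csr = make_csr(OpenSSL::PKey::RSA.new(2048), 'web01.example.com')  # constructed certname
  t0 = Time.now
  first = sign_csr(csr, ca_key, ca_cert, 100, now: t0)
  t26 = t0 + 26 * 86_400
  puts "needs renewal at day 26: #{needs_renewal?(first, t26)}"
  ok, renewed = renew(csr.to_pem, first.to_pem, ca_key, ca_cert, 101, now: t26)
  puts "renewed: #{ok}, new expiry #{renewed.not_after}"
  ok, reason = renew(csr.to_pem, first.to_pem, ca_key, ca_cert, 102, now: t0 + 31 * 86_400)
  puts "renew with expired cert: #{ok} (#{reason})"
end
```

Two points worth noting about this shape of design. First, the "still has a valid cert" gate is the whole authorization: the web server in front of the CGI must require a client certificate (not merely accept one) and the script must trust only the cert the TLS layer hands it, never a PEM posted in the request body. Second, because the check is purely certificate-based, a key copied off a host keeps renewing itself until someone revokes it, so the CA-side script should also consult the CRL (or refuse names the CA has cleaned), which `OpenSSL::X509::Store#add_crl` with the `CRL_CHECK` flag would add to step 1.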