Out of curiosity, if you're going to do this, why not just set the TTL
to 100y and be done with it?

Doesn't help old systems, but certainly fixes new ones without the
need for constant re-signing.

Trevor

On Thu, Apr 28, 2011 at 10:30 AM, Matt Wise <w...@wiredgeek.net> wrote:
> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud
> Foreman for adding it as functionality though in their own code. For our
> situation, we ended up writing our own CGI script on the Puppet CA servers
> as well as a client-side script that runs periodically on the clients to
> verify whether or not their cert is still valid. When their cert gets
> close-to-expiring, it checks in with the CGI script and supplies the
> original CSR that the host used for its first cert request to puppet. Our
> CGI script then has permissions to run some openssl commands, and generates
> a whole new cert for the client and passes it back. This all happens over
> SSL of course, and is only allowed for clients that still have a valid
> certificate anyways. It's not pretty, but it's how we solved the problem...
> and it's worked so far. We have ~600 hosts and they each get a new cert every
> 25 days.
> Ideally there would be this functionality built into puppet... when a client
> checked in, the server would check if the cert is within X days of expiring.
> If it is, it would generate a new cert and pass it back to the client
> automatically. Of course this would be an 'option', but it seems like an
> obvious feature addition.
> I looked and could not find an actual bug report requesting this
> functionality explicitly, so I opened one:
> http://projects.puppetlabs.com/issues/7272
>
> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
>
>
> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov>
> wrote:
>>
>> OK, just had to post this!  I found a solution to my issues that may
>> help others.
>>
>> http://glarizza.posterous.com/managing-puppet-ssl-certificates
>
> fyi - as the original author of that script... the same functionality exists
> within foreman.
> Ohad
>>
>> Basically a CGI script located on your CA Server.  You can pass the
>> hostname/certname that you want to clean via http to the script and
>> have it clean it off the CA Server.  More details in the link above.
>> This is working great for me and I'll be using it until similar
>> functionality is included by default in puppet.
>>
>> Regards,
>> Jake
>>
>> On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
>> > Nevermind, looks like it's in 2.7.0rc1
>> >
>> > http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
>> > cb01221 (#3360) Add an allow_duplicate_certs option
>> >
>> > On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
>> >
>> > > Thanks for the reply.  I'm just starting to understand puppet, so I
>> > > would like not to mess with that ... yet.  It does look very
>> > > interesting though, so thanks for bringing that up.
>> >
>> > > Derek,
>> >
>> > > Thanks for the bug.  That looks like it includes some things that I
>> > > would like ... like the allow duplicate cert and whatnot.  It looks
>> > > like its status is closed as of 14 hours ago.  Does that mean it is in
>> > > some release of puppet now, or just that the code is ready to eventually
>> > > be implemented?  I'd like to start trying it out right away as my
>> > > 'solution' doesn't seem to work well with dashboard.
>> >
>> > > Thanks,
>> > > Jake
>> >
>> > > On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
>> >
>> > > > On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
>> >
>> > > > > Also, what is foreman and how could it help?  Not familiar with
>> > > > > that product.
>> >
>> > > > Foreman takes care of the entire process; things like provisioning,
>> > > > class assignments and reporting are all done through it (and many many
>> > > > other features).
>> >
>> > > > see http://theforeman.org for more details.
>> >
>> > > > Ohad
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
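Matt's scheme above rests on two checks: the client asking "is my cert within N days of expiring?" and the CA asking "does the cert this client presents still chain to us and is it unexpired?" before it will re-sign the stored CSR. Here is what both look like in plain openssl, as an added example that is not code from this thread, from Puppet or from Foreman. It assumes `openssl` is on PATH; the function names, the file names and the 5-day threshold are made up for the demo, and the throwaway CA it builds stands in for the real Puppet CA.

```shell
#!/bin/sh
# Added example (not from the thread, Puppet or Foreman): the client-side
# expiry check and the CA-side validity gate behind Matt's renewal scheme.
# Assumptions: openssl on PATH; file names and thresholds are invented.

# Exit 0 if CERT expires within DAYS days (or is already expired), 1 otherwise.
# openssl x509 -checkend N exits 0 when the cert is still good N seconds from
# now and non-zero when it will have expired by then, so we invert it.
# A missing or unreadable cert also reads as "needs renewal", which is what a
# client that has lost its cert wants anyway.
cert_needs_renewal() {
    cert="$1"
    days="${2:-5}"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    else
        return 0   # will expire inside the window, or already has
    fi
}

# Print the number of whole days until CERT expires (0 if already expired),
# found by widening the -checkend window one day at a time up to LIMIT days.
cert_days_left() {
    cert="$1"
    limit="${2:-3650}"
    d=0
    while [ "$d" -le "$limit" ]; do
        if ! openssl x509 -in "$cert" -noout -checkend $((d * 86400)) >/dev/null 2>&1; then
            echo "$d"
            return 0
        fi
        d=$((d + 1))
    done
    echo "$limit"
}

# CA-side gate: exit 0 only if CERT is unexpired and was issued by CA_CERT.
# This is the "only allowed for clients that still have a valid certificate"
# rule: a renewal request arriving under any other cert is refused.
ca_accepts_client() {
    ca_cert="$1"
    cert="$2"
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1
}

# Build a throwaway CA plus one client cert valid for DAYS days in DIR.
# Constructed fixture for the demo only; it is not a Puppet CA layout.
make_test_pki() {
    dir="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host1.example" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -out "$dir/client.crt" >/dev/null 2>&1
}

# Demo: a client cert with 3 days left crosses a 5-day renewal threshold but
# not a 1-day one, and is accepted by the CA that issued it.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" 3
echo "days left: $(cert_days_left "$demo_dir/client.crt" 30)"
if cert_needs_renewal "$demo_dir/client.crt" 5; then
    echo "threshold 5d: renew now"
else
    echo "threshold 5d: still fine"
fi
if cert_needs_renewal "$demo_dir/client.crt" 1; then
    echo "threshold 1d: renew now"
else
    echo "threshold 1d: still fine"
fi
if ca_accepts_client "$demo_dir/ca.crt" "$demo_dir/client.crt"; then
    echo "CA gate: client cert valid, renewal request may proceed"
fi
rm -rf "$demo_dir"
```

On a Puppet agent the cert to feed `cert_needs_renewal` is the one under its ssldir (`certs/<certname>.pem`); the renewal threshold should be comfortably larger than the longest gap between agent runs, otherwise a host that is down for a few days comes back with an expired cert and fails the CA-side gate, which is exactly the case the periodic client script is there to avoid.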
