Yea, I'm new to puppet ... sounds like now I have to worry about certs eventually expiring and regenerate/sign them to keep nodes happy?
Seems Trevor suggests increasing TTL. How can I do this if I wanted to?

Thanks,
Jake

On Apr 28, 9:30 am, Matt Wise <w...@wiredgeek.net> wrote:
> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud
> Foreman for adding it as functionality though in their own code. For our
> situation, we ended up writing our own CGI script on the Puppet CA servers as
> well as a client-side script that runs periodically on the clients to verify
> whether or not their cert is still valid. When their cert gets
> close-to-expiring, it checks in with the CGI script and supplies the original
> CSR that the host used for its first cert request to puppet. Our CGI script
> then has permissions to run some openssl commands, and generates a whole new
> cert for the client and passes it back. This all happens over SSL of course,
> and is only allowed for clients that still have a valid certificate anyways.
> It's not pretty, but it's how we solved the problem... and it's worked so far.
> We have ~600 hosts and they each get a new cert every 25 days.
>
> Ideally there would be this functionality built into puppet... when a client
> checked in, the server would check if the cert is within X days of expiring.
> If it is, it would generate a new cert and pass it back to the client
> automatically. Of course this would be an 'option', but it seems like an
> obvious feature addition.
>
> I looked and could not find an actual bug report requesting this
> functionality explicitly, so I opened one:
>
> http://projects.puppetlabs.com/issues/7272
>
> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
>
> > On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > OK, just had to post this! I found a solution to my issues that may
> > > help others.
> > >
> > > http://glarizza.posterous.com/managing-puppet-ssl-certificates
> >
> > fyi - as the original author of that script... the same functionality
> > exists within foreman.
> >
> > Ohad
> >
> > > Basically a CGI script located on your CA Server. You can pass the
> > > hostname/certname that you want to clean via http to the script and
> > > have it clean it off the CA Server. More details in the link above.
> > > This is working great for me and I'll be using it until similar
> > > functionality is included by default in puppet.
> > >
> > > Regards,
> > > Jake
> > >
> > > On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > Nevermind, looks like it's in 2.7.0rc1
> > > >
> > > > http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> > > > cb01221 (#3360) Add an allow_duplicate_certs option
> > > >
> > > > On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > Thanks for the reply. I'm just starting to understand puppet, so I
> > > > > would like not to mess with that ... yet. It does look very
> > > > > interesting though, so thanks for bringing that up.
> > > > >
> > > > > Derek,
> > > > >
> > > > > Thanks for the bug. That looks like it includes some things that I
> > > > > would like ... like the allow duplicate cert and whatnot. It looks
> > > > > like its status closed as of 14 hours ago. Does that mean it is in
> > > > > some release of puppet now, or just that code is ready to eventually
> > > > > be implemented? I'd like to start trying it out right away as my
> > > > > 'solution' doesn't seem to work well with dashboard.
> > > > >
> > > > > Thanks,
> > > > > Jake
> > > > >
> > > > > On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
> > > > > > On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > Also, what is foreman and how could it help. Not familiar with that
> > > > > > > product.
> > > > > >
> > > > > > Foreman takes care of the entire process, things like provisioning,
> > > > > > class assignments and reporting are all done through it (and many many
> > > > > > other features).
> > > > > >
> > > > > > see http://theforeman.org for more details.
> > > > > >
> > > > > > Ohad
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Puppet Users" group.
> > > To post to this group, send email to puppet-users@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > puppet-users+unsubscr...@googlegroups.com.
> > > For more options, visit this group
> > > at http://groups.google.com/group/puppet-users?hl=en.