I responded to this last night but don't see my reply still this morning, so I'm going to respond again.

I had a question about whether the CA and CRL being signed for 5 years is static or also controlled by ca_ttl. If they are 5y regardless/static, is there some sort of action I need to take when they expire, or does puppet take care of them automatically? Just want to make sure whether upping ca_ttl is good enough for me or if there are other things I need to potentially be aware of.

Thanks,
Jake

On May 3, 3:30 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Tue, May 3, 2011 at 9:29 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > Thanks for the response. I found it in the genconf now. Looks like
> > default is 5y. I'll be changing it for my needs.
>
> note that the CA itself is signed for 5 years too... (and it seems that the
> CRL as well - which is wrong).
>
> Ohad
>
> > Thanks!
> > Jake
> >
> > On May 3, 12:53 pm, Matt Wise <w...@wiredgeek.net> wrote:
> > > the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
> > > ultimately need to re-sign the certs for clients when they expire. the
> > > default is 1 year though, so it'll be a while.
> > >
> > > On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:
> > > > Yea, I'm new to puppet ... sounds like now I have to worry about certs
> > > > eventually expiring and regenerate/sign them to keep nodes happy?
> > > >
> > > > Seems Trevor suggests increasing TTL. How can I do this if I wanted
> > > > to?
> > > >
> > > > Thanks,
> > > > Jake
> > > >
> > > > On Apr 28, 9:30 am, Matt Wise <w...@wiredgeek.net> wrote:
> > > > > Unfortunately, this is still a 'missing feature' of Puppet IMO. I
> > > > > applaud Foreman for adding it as functionality though in their own code. For
> > > > > our situation, we ended up writing our own CGI script on the Puppet CA
> > > > > servers as well as a client-side script that runs periodically on the
> > > > > clients to verify whether or not their cert is still valid. When their cert
> > > > > gets close to expiring, it checks in with the CGI script and supplies the
> > > > > original CSR that the host used for its first cert request to puppet. Our
> > > > > CGI script then has permissions to run some openssl commands, and generates
> > > > > a whole new cert for the client and passes it back. This all happens over
> > > > > SSL of course, and is only allowed for clients that still have a valid
> > > > > certificate anyways. It's not pretty, but it's how we solved the problem...
> > > > > and it's worked so far. We have ~600 hosts and they each get a new cert every
> > > > > 25 days.
> > > > >
> > > > > Ideally there would be this functionality built into puppet... when a
> > > > > client checked in, the server would check if the cert is within X days of
> > > > > expiring. If it is, it would generate a new cert and pass it back to the
> > > > > client automatically. Of course this would be an 'option', but it seems like
> > > > > an obvious feature addition.
> > > > >
> > > > > I looked and could not find an actual bug report requesting this
> > > > > functionality explicitly, so I opened one:
> > > > >
> > > > > http://projects.puppetlabs.com/issues/7272
> > > > >
> > > > > On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
> > > > > > On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > OK, just had to post this! I found a solution to my issues that may
> > > > > > > help others.
> > > > > > >
> > > > > > > http://glarizza.posterous.com/managing-puppet-ssl-certificates
> > > > > >
> > > > > > fyi - as the original author of that script... the same functionality
> > > > > > exists within foreman.
> > > > > >
> > > > > > Ohad
> > > > > >
> > > > > > > Basically a CGI script located on your CA Server. You can pass the
> > > > > > > hostname/certname that you want to clean via http to the script and
> > > > > > > have it clean it off the CA Server. More details in the link above.
> > > > > > > This is working great for me and I'll be using it until similar
> > > > > > > functionality is included by default in puppet.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jake
> > > > > > >
> > > > > > > On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > Nevermind, looks like it's in 2.7.0rc1
> > > > > > > > http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> > > > > > > > cb01221 (#3360) Add an allow_duplicate_certs option
> > > > > > > >
> > > > > > > > On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > > Thanks for the reply. I'm just starting to understand puppet, so I
> > > > > > > > > would like not to mess with that ... yet. It does look very
> > > > > > > > > interesting though, so thanks for bringing that up.
> > > > > > > > >
> > > > > > > > > Derek,
> > > > > > > > >
> > > > > > > > > Thanks for the bug. That looks like it includes some things that I
> > > > > > > > > would like ... like the allow duplicate cert and whatnot. It looks
> > > > > > > > > like its status is closed as of 14 hours ago. Does that mean it is in
> > > > > > > > > some release of puppet now, or just that the code is ready to eventually
> > > > > > > > > be implemented? I'd like to start trying it out right away as my
> > > > > > > > > 'solution' doesn't seem to work well with dashboard.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Jake
> > > > > > > > >
> > > > > > > > > On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
> > > > > > > > > > On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > > > > Also, what is foreman and how could it help? Not familiar with that
> > > > > > > > > > > product.
> > > > > > > > > >
> > > > > > > > > > Foreman takes care of the entire process; things like provisioning, class
> > > > > > > > > > assignments and reporting are all done through it (and many many other
> > > > > > > > > > features).
> > > > > > > > > >
> > > > > > > > > > see http://theforeman.org for more details.
> > > > > > > > > >
> > > > > > > > > > Ohad
> > > > > >
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google
> > > > > > Groups "Puppet Users" group.
> > > > > > To post to this group, send email to puppet-users@googlegroups.com.
> > > > > > To unsubscribe from this group, send email to
> > > > > > puppet-users+unsubscr...@googlegroups.com.
> > > > > > For more options, visit this group at
> > > > > > http://groups.google.com/group/puppet-users?hl=en.
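Added example, not part of the thread and not Puppet's or Foreman's code: a minimal Ruby (Puppet's own language) model of the renewal scheme Matt describes above. The client side keeps its original CSR and periodically checks how many days its cert has left; the CA side re-issues from that CSR only if the client's current cert still chains to the CA and is unexpired at the time of the request. The CA, certnames, serials, the `TTL_DAYS` stand-in for `ca_ttl`, and the extra check that the CSR's subject and public key match the current cert are all assumptions of this example.

```ruby
require 'openssl'

# Example code (not Puppet's or Foreman's). The CA, certnames, serials and
# lifetimes are constructed here; TTL_DAYS stands in for puppet's ca_ttl.
ONE_DAY  = 24 * 60 * 60
TTL_DAYS = 365 # assumption: one-year client certs, as in the thread

# X.509 validity times carry whole seconds only, so truncate `now` to keep
# the day arithmetic below exact.
def now_s
  Time.at(Time.now.to_i)
end

# Self-signed CA (constructed). Five-year lifetime, as discussed in the thread.
def make_ca(name = '/CN=example-puppet-ca', ttl_days: 5 * 365, now: now_s)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(name)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after  = now + ttl_days * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Client side: the agent's key and the CSR it keeps and re-submits at renewal.
def make_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version    = 0
  req.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, req]
end

# CA side: sign a CSR for ttl_days starting at `now`.
def issue_cert(ca_key, ca_cert, csr, serial:, ttl_days: TTL_DAYS, now: now_s)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = csr.subject
  cert.issuer     = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = now
  cert.not_after  = now + ttl_days * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Client side: the periodic "is my cert close to expiring?" check.
def days_remaining(cert, now = now_s)
  ((cert.not_after - now) / ONE_DAY).floor
end

def renewal_due?(cert, threshold_days, now = now_s)
  days_remaining(cert, now) <= threshold_days
end

# CA side: the role of the thread's CGI script. Re-issue only when the client's
# current cert still chains to this CA and is unexpired at `now`, and the
# submitted CSR names the same subject and key (the subject/key match is an
# added check in this example, not something the thread describes).
def renew(ca_key, ca_cert, current_cert, csr, serial:, ttl_days: TTL_DAYS, now: now_s)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = now
  unless store.verify(current_cert)
    return [:rejected, "current cert not valid: #{store.error_string}"]
  end
  unless csr.subject.to_der == current_cert.subject.to_der
    return [:rejected, 'CSR subject differs from current cert']
  end
  unless csr.public_key.to_der == current_cert.public_key.to_der
    return [:rejected, 'CSR public key differs from current cert']
  end
  [:ok, issue_cert(ca_key, ca_cert, csr, serial: serial, ttl_days: ttl_days, now: now)]
end

if __FILE__ == $0
  ca_key, ca_cert = make_ca
  _agent_key, csr = make_csr('agent01.example.com')
  t0    = now_s
  cert  = issue_cert(ca_key, ca_cert, csr, serial: 2, now: t0)
  later = t0 + (TTL_DAYS - 25) * ONE_DAY # 25 days before expiry
  puts "days remaining at issue: #{days_remaining(cert, t0)}"
  puts "renewal due 25 days out (threshold 30)? #{renewal_due?(cert, 30, later)}"
  status, new_cert = renew(ca_key, ca_cert, cert, csr, serial: 3, now: later)
  puts "renew: #{status}, new not_after #{new_cert.not_after}" if status == :ok
  status, why = renew(ca_key, ca_cert, cert, csr, serial: 4, now: t0 + (TTL_DAYS + 1) * ONE_DAY)
  puts "renew after expiry: #{status} (#{why})"
end
```

The point of passing `now` explicitly is that the CA-side store is pinned to the request time, so a cert that has already lapsed is refused rather than renewed; in a real deployment the CGI would use the wall clock, and the transport would be the mutually authenticated HTTPS the thread mentions, which this example does not model.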