On Friday, February 8, 2013 11:58:22 PM UTC, Nick Fagerlund wrote:

> If a brand new never-seen-before agent starts up, it goes like this:
>
> * Do I have a private key? Nope? Better generate one.
> * Okay, do I have a certificate? Nope? See if the master already has one 
> for me. This looks like a GET request to /certificate/<node name>.
>   * If it gets one, it's good to go.
> * Master didn't give me a cert. Okay, have I submitted a certificate 
> signing request before? Look in $ssldir/certificate_requests for my own 
> name.
>   * If there's one there, it bails and waits, assuming it's waiting for 
> the master to sign that thing. 
> * Okay, there's nothing there, but maybe I developed amnesia. Better ask 
> the master if I've asked for one. This looks like a GET request to 
> /certificate_request/<node name>.
>   * If the master says it's already asked, it will just bail and say "I'm 
> still waiting for that."
> * Okay, I never even asked for a cert, it looks like. Well, time to ask 
> for one. This looks like a PUT request to /certificate_request/<node name>.
>   * Now if autosign is turned on, it can GET /certificate/<node name> and 
> continue; otherwise it'll bail and go through this whole process again next 
> time, in which case it says "yes I have a private key, no I don't have a 
> cert" and gets to work on the second step above. 
>

Nick, that's a pretty awesome explanation of the handshake and corresponding
REST calls. Is that written down anywhere official? Perhaps with
corresponding Puppet Master / Agent log entries?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
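The request sequence from the quoted explanation, modeled as an added example that is not part of the original thread and is not Puppet's own code. `MockMaster`, `agent_run` and the `ssldir` hash (standing in for the files under $ssldir) are hypothetical names, and the key, CSR and certificate values are constructed placeholder strings. The list of requests each run returns is what you would expect to see from a node at each stage of bootstrap.

```ruby
# Added illustration; MockMaster and agent_run are hypothetical names, not Puppet code.
class MockMaster
  def initialize(autosign: false)
    @autosign = autosign
    @csrs = {}   # node name => pending CSR
    @certs = {}  # node name => signed certificate
  end

  # GET /certificate/<node> or GET /certificate_request/<node>; nil means "not found".
  def get(path)
    _, kind, name = path.split('/')
    kind == 'certificate' ? @certs[name] : @csrs[name]
  end

  # PUT /certificate_request/<node>: store the CSR, sign immediately if autosign is on.
  def put(path, csr)
    _, _, name = path.split('/')
    @csrs[name] = csr
    sign(name) if @autosign
  end

  # What an operator does by hand when autosign is off.
  def sign(name)
    @certs[name] = "CERT(#{@csrs[name]})"
  end
end

# One agent run. `ssldir` is a Hash standing in for the files under $ssldir.
# Returns [status, requests_sent].
def agent_run(node, ssldir, master)
  sent = []
  call = lambda do |verb, path, body = nil|
    sent << "#{verb} #{path}"
    verb == 'PUT' ? master.put(path, body) : master.get(path)
  end

  ssldir[:key] ||= "KEY(#{node})"                        # no private key: generate one
  return [:ready, sent] if ssldir[:cert]                 # already have a certificate
  ssldir[:cert] = call.('GET', "/certificate/#{node}")   # does the master have one for me?
  return [:ready, sent] if ssldir[:cert]
  return [:waiting, sent] if ssldir[:csr]                # CSR on disk: wait for signing
  return [:waiting, sent] if call.('GET', "/certificate_request/#{node}")  # amnesia check
  ssldir[:csr] = "CSR(#{node})"
  call.('PUT', "/certificate_request/#{node}", ssldir[:csr])
  # Assumption: the agent always retries the GET; it only succeeds under autosign.
  ssldir[:cert] = call.('GET', "/certificate/#{node}")
  [ssldir[:cert] ? :ready : :waiting, sent]
end
```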