On Friday, February 8, 2013 11:58:22 PM UTC, Nick Fagerlund wrote:
> If a brand new never-seen-before agent starts up, it goes like this:
>
> * Do I have a private key? Nope? Better generate one.
> * Okay, do I have a certificate? Nope? See if the master already has one for me. This looks like a GET request to /certificate/<node name>.
> * If it gets one, it's good to go.
> * Master didn't give me a cert. Okay, have I submitted a certificate signing request before? Look in $ssldir/certificate_requests for my own name.
> * If there's one there, it bails and waits, assuming it's waiting for the master to sign that thing.
> * Okay, there's nothing there, but maybe I developed amnesia. Better ask the master if I've asked for one. This looks like a GET request to /certificate_request/<node name>.
> * If the master says it's already asked, it will just bail and say "I'm still waiting for that."
> * Okay, I never even asked for a cert, it looks like. Well, time to ask for one. This looks like a PUT request to /certificate_request/<node name>.
> * Now if autosign is turned on, it can GET /certificate/<node name> and continue; otherwise it'll bail and go through this whole process again next time, in which case it says "yes I have a private key, no I don't have a cert" and gets to work on the second step above.

Nick that's a pretty awesome explanation of the handshake and corresponding REST calls. Is that written down anywhere official? Perhaps with corresponding Puppet Master / Agent log entries?
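The sequence of REST calls in the quoted walkthrough, modelled as an added example that is not part of either message and is not Puppet's own code. `FakeMaster`, `Agent`, the node names and the key/CSR/cert strings are hypothetical stand-ins held in memory; the model assumes the agent always attempts the final GET after its PUT, which only returns a certificate when autosign is on.

```ruby
# In-memory model of the agent bootstrap steps quoted above (illustration only).
class FakeMaster
  attr_reader :log

  def initialize(autosign: false)
    @autosign, @csrs, @certs, @log = autosign, {}, {}, []
  end

  def get(path)
    @log << "GET #{path}"
    kind, name = path.split('/').reject(&:empty?)
    kind == 'certificate' ? @certs[name] : @csrs[name]
  end

  def put(path, csr)
    @log << "PUT #{path}"
    name = path.split('/').last
    @csrs[name] = csr
    sign(name) if @autosign
  end

  # Stands in for an administrator (or autosign) signing a pending request.
  def sign(name)
    @certs[name] = "cert-for-#{name}" if @csrs.key?(name)
  end
end

class Agent
  def initialize(name, master)
    @name, @master = name, master
    @key = @cert = nil
    @local_csr = false # models a file under $ssldir/certificate_requests
  end

  def run
    @key ||= "key-for-#{@name}"                       # generate a key only once
    return :ready if @cert
    @cert = @master.get("/certificate/#{@name}")
    return :ready if @cert
    return :waiting if @local_csr                     # already asked, per local state
    return :waiting if @master.get("/certificate_request/#{@name}") # "amnesia" check
    @master.put("/certificate_request/#{@name}", "csr-for-#{@name}")
    @local_csr = true
    @cert = @master.get("/certificate/#{@name}")      # assumed: succeeds only with autosign
    @cert ? :ready : :waiting
  end
end
```

Reading `master.log` after each `run` gives the request trace for that pass, which is the part of the flow that shows up in master-side access logs.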
