Thanks Pete, but unfortunately that won't work. The nodes are out of my control, and all I can do is provide their owners with client certs via a web GUI. In addition to that, I would need multiple CAs, as the clients (and puppetmasters) would be destined for different owners, and they shouldn't share the CA.
On Wednesday, February 20, 2013 2:15:33 AM UTC, Pete wrote:
>
> You might have better luck using something like FreeIPA and using its CA
> cert and setting up certs for each node and using those as the puppet certs.
>
> This may help.
> http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/
>
> I had a go at setting it up but I am using FreeIPA 3 and the steps need
> some changing for that so your mileage may vary.
>
>
> On 20 February 2013 06:15, <spankt...@gmail.com> wrote:
>
>> Dear Felix,
>>
>> I think you're getting it wrong, let me clarify it a bit. The goal of
>> this is to be able to write a web interface for generating puppetmasters'
>> CAs and client certificates on demand. An example: install 3 puppetmasters
>> with a loadbalancer in front. Use the web interface to generate a CA and
>> certificates for chosen clients (let's say, 10 machines). Deploy such
>> generated CAs on the puppetmasters, and the relevant bits on the puppet
>> clients to authorize them against these puppetmasters. Whenever there's a
>> need for change, use that CA via the web interface to add and delete client
>> certificates, redeploy them on the puppetmasters and so on. This, while
>> doable via subprocess functions (Python is the language of choice for me,
>> but that doesn't really matter) and calls to the relevant puppet system
>> commands, is an extremely ugly and inflexible solution. I would love to do
>> it via the openssl library, but to do so, I'd need to have a workable way
>> to build CAs and sign (and revoke) client certs via the openssl command - so
>> far I can't reach that goal. I hope this makes more sense now.
>>
>> Regards,
>> S.
>>
>> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>>
>>> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>>> > after creating CA and client cert and applying them to puppetmaster,
>>> > it complains with:
>>>
>>> Wait, what? You create a new CA, even after agents have already been
>>> certified, then create new agent certificates?
>>>
>>> If your CA changes, you will have to terminate all the (now deprecated)
>>> agent certificates and sign new certificates for all agents.
>>>
>>> Basically, I would expect the outcome you are observing, and you should
>>> just follow the instructions given in your log excerpt. Note that you
>>> are *not* supposed to remove the CA from the master, only the copy of
>>> the agent's certificate.
>>>
>>> HTH,
>>> Felix
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users...@googlegroups.com.
>> To post to this group, send email to puppet...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
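The workflow the original poster is after (build a CA per owner, sign agent certs on demand, revoke them later, all with the openssl command line) looks like the script below. This is an added example written for this page; it is not code from the thread, from Puppet, or from the linked FreeIPA article. It assumes an openssl CLI of 1.1 or newer (older `openssl verify` builds did not return a useful exit status), and the directory names, CA names and the "owner A / owner B" split are invented for illustration. The Puppet-side notes in the comments reflect the Puppet 3 era of the thread: the CN must equal the agent's certname, and the master keeps the CA under `$ssldir/ca` (`ca_crt.pem`, `ca_key.pem`, `ca_crl.pem`) while each agent needs `certs/ca.pem`, `certs/<certname>.pem` and `private_keys/<certname>.pem`; confirm the layout for your version with `puppet config print ssldir`.

```shell
#!/bin/sh
# Added example (not code from the thread or from Puppet): a per-owner CA for
# Puppet agents driven purely with the openssl CLI. Directory names, CA names
# and the owner-A / owner-B split are invented for illustration.
set -eu

# make_ca <dir> <ca-name>: fresh CA (key, self-signed cert, empty index, empty CRL).
# One directory per owner means one trust root per owner; nothing is shared.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir/newcerts" "$dir/issued"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]
commonName         = Common Name
[ ca ]
default_ca = puppet_ca
[ puppet_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca_crt.pem
private_key      = \$dir/ca_key.pem
default_md       = sha256
default_days     = 1825
default_crl_days = 30
unique_subject   = no        # re-issue for a certname after it was revoked
policy           = policy_cn
x509_extensions  = agent_ext
[ policy_cn ]
commonName = supplied        # Puppet compares CN with the agent's certname
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ agent_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth,serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -out "$dir/ca_key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca_key.pem" -subj "/CN=$name" \
        -config "$dir/openssl.cnf" -extensions ca_ext -out "$dir/ca_crt.pem"
    # an empty CRL from day one, so CRL-checking verifiers have something to load
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca_crl.pem"
}

# sign_agent <dir> <certname>: key + CSR for one agent, signed by this CA.
# Generating the key here is what "hand out certs via web GUI" implies; a
# CSR-only flow would leave the private key on the node, which is preferable.
sign_agent() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/issued/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/issued/$cn.key" -subj "/CN=$cn" \
        -config "$dir/openssl.cnf" -out "$dir/issued/$cn.csr"
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/issued/$cn.csr" -out "$dir/issued/$cn.pem"
}

# revoke_agent <dir> <certname>: mark the cert revoked and publish a new CRL.
# The CRL must then be redeployed to the puppetmasters, or revocation is a no-op.
revoke_agent() {
    dir=$1; cn=$2
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/issued/$cn.pem" -crl_reason superseded
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca_crl.pem"
}

# verify_cert <dir> <cert.pem>: succeeds only if the cert chains to this owner's
# CA and is not on its current CRL; roughly what the master checks on connect.
verify_cert() {
    dir=$1; cert=$2
    cat "$dir/ca_crt.pem" "$dir/ca_crl.pem" > "$dir/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$dir/ca_with_crl.pem" "$cert" >/dev/null 2>&1
}

# demo: two owners, two CAs; revoke one agent; show the CAs do not trust each other.
demo() {
    root=$(mktemp -d)
    make_ca "$root/ownerA" "Puppet CA for owner A"
    sign_agent "$root/ownerA" "web01.ownera.example"
    verify_cert "$root/ownerA" "$root/ownerA/issued/web01.ownera.example.pem" && echo "web01: valid"
    revoke_agent "$root/ownerA" "web01.ownera.example"
    verify_cert "$root/ownerA" "$root/ownerA/issued/web01.ownera.example.pem" || echo "web01: revoked"
    make_ca "$root/ownerB" "Puppet CA for owner B"
    verify_cert "$root/ownerB" "$root/ownerA/issued/web01.ownera.example.pem" || echo "owner B CA rejects owner A agent"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh puppet_ca.sh demo` to see the three cases. A web front end in Python can call these four functions (or the same openssl invocations via `subprocess`) with one CA directory per owner; what it must then ship is `ca_crt.pem` plus `ca_crl.pem` to every puppetmaster of that owner and the agent's key, cert and `ca_crt.pem` to the node. Two things the script deliberately leaves out: the puppetmasters' own certificates, which behind a load balancer need the balancer's name as a subjectAltName (Puppet's `dns_alt_names` setting covers this when Puppet's CA is used), and key protection, since a service that generates agent private keys centrally now has to hand them over to node owners securely and should not keep copies around afterwards.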