Dear Felix,

On Wednesday, February 20, 2013 10:51:50 AM UTC, Felix.Frank wrote:
>
> On 02/20/2013 11:37 AM, spankt...@gmail.com wrote: 
> > Incorrect. You *do* want to create new CAs. What about different 
> > puppetmaster pools? Imagine you and me, we both want a puppetmaster 
> > setup with LBs in front of them, for our own machines, and we'd rather 
> > want to have different CAs for our puppetmasters. 
>
> Well, so you'd want *your* agents to receive catalogs from *my* puppet 
> masters? 
>

No, absolutely not. I need a piece of web based software that would allow 
you and me to generate our own CAs for our own, separate puppetmaster 
clusters, and client certs signed using these CAs. Your CA would be for 
your puppetmasters and clients only, mine would be for mine. And someone 
else's would be for him exclusively. The only thing common between your, 
mine and everyone else's CAs and certs would be the fact they were created 
and provided by that software.

>
> That's a whole different problem altogether. Each agent node will need 
> to run several agents, each with their own view of what the CA and the 
> master certificate is. They could share the agent's private key, but 
> that would actually add complexity. 
>
> Basically, you probably want separate /var/lib/puppet instances on the 
> agents for each "master pool". 
>
> > it can be via rsync 
>
> Oh, please don't. 
>

If the rsync uses SSH for communication, what's wrong with it? And besides, 
this was only an example; the CAs and certs could be stored in a DB, could 
be encrypted with PGP, the possibilities are endless.

>
> > monolithic CA server is out of question, as it becomes a spof. 
>
> Not really, the ca service should not see much use during day-to-day 
> operation, but again, I may be wrong about this. 
>

Regardless of how much use it has, it is a SPOF. Once it's down, the whole 
cluster malfunctions. With a monolithic CA server down, all clusters are 
malfunctioning.

>
> > Incorrect, the problem is to emulate puppet ca/cert behavior using 
> > openssl command (and then by openssl lib). 
>
> Ah, only you aren't. The puppet ca service works under the premise that 
> the client simply generates a CSR for itself and forwards that to the 
> puppet ca service. 
>
> Have you had any success signing the certificate using openssl, when the 
> CSR originates with the agent (so, as a start, you do step 2 your way?) 
> Once you have that working, all that's left to do is doing the CSR 
> generation using openssl, which shouldn't be that hard, either. What's 
> hard is not doing it on the agent node. 
>

No, so far I've had complete failure. I tried to do it the Mozilla way, from 
the link included in the original post, but it fails and I can't find out why. 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
