On Wednesday, February 20, 2013 12:58:44 PM UTC, Felix.Frank wrote:
>
> On 02/20/2013 01:28 PM, spankt...@gmail.com wrote:
> > And what would be the purpose of that? That still includes using puppet 
> > to create CA, and I want to avoid that completely. 
>
> Ah, right. I forgot step 5. Which is replacing the CA with one created 
> using openssl. Of course, all other certs are obsolete after you do 
> that, so you can use your shiny new process of certifying agents to make 
> them new ones. 
>

Great, except I tried that and failed, hence this thread ;) I was
hoping someone was doing something like that already and knows if it's
possible, and if it is, how to do it properly.
 

>
> > 1. Puppetmaster VMs are being booted. No CA nor cert actions taken.
> >
> > 2. User goes to web app, clicks 'generate CA' - CA gets generated.
>
> A simpler alternative might be: 
> 1a. User creates puppetmaster vm for a new pool, that bootstraps itself 
> with a CA certificate 
> 1b. User adds a puppetmaster vm to an existing pool, by cloning another VM 
>
> That way, you need not even implement a frontend for generating CAs on 
> the fly. 
>

That's an interesting and tempting perspective, although I have two issues 
with it:

a) it would require the user to know what he is doing with puppet ca/certs, and
one of the purposes of the web app is to make the user's life, and the entire
process, as easy as possible
b) I would lose control over how many nodes the user could add using that CA,
something that would have been applied in the application logic
