On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: > > Thanks for your suggestions, > > Running masterless is a bit too exotic, since we would like to use all > those nice features that make a Puppet installation complete: specially > hiera searches and PuppetDB. Modules, too, should be compatible with other > clusters, so no big deviations can occur. > > Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have > just checked myself if autosign works if the same node was already > registered in the CA... but according to the documentation it does not look > like it, not to mention the security issues that come with it. > > Does the certificate name need to match the fqdn for puppet to allow > connections? > >
I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to *identify* it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
