On Thursday, March 6, 2014 1:50:43 AM UTC-6, Alexander Fortin wrote:
>
> On Wednesday, March 5, 2014 7:07:42 PM UTC+1, jcbollinger wrote:
>>
>> On Wednesday, March 5, 2014 8:35:40 AM UTC-6, Alexander Fortin wrote:
>>>
>>> [...] my understanding is 
>>> that every time we create the catalog, i.e. running 
>>>
>>> puppet master --compile myhost 
>>>
>>> this will also create an SSL cert for myhost.
>>
>> I can't say for certain that you're wrong, but I have never heard of that 
>> certificate-generating behavior.  From whence comes your "understanding"?
>>
>
> I noticed because running two 'puppet master --compile' in parallel with 
> the same host and same vardir path was creating conflicts. Anyway, these are 
> the (SSL) files that get created at every run:
>
> ssl/ca/ca_crt.pem
> ssl/ca/ca_crl.pem
> ssl/ca/serial
> ssl/ca/ca_pub.pem
> ssl/ca/ca_key.pem
> ssl/ca/inventory.txt
> ssl/ca/private/ca.pass
> ssl/crl.pem
> ssl/certs/ca.pem
>

Do you see the "ca" in most of those?  That stands for "certificate 
authority".  The one file that doesn't have it, ssl/crl.pem, is a 
certificate revocation list, which is also associated with the CA.  The 
Puppet master provides a (as in one) certificate authority for the 
infrastructure it manages.  It will create the needed keys and certificate 
only if they do not already exist.

IMPORTANT: you must not disturb the master's CA.  Doing so will make the 
certificates it has already signed unusable, rendering those agents using 
them both unwilling AND unable to request catalogs from that master.


John
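
As an added example (not from this thread and not Puppet's own tooling), a POSIX shell check that the CA files listed above still form one consistent CA and that an agent certificate the master already signed still chains to it. It assumes `openssl` is installed, the ssldir layout quoted above, and that ssl/certs/ca.pem is the agent-facing copy of ssl/ca/ca_crt.pem; the demo at the end builds a scratch CA in a temp dir and shows what regenerating the CA does to an existing agent cert.

```shell
#!/bin/sh
# Added example, not from the thread: check that a Puppet master's ssl/
# directory still holds one consistent CA and that an already-signed agent
# certificate still chains to it. Assumes the layout quoted above
# (ssl/ca/ca_crt.pem, ssl/ca/ca_key.pem, ssl/certs/ca.pem) and `openssl`.
set -u
# check_puppet_ca SSLDIR AGENT_CERT -> 0 consistent, 2 CA key/cert mismatch,
# 3 certs/ca.pem differs from ca/ca_crt.pem, 4 agent cert no longer chains.
check_puppet_ca() {
  ssldir=$1 agent=$2
  ca_crt="$ssldir/ca/ca_crt.pem" ca_key="$ssldir/ca/ca_key.pem"
  # The CA private key must belong to the CA certificate (same public key).
  key_pub=$(openssl pkey -in "$ca_key" -pubout 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$ca_crt" -pubkey -noout 2>/dev/null) || return 2
  [ "$key_pub" = "$crt_pub" ] || return 2
  # certs/ca.pem, the copy handed to agents, must be the same certificate.
  fp_ca=$(openssl x509 -in "$ca_crt" -noout -fingerprint -sha256)
  fp_cp=$(openssl x509 -in "$ssldir/certs/ca.pem" -noout -fingerprint -sha256 2>/dev/null) || return 3
  [ "$fp_ca" = "$fp_cp" ] || return 3
  # A certificate this CA signed earlier must still verify against it.
  openssl verify -CAfile "$ca_crt" "$agent" 2>/dev/null | grep -q ': OK$' || return 4
}
# make_ca DIR CN: scratch self-signed CA in that layout (constructed test data).
make_ca() {
  mkdir -p "$1/ca" "$1/certs"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days 1 \
    -keyout "$1/ca/ca_key.pem" -out "$1/ca/ca_crt.pem" 2>/dev/null
  cp "$1/ca/ca_crt.pem" "$1/certs/ca.pem"
}
# sign_agent SSLDIR CN OUT: issue an agent certificate from that CA.
sign_agent() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$3.key" \
    -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1/ca/ca_crt.pem" -CAkey "$1/ca/ca_key.pem" \
    -CAcreateserial -days 1 -out "$3" 2>/dev/null
}
# Demo: a fresh CA passes; regenerating it (one way of "disturbing" it)
# orphans the agent certificate it signed a moment ago (rc=4).
demo() {
  d=$(mktemp -d); make_ca "$d" puppet-ca; sign_agent "$d" myhost "$d/myhost.pem"
  check_puppet_ca "$d" "$d/myhost.pem" && echo "CA consistent, myhost cert OK"
  make_ca "$d" puppet-ca-regenerated
  check_puppet_ca "$d" "$d/myhost.pem" || echo "after CA regeneration: rc=$?"
  rm -rf "$d"
}
demo
```

Run it against a real ssldir as `check_puppet_ca /var/lib/puppet/ssl /var/lib/puppet/ssl/certs/<agent>.pem` (paths are placeholders) before and after any maintenance on the master's ssl directory; a non-zero return is the signal that signed agent certificates will stop working.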
