On Tuesday, May 27, 2014 6:23:41 AM UTC-5, Hugh Cole-Baker wrote:

>> Am I missing a configuration option in the manual to somehow disable SSL
>> certificate validation? Does everybody add a cron job to their puppet
>> master to stop the puppetmaster daemon and blow away its SSL directory then
>> restart it at exactly 12:00AM every day, and the same on the instances at
>> exactly 12:02AM every day? Or are we the only people on the planet who
>> actually use Amazon's auto-scaling feature *plus* use Puppet at the same
>> time? Curious penguins are... curious!
>
> We have enabled the Amazon SNS notifications from Autoscaling, and
> subscribed an SQS queue to the SNS topic. We have written a small daemon,
> which runs on the puppet master and consumes from that queue, and calls
> "puppet cert clean" when it receives messages about instances being
> terminated by autoscaling.
>
+1

That, or something like it, is exactly what you ought to do, even before
considering the possibility of hostname reuse. In any Puppet environment,
you should clean out the certificates of nodes that have been
decommissioned. And decommissioning is exactly what the auto-scaledown is
doing: even if another node is later commissioned with the same hostname,
it is a different node.

As another possible alternative, if EC2 nodes have a genuinely unique
identifier (an Amazon-assigned UUID, for instance) then you can configure
your clients to use that as their certificate names, instead of their
hostname. (But you still might want to set up automatic certificate
cleaning to avoid Puppet's certificate stash growing out of control.)

> We also have it listen for instance launch messages and add their
> certnames into /etc/puppet/autosign.conf and call "puppet cert sign" on
> them, which is also useful for security (you don't have to turn on auto
> signing for everything that way).

Nice. There are other alternatives, but I haven't thought of any better
ones.

John

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/a3330f2c-2e86-43d4-b2b7-923c9f971dc5%40googlegroups.com.
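The SNS -> SQS -> daemon flow that Hugh describes above, as an added example; this is not code from the thread, from Hugh, or from the Puppet project. It assumes John's suggestion that agents use the EC2 instance id as their certname, an Auto Scaling notification whose SNS envelope carries the event JSON in its "Message" field (with "Event" and "EC2InstanceId" keys), a placeholder topic ARN, the Puppet 3-era "puppet cert" CLI, and boto3 for the (uncalled) queue loop. The sample messages are constructed. The point a defender would want beyond the thread's description is that the daemon only acts on messages from the topic it subscribed to, only on the two event types it knows, and only on a well-formed instance id, so a bad message can never reach a command line or autosign.conf.

```python
import json
import re
import subprocess

# Placeholder: the ARN of the Auto Scaling SNS topic the SQS queue is subscribed to.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:000000000000:autoscaling-events"
AUTOSIGN_CONF = "/etc/puppet/autosign.conf"          # path mentioned in the thread
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")   # accept only a well-formed EC2 instance id

# Auto Scaling event names as they appear in the notification's "Event" field,
# mapped to the "puppet cert" subcommand they trigger.
EVENT_ACTIONS = {
    "autoscaling:EC2_INSTANCE_LAUNCH": "sign",
    "autoscaling:EC2_INSTANCE_TERMINATE": "clean",
}


def certname_for(instance_id):
    """Assumption: agents are configured with certname = <EC2 instance id>."""
    return instance_id


def parse_notification(body, expected_topic=EXPECTED_TOPIC_ARN):
    """Parse one SQS message body (an SNS envelope wrapping an Auto Scaling event).
    Returns (action, certname), or None when the message must be ignored."""
    try:
        envelope = json.loads(body)
        if envelope.get("Type") != "Notification":
            return None
        if envelope.get("TopicArn") != expected_topic:
            return None  # not from the topic we subscribed to: never act on it
        event = json.loads(envelope["Message"])  # the inner event is itself a JSON string
    except (ValueError, KeyError, TypeError):
        return None
    action = EVENT_ACTIONS.get(event.get("Event"))
    instance_id = event.get("EC2InstanceId", "")
    if action is None or not isinstance(instance_id, str) or not INSTANCE_ID_RE.match(instance_id):
        return None  # unknown event type, or an id we refuse to hand to a command line
    return action, certname_for(instance_id)


def update_autosign_lines(lines, certname, add):
    """Pure helper: autosign.conf lines with one exact certname added or removed."""
    kept = [line for line in lines if line.strip() != certname]
    return kept + [certname] if add else kept


def plan_actions(body):
    """Turn one message into the ordered steps the daemon will take."""
    parsed = parse_notification(body)
    if parsed is None:
        return []
    action, certname = parsed
    cmd = ["puppet", "cert", action, certname]  # argv list, never a shell string
    if action == "sign":
        # The autosign entry covers a CSR that arrives after this message;
        # "puppet cert sign" covers one that is already waiting.
        return [("autosign", certname, True), ("run", cmd)]
    # Termination: revoke/clean the cert, then drop the autosign entry so the
    # name cannot be auto-signed again.
    return [("run", cmd), ("autosign", certname, False)]


def apply_actions(actions, autosign_path=AUTOSIGN_CONF, runner=subprocess.call):
    """Execute a plan: edit autosign.conf and run "puppet cert" via the runner."""
    for step in actions:
        if step[0] == "autosign":
            _, certname, add = step
            try:
                with open(autosign_path) as fh:
                    lines = fh.read().splitlines()
            except FileNotFoundError:
                lines = []
            with open(autosign_path, "w") as fh:
                fh.write("\n".join(update_autosign_lines(lines, certname, add)) + "\n")
        else:
            runner(step[1])  # e.g. ['puppet', 'cert', 'clean', 'i-0123456789abcdef0']


def consume_forever(queue_url):
    """Long-poll the SQS queue and handle each message (not exercised offline)."""
    import boto3
    sqs = boto3.client("sqs")
    while True:
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
        for msg in resp.get("Messages", []):
            apply_actions(plan_actions(msg["Body"]))
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])


def _sample(event, instance_id, topic=EXPECTED_TOPIC_ARN):
    # Constructed sample notification, not captured AWS traffic.
    inner = {"Event": event, "EC2InstanceId": instance_id, "AutoScalingGroupName": "web-asg"}
    return json.dumps({"Type": "Notification", "TopicArn": topic, "Message": json.dumps(inner)})


SAMPLE_TERMINATE = _sample("autoscaling:EC2_INSTANCE_TERMINATE", "i-0123456789abcdef0")
SAMPLE_LAUNCH = _sample("autoscaling:EC2_INSTANCE_LAUNCH", "i-00000000")
SAMPLE_BAD_ID = _sample("autoscaling:EC2_INSTANCE_LAUNCH", "i-00000000 extra")
SAMPLE_WRONG_TOPIC = _sample("autoscaling:EC2_INSTANCE_TERMINATE", "i-00000000", topic="arn:aws:sns:us-east-1:000000000000:other")

if __name__ == "__main__":
    for body in (SAMPLE_TERMINATE, SAMPLE_LAUNCH, SAMPLE_BAD_ID, SAMPLE_WRONG_TOPIC):
        print(plan_actions(body))
```

Running the block prints the plan for each constructed message: a clean-then-remove plan for the termination, an add-then-sign plan for the launch, and an empty plan for the malformed id and the foreign topic. The two "puppet cert" calls are built as argv lists and handed to subprocess without a shell, and the autosign entries are exact certnames rather than globs, so turning on autosigning for these names does not widen it for anything else.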