Re: [Puppet Users] Certificate Annoyance: Time Differential

2012-02-27 Thread ygor
A suggestion based on how I deal with this:
I use Cobbler to load the operating system and do basic configurations. Then I 
hand off to Puppet. One thing I do with Cobbler is the initial setting of the 
system clock using ntpdate or ntpd -q
Hope this helps

-Original Message-
From: Derek J. Balling
To: puppet-users
Sent: 2012-02-27 10:59:12 +
Subject: [Puppet Users] Certificate Annoyance: Time Differential

We recently had a situation where servers weren't able to use their 
auto-sign'ed certificates because their local clock was months off from 
real-time.  Of course, it was brand-new hardware straight off the dock and 
hadn't yet had a chance to have ntp sync the clock to the correct time because, 
well, puppet is what fires up NTP. :-)

Is there any way to recognize that puppet might be the thing in charge of 
bringing the clocks into sync, and allowing puppet to ignore 
certificate-verification failures that are based solely on the time-delta being 
too high?  It certainly seems like it'd be a useful feature.

D

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.




Re: [Puppet Users] Certificate Annoyance: Time Differential

2012-02-27 Thread Derek J. Balling
Well, we do it with kickstart and -- typically -- do the same thing. But for 
some reason it wasn't able to reach the NTP server during kickstart and it was 
never able to sync the clock before things really got rolling.

And it just occurred to me that since, ostensibly, puppet could be in charge of 
making sure the NTP services were installed in the first place, that it would 
make a lot of sense to have this as a feature/option in puppet, to ignore the 
time-deltas for SSL certs.

D





Re: [Puppet Users] Certificate Annoyance: Time Differential

2012-02-27 Thread Jon Davis
My solution was to run ntpdate before I ran the puppet join.  Since all my
client machines are Ubuntu, I know it's pre-installed.  After that, puppet
installs the ntp service.

My join command looks something like: `apt-get install puppet -y && ntpdate pool.ntp.org && puppet agent --server puppet.company.com`

-Jon


-- 
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai http://twitter.com/shakataganai
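
The sync-then-join order from this thread, with the case where the NTP server is unreachable handled by refusing to start the agent instead of carrying on with a wrong clock. This is an added example, not code from any poster in the thread; the function names, the environment variables and the retry defaults are hypothetical, and the host names are the ones quoted above.

```shell
#!/bin/sh
# Added example: gate the first puppet run on a successful clock sync,
# so certificate validity is checked against a correct clock.
# All names and defaults below are assumptions made for illustration.

NTP_SERVER="${NTP_SERVER:-pool.ntp.org}"
PUPPET_SERVER="${PUPPET_SERVER:-puppet.company.com}"
SYNC_TRIES="${SYNC_TRIES:-5}"      # attempts before giving up
SYNC_DELAY="${SYNC_DELAY:-10}"     # seconds between attempts

# One sync attempt; needs root and the ntpdate binary.
sync_once() {
    ntpdate "$NTP_SERVER"
}

# Start the agent against the master named in the thread.
run_agent() {
    puppet agent --server "$PUPPET_SERVER"
}

# Retry the sync; return 0 on the first success, 1 if every attempt fails.
sync_clock() {
    n=1
    while [ "$n" -le "$SYNC_TRIES" ]; do
        if sync_once >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -le "$SYNC_TRIES" ]; then
            sleep "$SYNC_DELAY"
        fi
    done
    return 1
}

# Fail closed: if the clock could not be set, do not contact the master.
first_run() {
    if ! sync_clock; then
        echo "clock sync with $NTP_SERVER failed after $SYNC_TRIES tries;" \
             "not starting puppet agent" >&2
        return 1
    fi
    run_agent
}

# Call first_run from the kickstart or Cobbler post-install step,
# after the puppet package has been installed.
```

A non-zero exit from `first_run` leaves the node unjoined, so the provisioning step can log the failure and retry later rather than run with time checks relaxed.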
