Re: [Puppet Users] Multiple CA setup.

2016-06-09 Thread Eric Sorenson
Check out this WIP doc where I describe how to get intermediate certs 
working. It *is* possible but there are a couple of caveats described in 
the doc.

If anyone's motivated to try this out and let me know how it works for you 
I'd be hugely appreciative. I got it to "works for me" level of readiness 
but would like some further validation so we can move it up to being a 
supported configuration with the bugs ironed out:

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Wednesday, June 8, 2016 at 9:34:25 AM UTC-7, Salty Old Cowdawg wrote:
>
> @Dan White:  that link was pretty much what I was looking for.  I take it 
> then you have openssl sign certs for each master (grand and remote) and 
> configure Puppet to use those certs. 
>
> The tricky part is going to be installing the new certs in production.  
> Sorta like changing a tire when the car is still moving. 
>
> On Wed, Jun 8, 2016 at 10:57 AM Dan White  wrote:
>
>> Could the regional masters be set up as intermediate certificate 
>> authorities?
>> I found a link that describes the basics.
>>
>> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
>>
>> Dan White | d_e_wh...@icloud.com
>> 
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Watterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 08, 2016, at 10:40 AM, Peter Berghold  
>> wrote:
>>
>> In the puppet setup that I have where I work it has been increasingly 
>> more desirable if not required to have each of our data centers be able to 
>> operate standalone. Because of this I've been Googling around looking for a 
>> methodology to allow multiple certificate authorities in puppet. Currently 
>> we have our grand master puppet server in one Data Center and we have 
>> several Puppet Masters in other data centers in geographically diverse 
>> areas. When a new client is added with our current setup that new client 
>> has to reach out and get its certificate signed by The Grandmaster. This is 
>> getting us through setting up puppet currently but long-term this is 
>> undesirable.
>>
>> Can anybody point me to a methodology for setting up multiple certificate 
>> authorities that actually works? Looks like the pages on the topic I have 
>> read so far are outdated.
>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/aebdd4da-b782-4a9f-9d6f-b8902d8359a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Multiple CA setup.

2016-06-08 Thread Peter Berghold
@Dan White:  that link was pretty much what I was looking for.  I take it
then you have openssl sign certs for each master (grand and remote) and
configure Puppet to use those certs.

The tricky part is going to be installing the new certs in production.
Sorta like changing a tire when the car is still moving.

On Wed, Jun 8, 2016 at 10:57 AM Dan White  wrote:

> Could the regional masters be set up as intermediate certificate
> authorities?
> I found a link that describes the basics.
>
> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
>
> Dan White | d_e_wh...@icloud.com
> 
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Watterson: 
> Calvin & Hobbes)
>
>
> On Jun 08, 2016, at 10:40 AM, Peter Berghold 
> wrote:
>
> In the puppet setup that I have where I work it has been increasingly more
> desirable if not required to have each of our data centers be able to
> operate standalone. Because of this I've been Googling around looking for a
> methodology to allow multiple certificate authorities in puppet. Currently
> we have our grand master puppet server in one Data Center and we have
> several Puppet Masters in other data centers in geographically diverse
> areas. When a new client is added with our current setup that new client
> has to reach out and get its certificate signed by The Grandmaster. This is
> getting us through setting up puppet currently but long-term this is
> undesirable.
>
> Can anybody point me to a methodology for setting up multiple certificate
> authorities that actually works? Looks like the pages on the topic I have
> read so far are outdated.
>
>
>



Re: [Puppet Users] Multiple CA setup.

2016-06-08 Thread Dan White

Could the regional masters be set up as intermediate certificate authorities?
I found a link that describes the basics.
https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & 
Hobbes)

On Jun 08, 2016, at 10:40 AM, Peter Berghold  wrote:

In the puppet setup that I have where I work it has been increasingly more 
desirable if not required to have each of our data centers be able to operate 
standalone. Because of this I've been Googling around looking for a methodology 
to allow multiple certificate authorities in puppet. Currently we have our 
grand master puppet server in one Data Center and we have several Puppet 
Masters in other data centers in geographically diverse areas. When a new 
client is added with our current setup that new client has to reach out and get 
its certificate signed by The Grandmaster. This is getting us through setting up 
puppet currently but long-term this is undesirable.
Can anybody point me to a methodology for setting up multiple certificate 
authorities that actually works? Looks like the pages on the topic I have read 
so far are outdated.



Re: [Puppet Users] Multiple CA setup.

2016-06-08 Thread Luke Bigum
I think the dated docs you are reading are probably it :-)

Running very much on 6-year-old memory here, when I tried it last... You create 
a new Puppet CA cert with multiple SANs on it for each of your Puppet Masters' 
hostnames, and distribute that to each Master. The agents can be signed by any 
Puppet Master, and will then be able to speak to any Puppet Master because 
essentially it's the same CA (in multiple places). The issue is if you make use 
of the certificate revocation list to deny agents - because each CA could 
potentially issue the same serial number, this is not going to work. If you 
don't rely on the revocation list then this is not an issue. All this may have 
changed over the years.

Another way to do it is have a central signer (you can split the CA 
functionality from other parts of the Master in puppet.conf) and then sync the 
signed certs to each Master. That way if your central CA goes down you can't 
build any *new* agents, but your existing nodes will work because the Puppet 
Masters at each DC have a copy of the signed certificates. The revocation list 
works with this approach. That may satisfy your "DCs running independently" 
requirement.

Question: if your DCs are moving to be a standalone architecture, why do you 
need your Agents to check in to other Masters? Why not just have a CA per DC? 
The obvious downside is if your DC's Puppet Master goes down you can't do any 
Puppet runs in that DC, but if you've got multiple anyway I'll assume your 
Masters are deployed with Puppet themselves, so shouldn't be that hard to 
recover / rebuild?

--
Luke Bigum
Senior Systems Engineer

Information Systems

- Original Message -
From: "Peter Berghold" <salty.cowd...@gmail.com>
To: "puppet-users" <puppet-users@googlegroups.com>
Sent: Wednesday, 8 June, 2016 15:40:19
Subject: [Puppet Users] Multiple CA setup.

In the puppet setup that I have where I work it has been increasingly more
desirable if not required to have each of our data centers be able to
operate standalone. Because of this I've been Googling around looking for a
methodology to allow multiple certificate authorities in puppet. Currently
we have our grand master puppet server in one Data Center and we have
several Puppet Masters in other data centers in geographically diverse
areas. When a new client is added with our current setup that new client
has to reach out and get its certificate signed by The Grandmaster. This is
getting us through setting up puppet currently but long-term this is
undesirable.

Can anybody point me to a methodology for setting up multiple certificate
authorities that actually works? Looks like the pages on the topic I have
read so far are outdated.

---

LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/
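As an added illustration of the two layouts Luke describes (this is not code from the thread or from Puppet): a small Python model in which every copy of a replicated CA keeps its own serial counter, showing why a CRL entry then rejects more agents than intended, next to a central signer with one serial sequence where the CRL behaves. Master names and agent certnames are constructed samples.

```python
from collections import defaultdict
from itertools import count


class PuppetCA:
    """One copy of the CA. Each copy keeps its own serial counter, which is
    what happens when the same CA cert and key are copied to every master
    and each master signs its own agents (the 'multiple SANs' layout)."""

    def __init__(self, name, first_serial=1):
        self.name = name
        self._serials = count(first_serial)
        self.issued = []  # (serial, agent certname)

    def sign(self, certname):
        serial = next(self._serials)
        self.issued.append((serial, certname))
        return serial


def serial_collisions(cas):
    """serial -> [(ca name, certname), ...] for serials issued more than once."""
    seen = defaultdict(list)
    for ca in cas:
        for serial, certname in ca.issued:
            seen[serial].append((ca.name, certname))
    return {s: v for s, v in seen.items() if len(v) > 1}


def crl_blocks(cas, revoked_serials):
    """Certnames a CRL listing revoked_serials would reject. CRL entries are
    keyed on serial under one issuer name, and every copy is the same issuer,
    so every holder of a revoked serial is rejected, not just the intended one."""
    return sorted(cn for ca in cas for s, cn in ca.issued if s in revoked_serials)


def replicated_layout():
    """Constructed sample: the same CA in two DCs, each signing independently."""
    dc1, dc2 = PuppetCA("master-dc1"), PuppetCA("master-dc2")
    for cn in ("web01.dc1", "db01.dc1"):
        dc1.sign(cn)
    for cn in ("web01.dc2", "db01.dc2"):
        dc2.sign(cn)
    return [dc1, dc2]


def central_signer_layout():
    """Constructed sample: one central signer; masters only hold copies of the
    signed certs, so there is a single serial sequence."""
    ca = PuppetCA("central-ca")
    for cn in ("web01.dc1", "db01.dc1", "web01.dc2", "db01.dc2"):
        ca.sign(cn)
    return [ca]
```

`serial_collisions(replicated_layout())` reports serials 1 and 2 issued twice, and `crl_blocks(replicated_layout(), {1})` returns both web01 hosts even though only one was meant to be revoked; the central-signer layout has no collisions and revoking serial 1 blocks a single agent.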


[Puppet Users] Multiple CA setup.

2016-06-08 Thread Peter Berghold
In the puppet setup that I have where I work it has been increasingly more
desirable if not required to have each of our data centers be able to
operate standalone. Because of this I've been Googling around looking for a
methodology to allow multiple certificate authorities in puppet. Currently
we have our grand master puppet server in one Data Center and we have
several Puppet Masters in other data centers in geographically diverse
areas. When a new client is added with our current setup that new client
has to reach out and get its certificate signed by The Grandmaster. This is
getting us through setting up puppet currently but long-term this is
undesirable.

Can anybody point me to a methodology for setting up multiple certificate
authorities that actually works? Looks like the pages on the topic I have
read so far are outdated.
