[Puppet Users] Questions for puppet 2.6.8 client certificate management
How do I initiate a certificate request without going into non-daemon mode?

According to the Pro Puppet book, so far the only way I know that can trigger a certificate request with puppet master is like this:

    puppet agent --server=puppetmaster.test.com --no-daemonize --verbose

but doing so will break my intention of automation. I need to create a puppet client package. A control-C is needed to terminate the process.

I have puppetmaster configured to auto grant and sign certificate requests, and I would like the puppet client to auto issue a request which will be granted and start itself up when running

    /etc/init.d/puppetagent268 start

Is there a command "puppet cert --clean puppetagent1.test.com" for puppet agent? For now I have to go into the $ssldir subdirectory to manually clean up the existing certificate.

--
T.J. Yang

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
I could be wrong, as I'm still on 0.25 myself, but I think you want the --waitforcert seconds option.

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
Hi,

On Jun 17, 2011, at 2:49 PM, TJ Yang wrote:

> How do I initiate a certificate request without going into non-daemon mode?
>
> According to the Pro Puppet book, so far the only way I know that can trigger a certificate request with puppet master is like this:
>
>     puppet agent --server=puppetmaster.test.com --no-daemonize --verbose

We do that by using a tag which does not exist:

    puppet agent --test --tags=foo

This creates the client certificate and sends it to the master. The master autosigns the certificate request and compiles the catalog. The client will parse for a tag with the name foo and will not do anything.

> but doing so will break my intention of automation. I need to create a puppet client package. A control-C is needed to terminate the process.
>
> I have puppetmaster configured to auto grant and sign certificate requests, and I would like the puppet client to auto issue a request which will be granted and start itself up when running
>
>     /etc/init.d/puppetagent268 start

We have created our own puppet rpm package with an individual puppet.conf. Upon post installation we run the command given above.

> Is there a command "puppet cert --clean puppetagent1.test.com" for puppet agent? For now I have to go into the $ssldir subdirectory to manually clean up the existing certificate.

Do you refer to the master or the client? The puppet cert command is used for the master only. On the client we also recursively delete the puppet ssl dir.

Kind regards,
Martin
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
    puppet agent --test (-t)

Zipkid
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
Martin,

Thanks for the quick reply.

On Fri, Jun 17, 2011 at 8:47 AM, Martin Alfke tux...@gmail.com wrote:

> We do that by using a tag which does not exist:
>
>     puppet agent --test --tags=foo
>
> This creates the client certificate and sends it to the master. The master autosigns the certificate request and compiles the catalog. The client will parse for a tag with the name foo and will not do anything.

Thanks for the great tip, I will use this in my postinstall script. I hope this tip/hack can be turned into "puppet agent --cert_request" in a future version of puppet.

> Do you refer to the master or the client? The puppet cert command is used for the master only. On the client we also recursively delete the puppet ssl dir.

I am referring to puppet agent/client. I hope a future version can support this certificate reset/cleanup on puppet agent. For now, I will just do rm -rf $ssldir in

    /etc/init.d/puppetclient268 certclean

tj

--
T.J. Yang
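A guarded form of the agent-side cleanup discussed in this thread (rm -rf $ssldir from an init-script action), as an added example that is not part of the original messages. The function names are hypothetical, and it assumes the default layout in which an agent ssldir holds certs and private_keys while the master's CA lives under $ssldir/ca.

```shell
#!/bin/sh
# Added example (function names are hypothetical): guarded replacement for a
# bare "rm -rf $ssldir" in an init-script certclean action.

# Return 0 only if $1 looks like an agent ssldir that is safe to remove.
is_agent_ssldir() {
    dir=$1
    # An unset variable would otherwise turn the cleanup into "rm -rf" of nothing or of /.
    [ -n "$dir" ] || { echo "ssldir is empty or unset" >&2; return 1; }
    case $dir in
        /)  echo "refusing to remove /" >&2; return 1 ;;
        /*) ;;
        *)  echo "ssldir must be an absolute path: $dir" >&2; return 1 ;;
    esac
    [ ! -L "$dir" ] || { echo "ssldir is a symlink: $dir" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Assumed default layout: a used agent ssldir contains these subdirectories.
    for sub in certs private_keys; do
        [ -d "$dir/$sub" ] || { echo "missing $dir/$sub" >&2; return 1; }
    done
    # A ca/ subdirectory means this host is the master; removing it would
    # destroy the CA that signed every agent certificate.
    [ ! -d "$dir/ca" ] || { echo "CA data found in $dir" >&2; return 1; }
}

# Remove the agent's keys and certificates so the next run issues a new request.
clean_agent_ssl() {
    is_agent_ssldir "$1" || return 1
    rm -rf -- "$1"
}

# Init-script style entry point: "<script> certclean".
if [ "${1:-}" = "certclean" ]; then
    # Ask puppet for the path instead of trusting an environment variable.
    clean_agent_ssl "$(puppet agent --configprint ssldir)"
fi
```

The master keeps its own copy of the old certificate, so a new request from the same hostname is only signed after "puppet cert --clean" has been run for that name on the master.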
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
I need to add --server like the following, otherwise it won't finish the run. (I don't have/want a puppet entry in my /etc/hosts.)

    puppet agent --server=puppetmaster.test.com --test

The --tags option is not needed in my case.

tj

On Fri, Jun 17, 2011 at 7:52 AM, Stefan Goethals zipkid@gmail.com wrote:

>     puppet agent --test (-t)
>
> Zipkid

--
T.J. Yang
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
On Fri, Jun 17, 2011 at 7:15 AM, TJ Yang tjyang2...@gmail.com wrote:

> I am referring to puppet agent/client. I hope future version can support this certificate reset/cleanup on puppet agent.

If you really do want agents to be able to clean certificates on the master, you can open up the API Access Control in auth.conf and use curl to script these sorts of API calls.

http://docs.puppetlabs.com/guides/rest_api.html#certificate-request
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
On Fri, Jun 17, 2011 at 9:55 AM, Nigel Kersten ni...@puppetlabs.com wrote:

> On Fri, Jun 17, 2011 at 7:15 AM, TJ Yang tjyang2...@gmail.com wrote:
>
>> I am referring to puppet agent/client. I hope future version can support this certificate reset/cleanup on puppet agent.
>
> If you really do want agents to be able to clean certificates on the master,

I was looking for a formal way to remove a puppet agent's certificate and public/private key without running rm -rf $ssldir.

> you can open up the API Access Control in auth.conf and use curl to script these sorts of API calls.

This information is even better for a higher degree of automation. So far I need to do "puppet cert --clean puppetagent1.test.com" on the puppet master in a VT100 session. Thanks for the pointer.

> http://docs.puppetlabs.com/guides/rest_api.html#certificate-request

--
T.J. Yang