Re: [Puppet Users] puppet CA expired
On 16/06/2011 20:12, Nathan Clemons wrote:
> Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)

Yes, I was planning to install cfengine when the first puppet appeared. I really liked the way of thinking of the creator, which seemed to me a very good approach to the issue, so I jumped in.

As I needed to make a change to all the nodes, I simply recreated a 20-year CA and got to every node removing the ssl certs, then signed all nodes again on the master.

If someone knows how to spot a client coming to puppet and failing the ssl handshake it would help a lot to spot the one I missed out, if any! :)

regards,
Jean.

-- 
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] puppet CA expired
If you keep your nodes in a nodes.pp file, and you are logging nodes as they check in, you can run a little script that I run from time to time to find nodes that have stopped communicating:

    #!/bin/bash
    # Nodes seen checking in: field 9 of the syslog line
    # ("... puppet-master[pid]: Compiled catalog for host.example.com in ...") is the node name.
    tail -2 /var/log/messages | grep "Compiled catalog for" | tr -s " " | cut -f 9 -d " " | cut -f 1 -d . | sort | uniq > /tmp/nodes_checked_in
    # Nodes declared in nodes.pp as  node 'host.example.com' { ... }
    # (-s drops lines that contain no quote character at all).
    cat /etc/puppet/manifests/nodes.pp | cut -s -f 2 -d "'" | cut -f 1 -d . | sort | uniq > /tmp/nodes_expected
    echo "< nodes checked in, but not expected ... > nodes expected, but not checked in."
    diff /tmp/nodes_checked_in /tmp/nodes_expected | grep "[<>]" | sort

~Charles~

On Mon, Jun 27, 2011 at 8:52 AM, j...@squirk.org wrote:
> On 16/06/2011 20:12, Nathan Clemons wrote:
>> Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.
>>
>> Jean: Kudos to running Puppet for 5 years! :)
>
> Yes, I was planning to install cfengine when the first puppet appeared. I really liked the way of thinking of the creator, which seemed to me a very good approach to the issue, so I jumped in.
>
> As I needed to make a change to all the nodes, I simply recreated a 20-year CA and got to every node removing the ssl certs, then signed all nodes again on the master.
>
> If someone knows how to spot a client coming to puppet and failing the ssl handshake it would help a lot to spot the one I missed out, if any! :)
>
> regards,
> Jean.
Re: [Puppet Users] puppet CA expired
On Mon, Jun 27, 2011 at 4:52 PM, j...@squirk.org wrote:
> On 16/06/2011 20:12, Nathan Clemons wrote:
>> Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.
>>
>> Jean: Kudos to running Puppet for 5 years! :)
>
> Yes, I was planning to install cfengine when the first puppet appeared. I really liked the way of thinking of the creator, which seemed to me a very good approach to the issue, so I jumped in.
>
> As I needed to make a change to all the nodes, I simply recreated a 20-year CA and got to every node removing the ssl certs, then signed all nodes again on the master.
>
> If someone knows how to spot a client coming to puppet and failing the ssl handshake it would help a lot to spot the one I missed out, if any! :)

One simple way is simply to look at the foreman puppet certificate list. You can also query it via the API and evaluate the certificate expiry date.

Ohad

> regards,
> Jean.
Re: [Puppet Users] puppet CA expired
On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
> hi,
>
> my puppet CA expired. Anyone knows how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)
>
> regards,
> Jean.

Pretty sure you can't actually extend the validity of the CA cert. Unfortunately, I don't think there's much that can be done at this point without touching each node.

I did open up #7962[1] so we can work out exactly what the safety net should look like to help prevent this from happening to other people.

[1] http://projects.puppetlabs.com/issues/7962

-- 
Jacob Helwig
Re: [Puppet Users] puppet CA expired
What's the length of time on the CA cert?

-- 
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig ja...@puppetlabs.com wrote:
> On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
>> hi,
>>
>> my puppet CA expired. Anyone knows how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)
>>
>> regards,
>> Jean.
>
> Pretty sure you can't actually extend the validity of the CA cert. Unfortunately, I don't think there's much that can be done at this point without touching each node.
>
> I did open up #7962[1] so we can work out exactly what the safety net should look like to help prevent this from happening to other people.
>
> [1] http://projects.puppetlabs.com/issues/7962
>
> --
> Jacob Helwig
Re: [Puppet Users] puppet CA expired
5 years, IIRC.

-- 
Jacob Helwig

On Thu, 16 Jun 2011 11:03:49 -0700, Nathan Clemons wrote:
> What's the length of time on the CA cert?
>
> On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig ja...@puppetlabs.com wrote:
>> On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
>>> hi,
>>>
>>> my puppet CA expired. Anyone knows how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)
>>
>> Pretty sure you can't actually extend the validity of the CA cert. Unfortunately, I don't think there's much that can be done at this point without touching each node.
>>
>> I did open up #7962[1] so we can work out exactly what the safety net should look like to help prevent this from happening to other people.
>>
>> [1] http://projects.puppetlabs.com/issues/7962
Re: [Puppet Users] puppet CA expired
Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.

Jean: Kudos to running Puppet for 5 years! :)

-- 
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Thu, Jun 16, 2011 at 11:09 AM, Jacob Helwig ja...@puppetlabs.com wrote:
> 5 years, IIRC.
>
> --
> Jacob Helwig
>
> On Thu, 16 Jun 2011 11:03:49 -0700, Nathan Clemons wrote:
>> What's the length of time on the CA cert?
>>
>> On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig ja...@puppetlabs.com wrote:
>>> On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
>>>> hi,
>>>>
>>>> my puppet CA expired. Anyone knows how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)
>>>
>>> Pretty sure you can't actually extend the validity of the CA cert. Unfortunately, I don't think there's much that can be done at this point without touching each node.
>>>
>>> I did open up #7962[1] so we can work out exactly what the safety net should look like to help prevent this from happening to other people.
>>>
>>> [1] http://projects.puppetlabs.com/issues/7962
Re: [Puppet Users] puppet CA expired
On Thu, Jun 16, 2011 at 11:12 AM, Nathan Clemons nat...@livemocha.com wrote:
> Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)

As an FYI, 5 years is the default. When you initially create a CA, you may use the ca_ttl setting to extend this longer.

    [master]
    ca_ttl = 20y

-Jeff
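Ohad suggested evaluating the certificate expiry date, Nathan asked for advance warning from the master, and Jeff's ca_ttl setting decides how far away that date is. The following shell script is an added example, not code from this thread or from Puppet itself: it reads the notAfter date of the CA certificate and of every certificate it has signed with openssl and flags any that fall inside a warning window, so it can run from cron on the master long before the CA runs out. It assumes openssl and GNU date are installed and that the ssl directory is laid out as ca/ca_crt.pem plus ca/signed/<node>.pem (the layout of a stock Puppet master; the default path /var/lib/puppet/ssl and the helper names below are assumptions, so confirm the directory with `puppet master --configprint ssldir`). The make_demo_ssldir function builds a throwaway directory with a constructed 30-day CA so the check can be tried without a real master.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet itself.
# Assumptions: openssl and GNU date are installed, and SSLDIR points at the
# master's ssl directory laid out as ca/ca_crt.pem plus ca/signed/<node>.pem
# (confirm the real path with `puppet master --configprint ssldir`).
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
WARN_DAYS="${WARN_DAYS:-90}"

# Whole days until the certificate in $1 expires; negative once it has expired.
cert_days_left() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$notafter" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# True (exit 0) when the certificate in $1 expires within $2 days.
cert_expiring_soon() {
    [ "$(cert_days_left "$1")" -le "$2" ]
}

# Report on the CA certificate and every certificate it has signed.
# Exit status is 1 if any of them is inside the warning window, so the
# function can drive a cron job or a monitoring check.
check_puppet_ssl_dir() {
    dir="$1"; warn="$2"; status=0
    for pem in "$dir/ca/ca_crt.pem" "$dir/ca/signed"/*.pem; do
        [ -f "$pem" ] || continue
        days=$(cert_days_left "$pem")
        if [ "$days" -le "$warn" ]; then
            echo "WARNING: $pem expires in $days days"
            status=1
        else
            echo "ok: $pem expires in $days days"
        fi
    done
    return "$status"
}

# Build a throwaway ssl directory holding a constructed, self-signed CA that
# is valid for only 30 days, so the check can be exercised offline.
make_demo_ssldir() {
    demo=$(mktemp -d)
    mkdir -p "$demo/ca/signed"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
        -keyout "$demo/ca/ca_key.pem" -out "$demo/ca/ca_crt.pem" >/dev/null 2>&1
    echo "$demo"
}

# When run directly on a master, report on the real directory.
if [ -d "$SSLDIR/ca" ]; then
    check_puppet_ssl_dir "$SSLDIR" "$WARN_DAYS"
fi
```

Running `check_puppet_ssl_dir "$(make_demo_ssldir)" 90` prints a WARNING line for the 30-day demo CA and exits 1, while a window of 10 days reports it as ok. On a real master, point SSLDIR at the directory from `--configprint ssldir`, set WARN_DAYS to the lead time you want, and wire the exit status into whatever alerts you already have; a CA created with ca_ttl = 20y will simply report a very large day count until it too approaches its end.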
RE: [Puppet Users] puppet CA expired
> [master]
> ca_ttl = 20y

Neat trick. By the time it expires you'll be gone! :P
[Puppet Users] puppet CA expired
hi,

my puppet CA expired. Anyone knows how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)

regards,
Jean.