Re: [Puppet Users] Re: Disabling Certificates

2010-11-14 Thread Nigel Kersten
On Thu, Nov 11, 2010 at 11:53 PM, Derek J. Balling  wrote:
>
> On Nov 11, 2010, at 6:26 PM, donavan wrote:
>> From your comment in #3958 I think autosign[1] with "*.domain.tld"
>> would work for you.
>
> Nope. Because "autosign" doesn't also "auto-overwrite".

Actually it has meant that in some versions, but it wasn't
intentional. 0.25.x up to 0.25.5 would overwrite.

"Add a flag to make puppet ca behavior on receipt of duplicate request
configurable"

http://projects.puppetlabs.com/issues/3360

That's the bug you want to track. We need to make it configurable so
you can indeed specify that autosign means overwrite if that's what
you want.

In the meantime if you really want to get this behavior, you can set
up a regular cron job on the CA to discard the existing client info so
you can always count on overwrite working.

Another approach is to use a randomly generated certname. I've used
UUIDs in the past to achieve this.

This may not be appropriate for your environment, but note that if you
really need to get a mapping from such random certnames to hostnames,
your external node classifier can look inside the fact cache on the
puppetmaster to retrieve this info.

The fact cache is written to disk *before* the external node
classifier is consulted.

>
> - New Host "foo001.domain.tld" is created
> - Certs are exchanged for foo001 with the puppetmaster, life is good, 
> autosigned
> - Host foo001.domain.tld is retired
> - Replacement Host "foo001.domain.tld" is created
> - foo001 tries to talk to puppetmaster, presenting brand new certs. They 
> don't match what the master has for that host. It tells foo001 to pound-sand.
>
> At that point, I have to manually log into the CA and clean out the 
> certificates for foo001. I also have to go out to foo001, and blow away all 
> ITS certs, since it's been given a cert it has no idea what to do with.
>
> It's just ugly. Like I said in my ticket notes, I'll concede that for some 
> people, it's a necessity, but there's clearly also a set of people for whom 
> it is just unnecessary pain and suffering.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
>
>



-- 
Nigel Kersten - Puppet Labs -  http://www.puppetlabs.com

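Nigel's suggestion above (random UUID certnames, with the external node classifier recovering the real hostname from the fact cache that is written before the ENC runs) as a worked example. This is an added example, not code from the thread or from Puppet itself; it assumes the cache layout `<yamldir>/facts/<certname>.yaml` with the facts under a `values` key, and the file name, class names and sample UUID are constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread): an external node classifier that maps a
# random (UUID) certname back to the node's real hostname by reading the
# puppetmaster's on-disk fact cache, which is written before the ENC runs.
#
# Assumptions (not confirmed by the thread):
#   - the fact cache lives at <yamldir>/facts/<certname>.yaml, one file per node
#   - each file carries the facts under a "values" key and includes "fqdn"
require 'yaml'
require 'fileutils'
require 'tmpdir'

FACTS_SUBDIR = 'facts'

# Only allow the characters a certname can legitimately contain, so a certname
# handed to the ENC on the command line cannot escape the cache directory.
CERTNAME_RE = /\A[a-z0-9][a-z0-9._-]*\z/

def fact_cache_path(yamldir, certname)
  raise ArgumentError, "unsafe certname #{certname.inspect}" unless certname =~ CERTNAME_RE
  File.join(yamldir, FACTS_SUBDIR, "#{certname}.yaml")
end

# Returns the cached facts hash for certname, or nil if nothing is cached yet
# (a node that has never completed a run has no facts to classify on).
def cached_facts(yamldir, certname)
  path = fact_cache_path(yamldir, certname)
  return nil unless File.file?(path)
  # The cache is a Ruby-object-tagged YAML document; drop the tag so it parses
  # as a plain hash without needing Puppet's own classes loaded.
  text = File.read(path).sub(%r{\A--- !ruby/object:\S+}, '---')
  doc = YAML.safe_load(text)
  doc.is_a?(Hash) ? doc['values'] : nil
end

def hostname_for(yamldir, certname)
  facts = cached_facts(yamldir, certname)
  facts && facts['fqdn']
end

# Build the ENC document: classes derived from the real hostname, plus the
# hostname as a parameter so manifests never need to see the UUID.
def classify(yamldir, certname)
  fqdn = hostname_for(yamldir, certname)
  return { 'classes' => ['base'], 'parameters' => { 'unknown_node' => true } } unless fqdn
  role = fqdn.split('.').first.sub(/\d+\z/, '')   # foo001 -> foo
  { 'classes' => ['base', "role::#{role}"],
    'parameters' => { 'real_hostname' => fqdn } }
end

# Constructed sample cache, used when the script runs stand-alone.
def build_sample_cache(dir)
  FileUtils.mkdir_p(File.join(dir, FACTS_SUBDIR))
  uuid = 'a4e1c2d0-7b3f-4b7a-9c1e-0f2d5e6a7b8c'   # constructed, not a real node
  File.write(File.join(dir, FACTS_SUBDIR, "#{uuid}.yaml"), <<~YAML)
    --- !ruby/object:Puppet::Node::Facts
    name: #{uuid}
    values:
      fqdn: foo001.domain.tld
      hostname: foo001
  YAML
  uuid
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    certname = ARGV[0] || build_sample_cache(dir)
    yamldir  = ENV.fetch('PUPPET_YAMLDIR', dir)
    puts classify(yamldir, certname).to_yaml
  end
end
```

Run without arguments it classifies the constructed sample node; pointed at a real master with `PUPPET_YAMLDIR` set and the certname as the first argument, it behaves as an ENC. The certname whitelist matters because the ENC is invoked with a value the agent chose for itself, and the fallback for an uncached certname keeps a brand-new node from being classified off stale or missing data.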



Re: [Puppet Users] Re: Disabling Certificates

2010-11-12 Thread James Turnbull
Derek J. Balling wrote:
> It's just ugly. Like I said in my ticket notes, I'll concede that for
> some people, it's a necessity, but there's clearly also a set of
> people for whom it is just unnecessary pain and suffering.
> 

It's been my experience that SSL (or the requirement for some form of
this type of security even if they disliked SSL) is actually required by
the vast majority of people using Puppet.

Certainly, if you have any security requirements, you need some kind of
encryption/authentication mechanism.  Without one, anyone can
compromise your configuration and a daemon generally running with root
privileges.  But I concede there might be shops out there who don't care
about this issue.

I doubt it will change in a hurry - removing SSL from Puppet or
abstracting it into a module as part of a refactor of security would be
a large undertaking.

Regards

James Turnbull

-- 
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571




Re: [Puppet Users] Re: Disabling Certificates

2010-11-12 Thread Thomas Bendler
Hi Derek,

2010/11/12 Derek J. Balling 

> [...]
> Nope. Because "autosign" doesn't also "auto-overwrite".
>
> - New Host "foo001.domain.tld" is created
> - Certs are exchanged for foo001 with the puppetmaster, life is good,
> autosigned
> - Host foo001.domain.tld is retired
> - Replacement Host "foo001.domain.tld" is created
> - foo001 tries to talk to puppetmaster, presenting brand new certs. They
> don't match what the master has for that host. It tells foo001 to
> pound-sand.
>
> At that point, I have to manually log into the CA and clean out the
> certificates for foo001. I also have to go out to foo001, and blow away all
> ITS certs, since it's been given a cert it has no idea what to do with.
>

removing the certificate is part of the retirement process, as is
removing the DNS entry, freeing up the IP in the CMDB, removing the hardware
from the rack and whatever else needs to be done when a box is retired. Nearly
all of this could be scripted except the removal from the rack.

Kind regards, Thomas

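Thomas's point that retirement can be scripted, and Nigel's earlier suggestion of a cron job on the CA that discards stale client info, as one worked example (added here; not code from the thread, from Puppet Labs or from either poster). Rather than blanket-deleting everything, it reconciles the CA's signed-certificate store against an inventory of live hosts and cleans only certificates whose host is gone, which is what lets a replacement `foo001.domain.tld` be autosigned without a manual visit to the CA. It assumes signed certificates live at `<ssldir>/ca/signed/<certname>.pem` and that `puppet cert --clean <certname>` is the cleanup command; the inventory file format, the sample hostnames and the placeholder `.pem` contents are constructed.

```ruby
#!/usr/bin/env ruby
# Added example, not from the thread: reconcile the CA's signed-certificate
# store against the inventory of live hosts and report (or clean) the
# certificates of hosts that have been retired.
#
# Assumptions (not stated in the thread): signed certs live as
# <ssldir>/ca/signed/<certname>.pem, and `puppet cert --clean <certname>`
# is the command that revokes and removes one.
require 'fileutils'
require 'tmpdir'
require 'set'

SIGNED_SUBDIR = File.join('ca', 'signed')

# Certnames that must never be cleaned automatically, whatever the inventory says.
PROTECTED = ['ca'].freeze

def signed_certnames(ssldir)
  Dir.glob(File.join(ssldir, SIGNED_SUBDIR, '*.pem'))
     .map { |p| File.basename(p, '.pem') }
     .sort
end

# Inventory file (e.g. an export from the CMDB): one hostname per line,
# '#' comments allowed, compared case-insensitively.
def load_inventory(path)
  File.readlines(path)
      .map { |l| l.sub(/#.*/, '').strip.downcase }
      .reject(&:empty?)
      .to_set
end

# Certificates signed for hosts that are no longer in the inventory, excluding
# the protected names and the master's own certname.
def orphaned_certnames(ssldir, inventory, master_certname)
  keep = inventory | PROTECTED | [master_certname.downcase]
  signed_certnames(ssldir).reject { |c| keep.include?(c.downcase) }
end

# Argument vectors, not shell strings, so a hostile certname cannot inject
# into a shell.
def clean_commands(certnames)
  certnames.map { |c| ['puppet', 'cert', '--clean', c] }
end

# Run (or, by default, only print) the cleanup. Returns the command list so a
# cron wrapper can log exactly what was done.
def reconcile(ssldir, inventory_path, master_certname, dry_run: true)
  orphans = orphaned_certnames(ssldir, load_inventory(inventory_path), master_certname)
  cmds = clean_commands(orphans)
  cmds.each do |cmd|
    if dry_run
      puts "would run: #{cmd.join(' ')}"
    else
      system(*cmd) or warn "failed: #{cmd.join(' ')}"
    end
  end
  cmds
end

# Constructed sample CA store and inventory for a stand-alone run: foo001 has
# been retired and is missing from the inventory, foo002 is still live.
def build_sample(dir)
  FileUtils.mkdir_p(File.join(dir, SIGNED_SUBDIR))
  %w[ca puppet.domain.tld foo001.domain.tld foo002.domain.tld].each do |n|
    File.write(File.join(dir, SIGNED_SUBDIR, "#{n}.pem"),
               "-- constructed placeholder, not a real certificate --\n")
  end
  inv = File.join(dir, 'live-hosts.txt')
  File.write(inv, "# hosts still in the CMDB\nfoo002.domain.tld\n")
  inv
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    inv = build_sample(dir)
    reconcile(dir, inv, 'puppet.domain.tld', dry_run: true)
  end
end
```

Scheduled from cron on the CA with `dry_run: false` and a real `ssldir` and inventory export, this removes only the certificates of hosts the CMDB says are gone, so the "auto-overwrite" Derek wants happens as a side effect of the retirement record rather than by unconditionally trusting whichever host shows up next with a familiar name. The dry-run default and the protected list are there so a bad inventory export cannot wipe the CA or the master's own certificate.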



Re: [Puppet Users] Re: Disabling Certificates

2010-11-11 Thread Derek J. Balling

On Nov 11, 2010, at 6:26 PM, donavan wrote:
> From your comment in #3958 I think autosign[1] with "*.domain.tld"
> would work for you.

Nope. Because "autosign" doesn't also "auto-overwrite".

- New Host "foo001.domain.tld" is created
- Certs are exchanged for foo001 with the puppetmaster, life is good, autosigned
- Host foo001.domain.tld is retired
- Replacement Host "foo001.domain.tld" is created
- foo001 tries to talk to puppetmaster, presenting brand new certs. They don't 
match what the master has for that host. It tells foo001 to pound-sand.

At that point, I have to manually log into the CA and clean out the 
certificates for foo001. I also have to go out to foo001, and blow away all ITS 
certs, since it's been given a cert it has no idea what to do with.

It's just ugly. Like I said in my ticket notes, I'll concede that for some 
people, it's a necessity, but there's clearly also a set of people for whom it 
is just unnecessary pain and suffering.
