Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-22 Thread Matthew Black
Oh and to add to my message. The benefit of this is there is no tomfoolery with multiple CAs and the confusion that will cause. If the concern is about letting one puppet client connect to two different pools then you can limit who can retrieve their catalog either through the auth.conf or directiv

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-22 Thread Matthew Black
I think you're missing what I'm trying to convey. When you run via Apache or Nginx you are doing SSL termination at the Apache and forwarding the requests to a puppetmaster application if you use, say, Passenger. It's not so different than an F5. While I'm not giving you exact details on how to do it

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-21 Thread spankthespam
Dear Matt, On Wednesday, February 20, 2013 10:39:51 PM UTC, Matt wrote: > > I run an F5 load balancer with SSL termination at the F5 and I don't > need to put the CA cert anywhere except the F5. The actual CA signs > the certs. The CA cert is only really used to authenticate the client > cert. T

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Matthew Black
I run an F5 load balancer with SSL termination at the F5 and I don't need to put the CA cert anywhere except the F5. The actual CA signs the certs. The CA cert is only really used to authenticate the client cert. This gives the appearance to my puppet clients that I only have one puppet master when

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
Dear Matt, On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote: > > I think you're trying to over-complicate the situation here. > > Yes, it's a single point of failure but unfortunately that is not going > to change anytime between now and maybe 6 months. > I am aware of that, and I am fi

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Matthew Black
I think you're trying to over-complicate the situation here. Yes, it's a single point of failure but unfortunately that is not going to change anytime between now and maybe 6 months. You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to t

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Jason Slagle
Howdy! I might suggest starting here: http://projects.puppetlabs.com/projects/1/wiki/certificates_and_security It talks a little about setting up a separate CA - this is pretty commonly done for HA environments. As far as pre-generating the client certs without Puppet, I'd have a look at s

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
On 02/20/2013 02:38 PM, spankthes...@gmail.com wrote: > Ah, right. I forgot step 5. Which is replacing the CA with one created > using openssl. Of course, all other certs are obsolete after you do > that, so you can use your shiny new process of certifying agents to > make > the

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
On Wednesday, February 20, 2013 12:58:44 PM UTC, Felix.Frank wrote: > > On 02/20/2013 01:28 PM, spankt...@gmail.com wrote: > > And what would be the purpose of that? That still includes using puppet > > to create CA, and I want to avoid that completely. > > Ah, right. I forgot step 5. Which i

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
Hi again, to answer the question more succinctly: The purpose of the proposed process is to find and eliminate the points of failure. Once you've completed all those iterations, you will very well know what works and how. Cheers, Felix On 02/20/2013 01:58 PM, Felix Frank wrote: >> And what woul

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
On 02/20/2013 01:28 PM, spankthes...@gmail.com wrote: > And what would be the purpose of that? That still includes using puppet > to create CA, and I want to avoid that completely. Ah, right. I forgot step 5. Which is replacing the CA with one created using openssl. Of course, all other certs are

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
On Wednesday, February 20, 2013 12:00:07 PM UTC, Felix.Frank wrote: > > On 02/20/2013 12:02 PM, spankt...@gmail.com wrote: > > > > Regardless of how much use it has, it is a SPOF. Once it's down, the whole > > cluster malfunctions. With a monolithic CA server down, all clusters are > > malfunctio

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
On 02/20/2013 12:02 PM, spankthes...@gmail.com wrote: > > Regardless of how much use it has, it is a SPOF. Once it's down, the whole > cluster malfunctions. With a monolithic CA server down, all clusters are > malfunctioning. I disagree. An SSL connection requires two peers and at least one signed cer

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
Dear Felix, On Wednesday, February 20, 2013 10:51:50 AM UTC, Felix.Frank wrote: > > On 02/20/2013 11:37 AM, spankt...@gmail.com wrote: > > Incorrect. You *do* want to create new CAs. What about different > > puppetmaster pools? Imagine you and me, we both want a puppetmaster > > setup with

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
On 02/20/2013 11:37 AM, spankthes...@gmail.com wrote: > Incorrect. You *do* want to create new CAs. What about different > puppetmaster pools? Imagine you and me, we both want a puppetmaster > setup with LBs in front of them, for our own machines, and we'd rather > want to have different CAs f

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
Dear Felix, On Wednesday, February 20, 2013 9:58:45 AM UTC, Felix.Frank wrote: > > Hi, > > I think I understood your goal well enough, and it's sound in and of > itself, but I believe you have some misconceptions on how to implement > this. > > First off, so we're on the same page: The CA is y

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread Felix Frank
Hi, I think I understood your goal well enough, and it's sound in and of itself, but I believe you have some misconceptions on how to implement this. First off, so we're on the same page: The CA is your root certificate. It's a self-signed certificate shared by all masters. Only the masters have

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-20 Thread spankthespam
Thanks Pete, but unfortunately that won't work. The nodes are out of my control, and all I can do is to provide their owners client certs via a web GUI. In addition to that, I would need multiple CAs, as the clients (and puppetmasters) would be destined for different owners, and they shouldn't s

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-19 Thread Peter Brown
You might have better luck using something like FreeIPA and using its CA cert and setting up certs for each node and using those as the puppet certs. This may help. http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/ I had a go at setting it up but I am using FreeIPA 3 and the steps

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-19 Thread spankthespam
Dear Felix, I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write a web interface for generating puppetmaster CAs and client certificates on demand. An example: install 3 puppetmasters with a load balancer in front. Use the web interface to generate a CA and c

Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-19 Thread Felix Frank
On 02/16/2013 12:20 PM, spankthes...@gmail.com wrote: > after creating CA and client cert and applying them to puppetmaster, it > complains with: Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates? If your CA changes, you will have t

[Puppet Users] How to manually create Puppet CA and client certificates using openssl?

2013-02-16 Thread spankthespam
I am wondering how to manually (using openssl instead of the puppet cert command) create a CA that would be usable by Puppet? The goal would be to script creation of such CAs to deploy them on multiple puppetmasters, instead of certificates being created on them via the puppet cert command. Any ideas
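The question above asks for exactly this, and Felix's first reply describes the model it has to fit (one self-signed root shared by all masters, agents and masters holding leaf certs signed by it). As an added example, not code from the thread or from Puppet itself, the script below builds such a CA and its leaf certificates with plain openssl. It assumes the Puppet 3 ssldir layout (ssl/ca/ca_key.pem, ssl/ca/ca_crt.pem, ssl/certs/<certname>.pem, ssl/private_keys/<certname>.pem, ssl/certs/ca.pem), the "Puppet CA: <host>" common-name convention, the host names puppet / puppet.example.com / agent01.example.com and the 3650/825-day lifetimes; all of those are the example's choices, not facts from the thread. Two things to keep in mind: a master's own cert needs subjectAltName entries for every name agents connect to (what Puppet configures with dns_alt_names), and a master with certificate revocation enabled also expects a CRL file, which this script does not produce, so either generate one (openssl ca -gencrl) or disable certificate_revocation on the master.

```shell
#!/bin/sh
# Added example (not from the thread): build a Puppet-usable CA plus agent and
# master certificates with openssl only. Directory layout under "$1" mirrors
# the Puppet 3 ssldir (an assumption; adjust if your Puppet lays it out differently).
set -eu

# make_ca <ssldir> <ca-common-name>: self-signed root, CA:TRUE, keyCertSign/cRLSign.
make_ca() {
    dir=$1; cn=$2
    mkdir -p "$dir/ca" "$dir/certs" "$dir/private_keys"
    cat >"$dir/ca/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca/ca_key.pem" 4096 2>/dev/null
    chmod 600 "$dir/ca/ca_key.pem"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca/ca_key.pem" \
        -config "$dir/ca/ca.cnf" -extensions v3_ca -out "$dir/ca/ca_crt.pem"
    # Agents and masters look for the root under certs/ca.pem as well (assumed layout).
    cp "$dir/ca/ca_crt.pem" "$dir/certs/ca.pem"
}

# issue_cert <ssldir> <certname> [subjectAltName list]
# Leaf cert signed by the CA in <ssldir>; CN is the certname Puppet will see.
# The optional third argument, e.g. "DNS:puppet,DNS:puppet.example.com", is
# required for a master's cert so agents can verify the name they connect to.
issue_cert() {
    dir=$1; name=$2; san=${3:-}
    key=$dir/private_keys/$name.pem
    crt=$dir/certs/$name.pem
    cnf=$dir/private_keys/$name.cnf
    csr=$dir/private_keys/$name.csr
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$name"
        printf '[v3_leaf]\nbasicConstraints = critical, CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth, clientAuth\n'
        printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } >"$cnf"
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$csr"
    # The CA private key only ever touches this signing step.
    openssl x509 -req -sha256 -days 825 -in "$csr" \
        -CA "$dir/ca/ca_crt.pem" -CAkey "$dir/ca/ca_key.pem" -CAcreateserial \
        -extfile "$cnf" -extensions v3_leaf -out "$crt" 2>/dev/null
    rm -f "$csr" "$cnf"
}

# verify_cert <ca-cert-file> <cert-file>: 0 if the cert chains to that CA.
# Using a different pool's CA here fails, which is the isolation the thread discusses.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_dns_name <cert-file> <dns-name>: 0 if the name appears in subjectAltName.
has_dns_name() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo run (hypothetical names); invoke as: sh thisscript.sh demo
demo() {
    d=$(mktemp -d)
    make_ca "$d" "Puppet CA: puppet.example.com"
    issue_cert "$d" puppet.example.com "DNS:puppet,DNS:puppet.example.com"
    issue_cert "$d" agent01.example.com
    verify_cert "$d/ca/ca_crt.pem" "$d/certs/agent01.example.com.pem" && echo "agent01: OK"
    has_dns_name "$d/certs/puppet.example.com.pem" puppet && echo "master SAN: OK"
    echo "ssldir built in $d"
}
case "${1:-}" in demo) demo ;; esac
```

Copy the resulting ssl/ tree onto each master (ca/ on every master that must act as CA, certs/ and private_keys/ for that master's own certname), and hand each node owner only their private_keys/<certname>.pem, certs/<certname>.pem and certs/ca.pem. Keep the CA key off the web-facing machine if the certificates are being issued through a web interface: only issue_cert needs it, so that step can run on an isolated signer.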