You can pretty easily do a curl or equivalent to see if the signed cert is there.
The URL will be something like http://$server/production/certificate/$hostname, but you'll probably need to do some SSL shenanigans. Quite a few others are actually doing this kind of query, so someone can probably pop in with details of it.

On Apr 20, 2011, at 4:35 PM, Arm Adam wrote:

> Thank you for the response, Max
>
> Is there any way for us to tell from the puppet master (command line
> or REST) if a signed certificate has actually been picked up? Running
> Kick just gives us a connection refused, so we can't really tell why
> the connection was refused. We just sit around waiting and retrying
> until it suddenly starts working.
>
> Arm.
>
> On Apr 20, 3:58 pm, Max Martin <[email protected]> wrote:
>> Hi Arm,
>>
>> It sounds like the problem here is that your puppet agents are running as
>> daemons, and kicking them isn't causing them to check for a signed cert. I
>> would suggest that you run your agents using --no-daemonize, and set up a
>> cron schedule for them to check in with the master, which will cause them to
>> check for any signed certs. I'm CCing this to the public dev and user lists
>> in case anyone else has any better ideas, and don't hesitate to reply again
>> if you run into any more issues.
>>
>> Thanks for the feedback!
>>
>> On Wed, Apr 20, 2011 at 2:05 PM, Arm Adam <[email protected]> wrote:
>>> This REST api is very interesting to us. However, one issue we have
>>> is that we don't know when an agent has actually picked up the
>>> certificates. For example, we bring a new puppet agent online and it
>>> connects to the master to generate a certificate request. We sign the
>>> request and get an immediate response from the puppet master
>>> certificate command, but when we subsequently attempt to perform a
>>> kick, it fails due to a connection refused. This will happen until
>>> the agent actually picks up the signed certificate.
>>>
>>> So,
>>>
>>> 1) How can we determine if a certificate is signed AND has been picked
>>> up by the agent?
>>> 2) How can we force the agent to connect and pick up the signed
>>> certificates without having access to the agent system?
>>>
>>> Notes:
>>> We don't want to have to connect to an agent. Only the master.
>>> We don't have agent hostname prior to it coming online. According to
>>> what we've seen online pre-generating and distributing keys is not an
>>> option given that constraint.
>>>
>>> Thank you for your help!
>>
>> --
>> Max Martin (404) 585-1840
>> Puppet Labs http://www.puppetlabs.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.

--
It isn't necessary to have relatives in Kansas City in order to be unhappy. -- Groucho Marx
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- http://about.me/lak
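The curl query Luke describes, written out as an added example (this is not code from the thread or from Puppet itself). It assumes the master serves its REST API over HTTPS on the default port 8140, that the CA certificate the master's own cert chains to sits at the usual ssldir path /var/lib/puppet/ssl/certs/ca.pem, and it uses the hypothetical hostnames puppet.example.com and web01.example.com; the `Accept: s` header asks the REST API for the raw PEM. The `--cacert` flag is the "SSL shenanigans": the master's server cert is signed by its own CA, so curl has to be told to trust that CA or the TLS handshake fails. The `CURL` variable exists only so the polling logic can be exercised without a master.

```shell
#!/bin/sh
# Added example, not from the original thread or from Puppet. Polls a Puppet
# master's REST certificate endpoint to learn whether the CA has signed a
# node's certificate. Assumed defaults (override via the environment):
#   MASTER      hostname of the puppet master (hypothetical name below)
#   PORT        8140, Puppet's default HTTPS port
#   ENVIRONMENT "production", as in the URL from the thread
#   SSLDIR      the master's ssldir, where certs/ca.pem lives

MASTER=${MASTER:-puppet.example.com}
PORT=${PORT:-8140}
ENVIRONMENT=${ENVIRONMENT:-production}
SSLDIR=${SSLDIR:-/var/lib/puppet/ssl}
CURL=${CURL:-curl}   # overridable so the logic can be tested without a master

# Build the REST URL for a node's signed certificate.
cert_url() {
    printf 'https://%s:%s/%s/certificate/%s\n' "$MASTER" "$PORT" "$ENVIRONMENT" "$1"
}

# Ask the master for the node's signed cert; print only the HTTP status.
# --cacert: trust the master's CA instead of the system trust store. Do not
# swap this for -k in automation, because -k drops server authentication and
# the script would then happily talk to anything answering on 8140.
# The certificate endpoint is readable without a client cert in the stock
# auth.conf, so no --cert/--key is needed just to see whether a cert is signed.
cert_status() {
    "$CURL" -s -o /dev/null -w '%{http_code}' \
        --cacert "$SSLDIR/certs/ca.pem" \
        -H 'Accept: s' \
        "$(cert_url "$1")"
}

# Map an HTTP status to what it means for the CA:
#   200 -> the master holds a signed certificate for the node
#   404 -> no signed cert yet (request pending, or never submitted)
#   anything else (403, 500, 000 for no connection) -> transport or auth
#   trouble; never treat it as "unsigned" or the loop below spins forever
classify_status() {
    case "$1" in
        200) echo signed ;;
        404) echo unsigned ;;
        *)   echo error ;;
    esac
}

# Poll until the cert is signed or attempts run out. Returns 0 when signed,
# 1 when still unsigned after all attempts, 2 on a non-404 failure
# (wrong CA file, master down, auth.conf denying the request).
wait_for_signed_cert() {
    node=$1; attempts=${2:-10}; delay=${3:-5}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        code=$(cert_status "$node")
        case $(classify_status "$code") in
            signed) return 0 ;;
            error)  echo "unexpected HTTP $code from $(cert_url "$node")" >&2; return 2 ;;
        esac
        i=$((i + 1))
        if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    done
    return 1
}

# Usage (hypothetical node): wait up to 20 x 3 s for the cert, then kick.
# wait_for_signed_cert web01.example.com 20 3 && puppet kick web01.example.com
```

A 200 here only proves the CA has signed the certificate; it says nothing about whether the agent has fetched it, which is the part of Arm's first question that the master alone cannot answer. In the thread's own terms, the kick starting to succeed is the signal that the agent has the cert. The three-way split in `classify_status` matters in practice: a wrong `--cacert` path or a stopped master yields a non-404 status, and a loop that lumps that in with "not signed yet" waits forever instead of failing loudly.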
