Also, I have something like this for creating the certificates. It works just
about fine and helps with not being paranoid about the drawbacks of using
Puppet's certs:
  class certs {
    package { "openssl":
      ensure => present,
    }
    # the generator script itself, rendered from the template below
    file { "/var/local/certificates/certs.sh":
      ensure  => "present",
      content => template("certs.erb"),
      owner   => "puppet",
      group   => "puppet",
      mode    => "755",
      require => Package["openssl"],
    }
    # run once; skipped as long as the listed files exist
    exec { "sh certs.sh":
      cwd     => "/var/local/certificates",
      # a third entry of this list was cut off in the original post
      creates => ["/etc/ldap/server.crt", "/etc/ldap/server.key"],
      path    => "/usr/bin:/usr/sbin:/bin:/sbin",
      require => File["/var/local/certificates/certs.sh"],
    }
  }
certs.erb:
  #!/bin/sh
  # stop on the first failing command so a broken openssl run does not
  # leave a half-written .pem behind
  set -e
  # self-signed certificate for this host, valid for five years
  openssl req -new -x509 -nodes -days 1826 \
    -out /etc/ldap/server.crt \
    -keyout /etc/ldap/server.key \
    -subj /CN=<%= fqdn %>
  # Generate the .pem file (certificate followed by private key)
  cat /etc/ldap/server.crt \
      /etc/ldap/server.key \
      > /etc/ldap/server.pem
  chown openldap:openldap /etc/ldap/server.pem
  chown openldap:openldap /etc/ldap/server.crt
  chown openldap:openldap /etc/ldap/server.key
  # the .pem and .key files carry the private key; keep them owner-only
  chmod 600 /etc/ldap/server.pem /etc/ldap/server.key
I could just add a few lines of copying certs to other locations and set the
required permissions.
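As an added example (not part of the original post): the same openssl invocation as certs.sh, run into a scratch directory, followed by the check a Puppet run could make afterwards, that the certificate and key belong together, the certificate has not expired, and the key file is owner-only. The hostname and the WORKDIR location are assumptions.

```shell
#!/bin/sh
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch location

# $1 = hostname for the CN, $2 = output directory; mirrors certs.sh
gen_selfsigned() {
  openssl req -new -x509 -nodes -days 1826 \
    -out "$2/server.crt" -keyout "$2/server.key" \
    -subj "/CN=$1" 2>/dev/null
  cat "$2/server.crt" "$2/server.key" > "$2/server.pem"
  chmod 600 "$2/server.key" "$2/server.pem"
}

# Prints "ok" when the cert and key share a public key, the cert is
# not yet expired and the key is not group/world readable; otherwise
# prints the reason and returns 1.
check_pair() {
  dir="$1"
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
  [ "$crt_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
    || { echo "expired"; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  perms=$(stat -c %a "$dir/server.key" 2>/dev/null \
          || stat -f %Lp "$dir/server.key")
  case "$perms" in
    600|400) ;;
    *) echo "key-perms-$perms"; return 1 ;;
  esac
  echo "ok"
}

gen_selfsigned "ldap.example.com" "$WORKDIR"
check_pair "$WORKDIR"
```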
On Fri, Aug 6, 2010 at 11:45 PM, Richard Crowley <[email protected]> wrote:
> I use Puppet's certs to setup stunnels and do all other private
> communication through those. I also reference them directly rather
> than copying them around. I haven't gone through the whole firedrill
> yet but this at least seems like it won't make moving services between
> hosts more painful.
>
> Rich
> (iPhoned it in.)
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.