Hi,

You may look into how mcollective or foreman[1] handles the certificate signing processes.

[1] http://theforeman.org

Ohad

On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <[email protected]> wrote:
> Just to add:
>
> The reason I wanted to do this:
> 1. I want to create the certificates before the VMs are created. The VMs
> will need to run the puppet client.
> 2. However, before a VM is created, I don't know the IP nor the FQDN of the
> VM. That's why I'm thinking of using an arbitrary name.
> 3. I want to use the same set of certs to authenticate the communication
> between the VMs and another APACHE server.
>
> Any comments on how to do this are greatly appreciated.
>
> -Yushu
>
> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <[email protected]> wrote:
>> Thanks Jeff,
>>
>> Assuming we will worry about security later.
>>
>> Is it possible to use an arbitrary name in both the client cert's CN and in
>> nodes.pp?
>>
>> E.g. in node.pp we have:
>>
>> node "MyMachine1" { xxx }
>>
>> In the client's cert the CN="MyMachine1"
>>
>> Where MyMachine1 is neither the IP address nor the fqdn.
>>
>> Then when the client connects the master will look into its CN, and return
>> the catalog of "MyMachine1".
>>
>> Thanks
>>
>> -Yushu
>>
>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune <[email protected]> wrote:
>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <[email protected]> wrote:
>>> > Hi experts,
>>> >
>>> > Is there a way to specify in the nodes.pp sections with the ip address of
>>> > the client?
>>> > Currently I only saw instructions to use wildcarded hostnames.
>>> >
>>> > Thanks a lot
>>>
>>> You can configure [1] the master to use facter rather than the
>>> certificate common name for the node name. Note, however, this poses
>>> a risk since the fact list is presented by the agent and may be
>>> forged. If you configure the master to use facter then you would have
>>> to force the "hostname" to actually be the ipaddress by modifying the
>>> hostname fact itself.
>>>
>>> I in no way recommend this configuration and actively discourage it.
>>> It should do what you want though.
>>>
>>> node_name
>>> How the puppetmaster determines the client’s identity and sets the
>>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
>>> particular for determining which ‘node’ statement applies to the
>>> client. Possible values are ‘cert’ (use the subject’s CN in the
>>> client’s certificate) and ‘facter’ (use the hostname that the client
>>> reported in its facts)
>>> Default: cert
>>>
>>> [1] http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>
>>> Hope this helps,
>>> --
>>> Jeff McCune
>>> http://www.puppetlabs.com/
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to [email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
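The following is an added illustration, not code from this thread or from Puppet itself: a toy model of how a master picks the `node` block for a connecting agent under the two `node_name` settings Jeff quotes (`cert` vs `facter`), and why the `facter` setting lets an agent-reported hostname steer catalog selection. The manifest, certificate CNs and fact hashes are constructed sample data; the mapping from CN to `node "MyMachine1"` is the arrangement Yushu asks about.

```python
"""Toy model of Puppet master node-name resolution (added example, not Puppet code).

The master authenticates the agent's certificate during TLS, so the subject CN
is a verified identity.  Facts, by contrast, are just data the agent sends in
its request, so under node_name = facter the agent chooses its own node name.
"""
import re

# Constructed nodes.pp subset: a quoted name, a regex node and a default block.
NODES_PP = '''
node "MyMachine1" { include role::webserver }
node /^db\\d+\\.example\\.com$/ { include role::database }
node default { include role::base }
'''

# Minimal grammar: node "name" { ... } | node /regex/ { ... } | node default { ... }
NODE_RE = re.compile(r'node\s+(?:"([^"]+)"|/([^/]+)/|(default))\s*\{([^}]*)\}')


def parse_nodes(manifest):
    """Return a list of (kind, pattern, body) tuples from the manifest text."""
    nodes = []
    for m in NODE_RE.finditer(manifest):
        name, regex, default, body = m.groups()
        if name is not None:
            nodes.append(("name", name, body.strip()))
        elif regex is not None:
            nodes.append(("regex", re.compile(regex), body.strip()))
        else:
            nodes.append(("default", None, body.strip()))
    return nodes


def resolve_node_name(cert_cn, facts, node_name="cert"):
    """Mirror the node_name setting from the quoted documentation.

    'cert'   -> the subject CN of the certificate the master verified.
    'facter' -> the 'hostname' fact, which is client-supplied and unauthenticated.
    """
    if node_name == "cert":
        return cert_cn
    if node_name == "facter":
        return facts["hostname"]
    raise ValueError("node_name must be 'cert' or 'facter'")


def select_node_block(nodes, node_name_value):
    """Return the body of the first node block matching the resolved name,
    falling back to the default block (simplified precedence, assumed here)."""
    default_body = None
    for kind, pattern, body in nodes:
        if kind == "name" and pattern == node_name_value:
            return body
        if kind == "regex" and pattern.search(node_name_value):
            return body
        if kind == "default":
            default_body = body
    return default_body


def catalog_for(cert_cn, facts, node_name="cert", manifest=NODES_PP):
    """Which node block the master would compile for this agent request."""
    resolved = resolve_node_name(cert_cn, facts, node_name)
    return select_node_block(parse_nodes(manifest), resolved)


if __name__ == "__main__":
    # Agent whose pre-created certificate carries CN=MyMachine1 (Yushu's scheme);
    # the CN is not a hostname or IP, yet under node_name = cert it is sufficient.
    honest = {"hostname": "MyMachine1", "ipaddress": "10.0.0.5"}
    print("cert  :", catalog_for("MyMachine1", honest, "cert"))

    # Agent holding a certificate for some other CN but reporting a hostname
    # fact it does not own.  Under 'cert' the verified CN wins; under 'facter'
    # the unauthenticated fact decides, which is the risk Jeff points out.
    mismatched = {"hostname": "MyMachine1", "ipaddress": "10.0.0.99"}
    print("cert  :", catalog_for("scratch-vm", mismatched, "cert"))
    print("facter:", catalog_for("scratch-vm", mismatched, "facter"))
```

A useful master-side check, regardless of setting, is to compare the `hostname`/`fqdn` facts against the certificate CN on each request and alert on mismatches; in this toy that is simply `facts["hostname"] != cert_cn`.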
