Yushu,

This should work...

1. Create the cert with an arbitrary name (puppetca --generate foo.somethingrandom.bar)
2. You will need some process to sign the cert and copy the private keys to the client VM because they don't exist at cert creation time. Copying private keys about is generally frowned upon from a security perspective, but if you want to pregenerate the certs you don't have much choice.
3. In puppet.conf on the client, set the certname option to foo.somethingrandom.bar in the [puppetd] section.

Cheers,
Teyo

On Wed, Aug 11, 2010 at 12:19 PM, Ohad Levy <[email protected]> wrote:
> Hi,
>
> You may look into how mcollective or foreman[1] handles the certificate
> signing processes.
>
> [1] http://theforeman.org
>
> Ohad
>
> On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <[email protected]> wrote:
>> Just to add:
>>
>> The reason I wanted to do this:
>> 1. I want to create the certificates before the VMs are created. The VMs will need to run puppet client
>> 2. However, before a VM is created, I don't know the IP nor the FQDN of the VM. That's why I'm thinking of using an arbitrary name.
>> 3. I want to use the same set of certs to authenticate the communication between the VMs and another APACHE server.
>>
>> Any comments on how to do this are greatly appreciated.
>>
>> -Yushu
>>
>> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <[email protected]> wrote:
>>> Thanks Jeff,
>>>
>>> Assuming we will worry about security later.
>>>
>>> Is it possible to use an arbitrary name in both the client cert's CN and in nodes.pp?
>>>
>>> E.g. in node.pp we have:
>>>
>>> node "MyMachine1" { xxx }
>>>
>>> In the client's cert the CN="MyMachine1"
>>>
>>> Where MyMachine1 is neither the IP address nor the FQDN.
>>>
>>> Then when the client connects the master will look into its CN, and return the catalog of "MyMachine1".
>>>
>>> Thanks
>>>
>>> -Yushu
>>>
>>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune <[email protected]> wrote:
>>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <[email protected]> wrote:
>>>> > Hi experts,
>>>> >
>>>> > Is there a way to specify in the nodes.pp sections with the IP address of the client?
>>>> > Currently I only saw instructions to use wildcarded hostnames.
>>>> >
>>>> > Thanks a lot
>>>>
>>>> You can configure [1] the master to use facter rather than the certificate common name for the node name. Note, however, this poses a risk since the fact list is presented by the agent and may be forged. If you configure the master to use facter then you would have to force the "hostname" to actually be the ipaddress by modifying the hostname fact itself.
>>>>
>>>> I in no way recommend this configuration and actively discourage it. It should do what you want though.
>>>>
>>>> node_name
>>>> How the puppetmaster determines the client’s identity and sets the ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in particular for determining which ‘node’ statement applies to the client. Possible values are ‘cert’ (use the subject’s CN in the client’s certificate) and ‘facter’ (use the hostname that the client reported in its facts)
>>>> Default: cert
>>>>
>>>> [1] http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>>
>>>> Hope this helps,
>>>> --
>>>> Jeff McCune
>>>> http://www.puppetlabs.com/
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to [email protected].
>>>> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

--
Teyo Tyree :: www.puppetlabs.com :: +1.503.208.4475
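As an added illustration, not code from this thread or from Puppet itself, the following Python models the two points the replies turn on: the client's certname in puppet.conf is what the master matches against nodes.pp when node_name is cert, and node_name = facter moves identity to agent-reported facts. The puppet.conf and nodes.pp contents are constructed samples, and the selection order (exact name, then regex, then default) is a simplified model of the master's behaviour, not Puppet's own code.

```python
import configparser
import re

# Constructed sample inputs, not taken from the thread: the client's puppet.conf
# with the arbitrary certname, the master's puppet.conf, and a nodes.pp manifest.
CLIENT_CONF = "[puppetd]\ncertname = foo.somethingrandom.bar\n"
MASTER_CONF = "[puppetmasterd]\nnode_name = facter\n"
NODES_PP = '''
node "foo.somethingrandom.bar" { include base }
node /^web\\d+\\.example\\.com$/ { include web }
node default { include base }
'''
# Recognises: node "name", node 'name', node /regex/ and node default
NODE_RE = re.compile(r'''node\s+(?:"([^"]+)"|'([^']+)'|/((?:\\.|[^/])+)/|(default))''')

def setting(conf_text, section, key, default=None):
    """Read one key from an INI-style puppet.conf section, or return default."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get(section, key, fallback=default)

def parse_nodes(manifest):
    """Return ('name', str), ('regex', str) or ('default', None) per node statement."""
    return [("default", None) if d else ("regex", r) if r else ("name", dq or sq)
            for dq, sq, r, d in NODE_RE.findall(manifest)]

def select_node(certname, nodes):
    """Simplified model of the master's choice: exact name, then regex, then default."""
    for kind, value in nodes:
        if kind == "name" and value == certname:
            return (kind, value)
    for kind, value in nodes:
        if kind == "regex" and re.search(value, certname):
            return (kind, value)
    return next(((k, v) for k, v in nodes if k == "default"), None)

def audit(client_conf, master_conf, manifest):
    """Return findings about how this client will be identified and classified."""
    findings = []
    if setting(master_conf, "puppetmasterd", "node_name", "cert") == "facter":
        findings.append("master node_name=facter: identity comes from agent-reported facts, which can be forged")
    certname = setting(client_conf, "puppetd", "certname")
    if certname is None:
        findings.append("client sets no certname; the agent will use its own FQDN")
        return findings
    chosen = select_node(certname, parse_nodes(manifest))
    if chosen is None or chosen[0] == "default":
        findings.append(f"certname {certname!r} matches no specific node statement")
    return findings
```

Running audit(CLIENT_CONF, MASTER_CONF, NODES_PP) reports only the facter finding, since the arbitrary certname is matched by an exact node statement; switching the master back to node_name = cert leaves no findings.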
