Thanks a lot to all of you.
Another question: I saw the CN=ca for the certificate authority.
(e.g. puppetca --list --print --all shows:
...
Issuer: CN=ca
...
Subject: CN=asdf
...
)
Is there a way to change the "ca" to some other name? E.g. foo ?
The reason for this is that when I use the certificates generated by this CA in
the Apache server, Firefox will block it if I regenerate the certs of
Puppet. (I.e. a cert provided by the CA with CN=ca is already there, the new
one has a different key, so it returns a failure.)
Thanks.
-Yushu
On Wed, Aug 11, 2010 at 1:16 PM, Teyo Tyree <[email protected]> wrote:
> Yushu,
>
> This should work...
>
> 1. Create the cert with an arbitrary name (puppetca --generate
> foo.somethingrandom.bar)
> 2. You will need some process to sign the cert and copy the private keys to
> the client vm because they don't exist at cert creation time. Copying
> private keys about is generally frowned upon from a security perspective,
> but if you want to pregenerate the certs you don't have much choice.
> 3. In puppet.conf on the client, set the certname option to
> foo.somethingrandom.bar in the [puppetd] section.
>
> Cheers,
> Teyo
>
> On Wed, Aug 11, 2010 at 12:19 PM, Ohad Levy <[email protected]> wrote:
>
>> Hi,
>>
>> You may look into how mcollective or foreman[1] handles the certificate
>> signing processes.
>>
>> [1] http://theforeman.org
>>
>> Ohad
>>
>>
>> On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <[email protected]> wrote:
>>
>>> Just to add:
>>>
>>> The reason I wanted to do this:
>>> 1. I want to create the certificates before the VMs are created. The VMs
>>> will need to run the Puppet client.
>>> 2. However, before a VM is created, I don't know the IP nor the FQDN of
>>> the VM. That's why I'm thinking of using an arbitrary name.
>>> 3. I want to use the same set of certs to authenticate the communication
>>> between the VMs and another Apache server.
>>>
>>> Any comments on how to do this are greatly appreciated.
>>>
>>> -Yushu
>>>
>>>
>>> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <[email protected]> wrote:
>>>
>>>> Thanks Jeff,
>>>>
>>>> Assuming we will worry about security later.
>>>>
>>>> Is it possible to use an arbitrary name in both the client cert's CN and in
>>>> nodes.pp?
>>>>
>>>> E.g. in node.pp we have:
>>>>
>>>> node "MyMachine1" { xxx }
>>>>
>>>> In client's cert the CN="MyMachine1"
>>>>
>>>> Where MyMachine1 is neither the IP address nor the fqdn.
>>>>
>>>> Then when the client connects the master will look into its CN, and
>>>> return the catalog of "MyMachine1".
>>>>
>>>> Thanks
>>>>
>>>> -Yushu
>>>>
>>>>
>>>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune <[email protected]> wrote:
>>>>
>>>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <[email protected]>
>>>>> wrote:
>>>>> > Hi experts,
>>>>> >
>>>>> > Is there a way to specify in the nodes.pp sections with the ip
>>>>> address of
>>>>> > the client?
>>>>> > Currently I only saw instructions to use wildcarded hostnames.
>>>>> >
>>>>> > Thanks a lot
>>>>>
>>>>> You can configure [1] the master to use facter rather than the
>>>>> certificate common name for the node name. Note, however, this poses
>>>>> a risk since the fact list is presented by the agent and may be
>>>>> forged. If you configure the master to use facter then you would have
>>>>> to force the "hostname" to actually be the ipaddress by modifying the
>>>>> hostname fact itself.
>>>>>
>>>>> I in no way recommend this configuration and actively discourage it.
>>>>> It should do what you want though.
>>>>>
>>>>> node_name
>>>>> How the puppetmaster determines the client’s identity and sets the
>>>>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
>>>>> particular for determining which ‘node’ statement applies to the
>>>>> client. Possible values are ‘cert’ (use the subject’s CN in the
>>>>> client’s certificate) and ‘facter’ (use the hostname that the client
>>>>> reported in its facts)
>>>>> Default: cert
>>>>>
>>>>> [1]
>>>>> http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>>>
>>>>> Hope this helps,
>>>>> --
>>>>> Jeff McCune
>>>>> http://www.puppetlabs.com/
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Puppet Users" group.
>>>>> To post to this group, send email to [email protected].
>>>>> To unsubscribe from this group, send email to
>>>>> [email protected].
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/puppet-users?hl=en.
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
>
>
> --
> Teyo Tyree :: www.puppetlabs.com :: +1.503.208.4475
>
>