On 22 December 2010 21:43, Dan Trainor <[email protected]> wrote:
> Hi -
>

[snip]

> From what I understand, Puppet's client/server authentication system -
> using SSL - is portable.  I believe that I should be able to use the
> same SSL certificates and keys (and even the same CA) with regard to
> other SSL/TLS connections, as well.

[snip]

I've used SSL and x509 certificates a fair bit, but I'm new to puppet
and away from my install at the moment - so you should check what I'm
saying in case puppet uses a x509 feature I've forgotten about or
didn't know in the first place -  x509 is not a small standard.

> curl -k -v --cert certs/job01.vmserver02.dev.az.domain.local.pem --key
> private_keys/job01.vmserver02.dev.az.toolbox.local.pem
> https://10.1.0.165/test.htm

First, the "-k" will cause curl to ignore any cert problems on the
server, so you probably want to try again without this to make sure.

> I got a little smile that the request did in fact work without error
> (save having the client use the CA certificate - I'll re-visit that
> later), but also concerned because I understand this should not have
> worked.  I ran puppetca --clean against this particular Puppet node's
> certificate, and expected it to just plain not work any more, and
> thereby updating my Puppet master's key store.

This is expected behavior.

If you clean the puppetd's certificate, AFAIK all it does is delete it
from the puppetca. It doesn't alter either the CA certificate (on the
puppetmaster) or the client certificate. To an external party (like
apache) nothing has changed. The puppetmaster will no longer talk to
the client, but only because it no longer knows anything about the
certificate in its cert repository.

The feature of x509 that you will need to investigate is certificate
revocation and certificate revocation lists - CRLs. CRLs are lists of
certificates that are no longer considered valid by the CA - even
though the certificate subject or other data is still valid. This
gives the CA a way of blacklisting certificates which may have been
compromised or otherwise judged to be no longer acceptable.

If you *have* to reject the clients on the basis of their
certificates, I think you will have to generate a CRL of the client
certificates as you clean them from the puppetmaster.

From the apache side of things, I think the SSLCARevocationPath
directive is what you need:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLCARevocationPath

Hope that helps.

> Thanks!
> -dant
-- 
Jonathan Barber <[email protected]>
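The distinction drawn above, as an added example that is not code from either poster: a throwaway CA (constructed here, with its own config, names and files) issues one client certificate; a relying party verifying it consults only the CA certificate and, if supplied, a CRL, never the CA's own database, so the certificate stays valid until the CA actually publishes a CRL listing it. It assumes only that `openssl` is on the path.

```shell
# Added demo, not from the thread: a throwaway CA issues one client cert,
# then revokes it. All names and files under $WORK are constructed here.
set -eu; WORK=$(mktemp -d); cd "$WORK"
# Minimal configuration for 'openssl ca' / 'openssl req' (constructed).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:true
EOF
touch index.txt; echo 01 > serial
# CA key/cert plus one client cert, standing in for a puppet node's cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=demo-ca -days 30 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout node.key -out node.csr \
  -subj /CN=node01 -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in node.csr -out node.crt 2>/dev/null
# What a relying party like apache does: chain-verify the client cert against
# the CA cert, consulting a CRL only if given one. The CA's own database is
# never read, so deleting a cert from the CA's store changes nothing here.
check_cert() {  # $1 = client cert, $2 = optional CRL file; prints OK/REJECTED
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify -CAfile ca.crt "$1" 2>&1 || true)
  fi
  case "$out" in *": OK"*) echo OK ;; *) echo REJECTED ;; esac
}
# Revoke the client cert at the CA and publish a CRL, then compare.
openssl ca -config ca.cnf -revoke node.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "no CRL:   $(check_cert node.crt)"          # OK
echo "with CRL: $(check_cert node.crt crl.pem)"  # REJECTED
```

Pointing apache's SSLCARevocationPath (or a CRL file) at crl.pem is what turns the second result into the rejection the poster was expecting from the cleaned certificate.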
