The TTL setting is 'ca_ttl', I think, in puppet.conf. And yes, you'll ultimately need to re-sign the certs for clients when they expire. The default is 1 year though, so it'll be a while.

On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:

> Yea, I'm new to puppet ... sounds like now I have to worry about certs
> eventually expiring and regenerate/sign them to keep nodes happy?
>
> Seems Trevor suggests increasing TTL. How can I do this if I wanted to?
>
> Thanks,
> Jake
>
> On Apr 28, 9:30 am, Matt Wise <[email protected]> wrote:
>> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud
>> Foreman for adding it as functionality though in their own code. For our
>> situation, we ended up writing our own CGI script on the Puppet CA servers
>> as well as a client-side script that runs periodically on the clients to
>> verify whether or not their cert is still valid. When their cert gets
>> close to expiring, it checks in with the CGI script and supplies the
>> original CSR that the host used for its first cert request to Puppet. Our
>> CGI script then has permissions to run some openssl commands, and generates
>> a whole new cert for the client and passes it back. This all happens over
>> SSL of course, and is only allowed for clients that still have a valid
>> certificate anyway. It's not pretty, but it's how we solved the problem...
>> and it's worked so far. We have ~600 hosts and they each get a new cert every
>> 25 days.
>>
>> Ideally there would be this functionality built into Puppet... when a client
>> checked in, the server would check if the cert is within X days of expiring.
>> If it is, it would generate a new cert and pass it back to the client
>> automatically. Of course this would be an 'option', but it seems like an
>> obvious feature addition.
>>
>> I looked and could not find an actual bug report requesting this
>> functionality explicitly, so I opened one:
>>
>> http://projects.puppetlabs.com/issues/7272
>>
>> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
>>
>>> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <[email protected]> wrote:
>>>
>>>> OK, just had to post this! I found a solution to my issues that may
>>>> help others.
>>>>
>>>> http://glarizza.posterous.com/managing-puppet-ssl-certificates
>>>
>>> FYI - as the original author of that script... the same functionality
>>> exists within Foreman.
>>>
>>> Ohad
>>>
>>>> Basically a CGI script located on your CA server. You can pass the
>>>> hostname/certname that you want to clean via HTTP to the script and
>>>> have it clean it off the CA server. More details in the link above.
>>>> This is working great for me and I'll be using it until similar
>>>> functionality is included by default in Puppet.
>>>>
>>>> Regards,
>>>> Jake
>>>>
>>>> On Apr 14, 8:50 am, Jake - USPS <[email protected]> wrote:
>>>>> Never mind, looks like it's in 2.7.0rc1
>>>>>
>>>>> http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
>>>>> cb01221 (#3360) Add an allow_duplicate_certs option
>>>>>
>>>>> On Apr 14, 8:45 am, Jake - USPS <[email protected]> wrote:
>>>>>
>>>>>> Thanks for the reply. I'm just starting to understand puppet, so I
>>>>>> would like not to mess with that ... yet. It does look very
>>>>>> interesting though, so thanks for bringing that up.
>>>>>>
>>>>>> Derek,
>>>>>>
>>>>>> Thanks for the bug. That looks like it includes some things that I
>>>>>> would like ... like the allow duplicate cert and whatnot. It looks
>>>>>> like its status is closed as of 14 hours ago. Does that mean it is in
>>>>>> some release of puppet now, or just that the code is ready to eventually
>>>>>> be implemented? I'd like to start trying it out right away as my
>>>>>> 'solution' doesn't seem to work well with dashboard.
>>>>>>
>>>>>> Thanks,
>>>>>> Jake
>>>>>>
>>>>>> On Apr 14, 8:41 am, Ohad Levy <[email protected]> wrote:
>>>>>>
>>>>>>> On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <[email protected]> wrote:
>>>>>>>
>>>>>>>> Also, what is foreman and how could it help. Not familiar with that
>>>>>>>> product.
>>>>>>>
>>>>>>> Foreman takes care of the entire process; things like provisioning, class
>>>>>>> assignments and reporting are all done through it (and many many other
>>>>>>> features).
>>>>>>>
>>>>>>> See http://theforeman.org for more details.
>>>>>>>
>>>>>>> Ohad
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Puppet Users" group.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to
>>>> [email protected].
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/puppet-users?hl=en.
