Thanks for the response. I found it in the genconf now. Looks like default is 5y. I'll be changing it for my needs.

Thanks!
Jake

On May 3, 12:53 pm, Matt Wise <[email protected]> wrote:
> the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
> ultimately need to re-sign the certs for clients when they expire. the
> default is 1 year though, so it'll be a while.
>
> On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:
>
> > Yea, I'm new to puppet ... sounds like now I have to worry about certs
> > eventually expiring and regenerate/sign them to keep nodes happy?
> >
> > Seems Trevor suggests increasing TTL. How can I do this if I wanted
> > to?
> >
> > Thanks,
> > Jake
> >
> > On Apr 28, 9:30 am, Matt Wise <[email protected]> wrote:
> >> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud
> >> Foreman for adding it as functionality though in their own code. For our
> >> situation, we ended up writing our own CGI script on the Puppet CA servers
> >> as well as a client-side script that runs periodically on the clients to
> >> verify whether or not their cert is still valid. When their cert gets
> >> close-to-expiring, it checks in with the CGI script and supplies the
> >> original CSR that the host used for its first cert request to puppet. Our
> >> CGI script then has permissions to run some openssl commands, and
> >> generates a whole new cert for the client and passes it back. This all
> >> happens over SSL of course, and is only allowed for clients that still
> >> have a valid certificate anyways. It's not pretty, but it's how we solved
> >> the problem... and it's worked so far. We have ~600 hosts and they each get
> >> a new cert every 25 days.
> >>
> >> Ideally there would be this functionality built into puppet... when a
> >> client checked in, the server would check if the cert is within X days of
> >> expiring. If it is, it would generate a new cert and pass it back to the
> >> client automatically. Of course this would be an 'option', but it seems
> >> like an obvious feature addition.
> >>
> >> I looked and could not find an actual bug report requesting this
> >> functionality explicitly, so I opened one:
> >>
> >> http://projects.puppetlabs.com/issues/7272
> >>
> >> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
> >>
> >>> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <[email protected]>
> >>> wrote:
> >>> OK, just had to post this! I found a solution to my issues that may
> >>> help others.
> >>>
> >>> http://glarizza.posterous.com/managing-puppet-ssl-certificates
> >>>
> >>> fyi - as the original author of that script... the same functionality
> >>> exists within foreman.
> >>>
> >>> Ohad
> >>>
> >>> Basically a CGI script located on your CA Server. You can pass the
> >>> hostname/certname that you want to clean via http to the script and
> >>> have it clean it off the CA Server. More details in the link above.
> >>> This is working great for me and I'll be using it until similar
> >>> functionality is included by default in puppet.
> >>>
> >>> Regards,
> >>> Jake
> >>>
> >>> On Apr 14, 8:50 am, Jake - USPS <[email protected]> wrote:
> >>>> Nevermind, looks like it's in 2.7.0rc1
> >>>>
> >>>> http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> >>>> cb01221 (#3360) Add an allow_duplicate_certs option
> >>>>
> >>>> On Apr 14, 8:45 am, Jake - USPS <[email protected]> wrote:
> >>>>
> >>>>> Thanks for the reply. I'm just starting to understand puppet, so I
> >>>>> would like not to mess with that ... yet. It does look very
> >>>>> interesting though, so thanks for bringing that up.
> >>>>>
> >>>>> Derek,
> >>>>>
> >>>>> Thanks for the bug. That looks like it includes some things that I
> >>>>> would like ... like the allow duplicate cert and whatnot. It looks
> >>>>> like its status is closed as of 14 hours ago. Does that mean it is in
> >>>>> some release of puppet now, or just that the code is ready to eventually
> >>>>> be implemented? I'd like to start trying it out right away as my
> >>>>> 'solution' doesn't seem to work well with dashboard.
> >>>>>
> >>>>> Thanks,
> >>>>> Jake
> >>>>>
> >>>>> On Apr 14, 8:41 am, Ohad Levy <[email protected]> wrote:
> >>>>>
> >>>>>> On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <[email protected]> wrote:
> >>>>>>
> >>>>>>> Also, what is foreman and how could it help. Not familiar with that
> >>>>>>> product.
> >>>>>>
> >>>>>> Foreman takes care of the entire process, things like provisioning,
> >>>>>> class assignments and reporting are all done through it (and many many
> >>>>>> other features).
> >>>>>>
> >>>>>> see http://theforeman.org for more details.
> >>>>>>
> >>>>>> Ohad

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
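The "is the agent cert within X days of expiring" check that Matt's client-side script and the requested Puppet feature both rely on, written out as an added example in Ruby; it is not code from this thread, from Puppet, or from Foreman. The 30-day window and the certificate path are assumptions, and the self-signed certificate it builds is constructed only so the check can run offline.

```ruby
require 'openssl'

# Days before not_after at which the agent should ask the CA for a new cert (assumed value).
RENEW_WINDOW_DAYS = 30

# Load an agent certificate from PEM, e.g. $ssldir/certs/<certname>.pem (assumed path).
def load_cert(path)
  OpenSSL::X509::Certificate.new(File.read(path))
end

# Whole days until the cert's not_after; negative once it has already expired.
def days_until_expiry(cert, now = Time.now)
  ((cert.not_after - now) / 86_400).floor
end

# :expired, :renew (inside the renewal window) or :ok.
def cert_status(cert, window_days = RENEW_WINDOW_DAYS, now = Time.now)
  days = days_until_expiry(cert, now)
  return :expired if days < 0
  return :renew if days <= window_days
  :ok
end

# Constructed self-signed certificate so the check has input when run offline;
# a real agent cert is issued by the Puppet CA instead.
def build_sample_cert(certname, days_valid)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days_valid * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, check a real PEM; otherwise use a constructed 20-day cert.
  cert = ARGV[0] ? load_cert(ARGV[0]) : build_sample_cert('agent1.example.com', 20)
  puts "#{cert.subject}: #{days_until_expiry(cert)} days left -> #{cert_status(cert)}"
end
```

Run periodically from cron on the agent; a :renew result is the point at which the host would contact the CA-side renewal script, while :expired means the agent can no longer authenticate to the master and needs the manual clean-and-resign.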