On Tue, May 3, 2011 at 9:29 PM, Jake - USPS <[email protected]> wrote:
> Thanks for the response. I found it in the genconf now. Looks like default is 5y. I'll be changing it for my needs.

note that the CA itself is signed for 5 years too... (and it seems that the CRL as well - which is wrong).

Ohad

> Thanks!
> Jake
>
> On May 3, 12:53 pm, Matt Wise <[email protected]> wrote:
> > the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll ultimately need to re-sign the certs for clients when they expire. the default is 1 year though, so it'll be a while.
> >
> > On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:
> > > Yea, I'm new to puppet ... sounds like now I have to worry about certs eventually expiring and regenerate/sign them to keep nodes happy?
> > >
> > > Seems Trevor suggests increasing TTL. How can I do this if I wanted to?
> > >
> > > Thanks,
> > > Jake
> > >
> > > On Apr 28, 9:30 am, Matt Wise <[email protected]> wrote:
> > >> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud Foreman for adding it as functionality though in their own code. For our situation, we ended up writing our own CGI script on the Puppet CA servers as well as a client-side script that runs periodically on the clients to verify whether or not their cert is still valid. When their cert gets close-to-expiring, it checks in with the CGI script and supplies the original CSR that the host used for its first cert request to puppet. Our CGI script then has permissions to run some openssl commands, and generates a whole new cert for the client and passes it back. This all happens over SSL of course, and is only allowed for clients that still have a valid certificate anyways. It's not pretty, but it's how we solved the problem... and it's worked so far. We have ~600 hosts and they each get a new cert every 25 days.
> > >>
> > >> Ideally there would be this functionality built into puppet... when a client checked in, the server would check if the cert is within X days of expiring. If it is, it would generate a new cert and pass it back to the client automatically. Of course this would be an 'option', but it seems like an obvious feature addition.
> > >>
> > >> I looked and could not find an actual bug report requesting this functionality explicitly, so I opened one:
> > >> http://projects.puppetlabs.com/issues/7272
> > >>
> > >> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
> > >>> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <[email protected]> wrote:
> > >>> OK, just had to post this! I found a solution to my issues that may help others.
> > >>>
> > >>> http://glarizza.posterous.com/managing-puppet-ssl-certificates
> > >>>
> > >>> fyi - as the original author of that script... the same functionality exists within foreman.
> > >>>
> > >>> Ohad
> > >>>
> > >>> Basically a CGI script located on your CA Server. You can pass the hostname/certname that you want to clean via http to the script and have it clean it off the CA Server. More details in the link above. This is working great for me and I'll be using it until similar functionality is included by default in puppet.
> > >>>
> > >>> Regards,
> > >>> Jake
> > >>>
> > >>> On Apr 14, 8:50 am, Jake - USPS <[email protected]> wrote:
> > >>>> Nevermind, looks like it's in 2.7.0rc1
> > >>>>
> > >>>> http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> > >>>> cb01221 (#3360) Add an allow_duplicate_certs option
> > >>>>
> > >>>> On Apr 14, 8:45 am, Jake - USPS <[email protected]> wrote:
> > >>>>> Thanks for the reply. I'm just starting to understand puppet, so I would like not to mess with that ... yet. It does look very interesting though, so thanks for bringing that up.
> > >>>>>
> > >>>>> Derek,
> > >>>>>
> > >>>>> Thanks for the bug. That looks like it includes some things that I would like ... like the allow duplicate cert and whatnot. It looks like its status closed as of 14 hours ago. Does that mean it is in some release of puppet now, or just that code is ready to eventually be implemented? I'd like to start trying it out right away as my 'solution' doesn't seem to work well with dashboard.
> > >>>>>
> > >>>>> Thanks,
> > >>>>> Jake
> > >>>>>
> > >>>>> On Apr 14, 8:41 am, Ohad Levy <[email protected]> wrote:
> > >>>>>> On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <[email protected]> wrote:
> > >>>>>>> Also, what is foreman and how could it help. Not familiar with that product.
> > >>>>>>
> > >>>>>> Foreman takes care of the entire process; things like provisioning, class assignments and reporting are all done through it (and many many other features).
> > >>>>>>
> > >>>>>> see http://theforeman.org for more details.
> > >>>>>>
> > >>>>>> Ohad
> > >>>
> > >>> --
> > >>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> > >>> To post to this group, send email to [email protected].
> > >>> To unsubscribe from this group, send email to [email protected].
> > >>> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
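The renewal scheme Matt describes in the thread (an agent periodically checking how close its cert is to expiring, then handing its original CSR to a CA-side script that re-signs it only for clients still holding a valid cert), together with Ohad's remark about the CA and CRL lifetimes, can be exercised offline with the Ruby example below. It is an added example, not code from the thread, from Puppet or from Foreman: every certificate, the CRL and the CSR are constructed in-script with Ruby's standard OpenSSL bindings, and the function names (issue_cert, make_test_crl, make_test_csr, days_until_expiry, renewal_status, crl_usable?, csr_matches_cert?) and the CNs puppet-ca.example.test and agent01.example.test are assumptions of the example, not Puppet identifiers.

```ruby
require 'openssl'

DAY = 86_400

# Issue a certificate for `key` with the given CN and lifetime in days.
# With no issuer it is self-signed (stand-in for the Puppet CA cert the
# thread says is signed for 5 years); with issuer: [ca_key, ca_pem] it is
# signed by that CA (stand-in for an agent cert). Constructed for this
# example only; not Puppet's code.
def issue_cert(key, cn, valid_days, not_before = Time.now, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = rand(2**63)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + valid_days * DAY
  signer = key
  if issuer
    signer = issuer[0]
    cert.issuer = OpenSSL::X509::Certificate.new(issuer[1]).subject
  else
    cert.issuer = cert.subject
  end
  cert.sign(signer, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed CRL signed by the CA, with nextUpdate `next_update_days` ahead.
def make_test_crl(ca_key, ca_pem, next_update_days, now = Time.now)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # CRL v2
  crl.issuer = OpenSSL::X509::Certificate.new(ca_pem).subject
  crl.last_update = now
  crl.next_update = now + next_update_days * DAY
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl.to_pem
end

# Constructed CSR, as an agent would have submitted for its first cert.
def make_test_csr(key, cn)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

# Client-side check: fractional days until notAfter, negative once expired.
def days_until_expiry(cert_pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  (cert.not_after - now) / DAY.to_f
end

# :ok, :renew (within threshold_days of expiry, "within X days" in the thread)
# or :expired (too late for the valid-cert-only renewal path).
def renewal_status(cert_pem, threshold_days, now = Time.now)
  days = days_until_expiry(cert_pem, now)
  return :expired if days <= 0
  return :renew if days <= threshold_days
  :ok
end

# A CRL is only usable if it verifies against the CA key and its nextUpdate
# has not passed. A nextUpdate years ahead is treated as current for that
# whole period, so relying parties have no reason to fetch a fresher list.
def crl_usable?(crl_pem, ca_pem, now = Time.now)
  crl = OpenSSL::X509::CRL.new(crl_pem)
  ca = OpenSSL::X509::Certificate.new(ca_pem)
  crl.verify(ca.public_key) && crl.next_update > now
end

# CA-side check before re-signing: the CSR must be self-consistent and carry
# the same subject and public key as the client's current (still valid) cert,
# so a renewal cannot swap in a different identity or key.
def csr_matches_cert?(csr_pem, cert_pem)
  req = OpenSSL::X509::Request.new(csr_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  req.verify(req.public_key) &&
    req.subject.to_s == cert.subject.to_s &&
    req.public_key.to_der == cert.public_key.to_der
end

if $PROGRAM_NAME == __FILE__
  t0 = Time.now
  ca_key = OpenSSL::PKey::RSA.generate(2048)
  ca_pem = issue_cert(ca_key, 'puppet-ca.example.test', 5 * 365, t0)
  agent_key = OpenSSL::PKey::RSA.generate(2048)
  agent_pem = issue_cert(agent_key, 'agent01.example.test', 365, t0, issuer: [ca_key, ca_pem])
  puts "agent cert: #{days_until_expiry(agent_pem).round} days left -> #{renewal_status(agent_pem, 25)}"
  puts "CA cert:    #{days_until_expiry(ca_pem).round} days left -> #{renewal_status(ca_pem, 25)}"
  puts "CRL usable: #{crl_usable?(make_test_crl(ca_key, ca_pem, 7), ca_pem)}"
  puts "CSR matches cert: #{csr_matches_cert?(make_test_csr(agent_key, 'agent01.example.test'), agent_pem)}"
end
```

The 25-day threshold in the usage section mirrors the renewal cycle Matt mentions; in a periodic client job the `:renew` result is what would trigger the check-in, and `csr_matches_cert?` is the gate the CA-side script should apply before it runs any signing command. The CA cert itself also goes through `renewal_status`, which is the point of Ohad's note: raising the agent TTL does nothing for a CA cert that expires on its own schedule.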
