On Fri, Apr 13, 2012 at 11:40 AM, Chip Schweiss <chip.schwe...@gmail.com> wrote:

> I'm in the process of scaling my puppet master to two servers with a
> separate CA. My plan was to establish a new CA and reissue
> certificates. Part way through the process I noticed a behavior that
> seems a bit alarming.
>
> With one of my clients pointing to the new CA and new Puppetmaster but
> with the old certificate I ran a 'puppetd --test --server puppet01.mydomain'
>
> I was expecting it to fail validation and then regenerate the client
> certificate. However it ran without error.
>
> Thinking maybe it's still hitting the original CA, I backed up and wiped
> the ssl dir on the puppetmaster and restarted the puppetmaster to generate a
> new CA. The client still works. There are no signed certificates for
> this client on either puppetmaster or CA now and it still runs.

Are you sure you're wiping the SSL dir that is actually in use? The master
isn't being started with --no-ca and you have another CA with autosign on?

> Am I missing something about how the puppetmaster decides it's okay to
> talk to a client, or is all the security simply on the client side, and the
> puppetmaster trusts any puppet client?

The agent and master need certs signed by the same CA. Are you positive
this wasn't the case? What puppet version?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.