Thanks Pete, but unfortunately that won't work. The nodes are out of my control, and all I can do is to provide their owners client certs via a web GUI. In addition to that, I would need multiple CAs, as the clients (and puppetmasters) would be destined for different owners, and they shouldn't share the CA.
On Wednesday, February 20, 2013 2:15:33 AM UTC, Pete wrote:

> You might have better luck using something like FreeIPA and using its CA cert and setting up certs for each node and using those as the puppet certs.
>
> This may help.
> http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/
>
> I had a go at setting it up but I am using FreeIPA 3 and the steps need some changing for that so your mileage may vary.
>
>
> On 20 February 2013 06:15, <[email protected]> wrote:
>
>> Dear Felix,
>>
>> I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write a web interface for generating puppetmasters' CAs and client certificates on demand. An example: install 3 puppetmasters with a loadbalancer in front. Use the web interface to generate a CA and certificates for chosen clients (let's say, 10 machines). Deploy such generated CAs on puppetmasters, and relevant bits on puppet clients to authorize them against these puppetmasters. Whenever there's need for change, use that CA via the web interface to add and delete client certificates, redeploy them on puppetmasters and so on. This, while doable via subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to relevant puppet system commands, is an extremely ugly and not flexible solution. I would love to do it via the openssl library, but to do so, I'd need to have a workable way to build CAs and sign (and revoke) client certs via the openssl command - so far I can't reach that goal. I hope this makes more sense now.
>>
>> Regards,
>> S.
>>
>> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>>
>>> On 02/16/2013 12:20 PM, [email protected] wrote:
>>> > after creating CA and client cert and applying them to puppetmaster, it
>>> > complains with:
>>>
>>> Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates?
>>>
>>> If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents.
>>>
>>> Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt. Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
>>>
>>> HTH,
>>> Felix
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
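The in-process CA workflow S. describes (build a CA, sign agent certs, revoke them without shelling out to puppet commands), as an added Python example using the `cryptography` package; it is not code from this thread or from Puppet, and the function names and the one-CA-per-owner layout are this example's own assumptions. It also carries the point made in the reply above that owners must not share a CA: an agent cert issued under one owner's CA fails verification under another's.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
# Added example, not Puppet's code: per-owner CA, agent issuance and revocation, all in-process.
def _issue(subject, issuer, ca_key, days, ca, san=None):
    """New key + cert; ca_key None means self-signed (the CA case), else signed by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=0 if ca else None), critical=True))
    b = b if san is None else b.add_extension(san, critical=False)
    return key, b.sign(key if ca_key is None else ca_key, hashes.SHA256())

def make_ca(owner):
    """One self-signed CA per owner (CA:TRUE, pathlen 0), so owners never share a trust root."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"Puppet CA ({owner})")])
    return _issue(name, name, None, 3650, ca=True)

def sign_agent(ca_key, ca_cert, fqdn):
    """Agent (leaf) cert for fqdn, name bound via SAN, signed by that owner's CA key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    san = x509.SubjectAlternativeName([x509.DNSName(fqdn)])
    return _issue(name, ca_cert.subject, ca_key, 365, ca=False, san=san)

def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL for the owner's CA; redeploy it to the puppetmasters after each revocation."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def issued_by(ca_cert, cert):
    """True only if cert's signature verifies under ca_cert's key: another owner's CA fails."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject

def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

The CA private key is what the web interface must protect; the masters only need the CA certificate and the current CRL, and agents only their own key and certificate.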
