Hi, I think I understood your goal well enough, and it's sound in and of itself, but I believe you have some misconceptions on how to implement this.
First off, so we're on the same page: The CA is your root certificate. It's a self signed certificate shared by all masters. Only the masters have its private key. They use it to sign all other puppet related certificates. A client certificate is generated by a master based on the CA and a certificate signing request from the agent. It's necessary to either a) have the CSR generated agent side, so the agent has the private key generated itself or b) do all the generating master side and implement a secure way to push the agent's private key to the agent Let's cut right to the bottom line: You do *not* want to create new CAs, ever. You make a CA, make sure its private key is well protected, and stick with that. If you need deploy aditional masters at various times, you need a process that will supply them with the CA and its key. I'm not sure wether you can separate the puppet master from the puppet ca network-wise, but if it's possible, it would be infinitely simpler to stick to a monolithic ca server and do only the other agent/master interaction through loadbalancing. I believe that your core problem at the moment is private key management, but that's only a guess. On 02/19/2013 09:15 PM, spankthes...@gmail.com wrote: > Dear Felix, > > I think you're getting it wrong, let me clarify it a bit. The goal of > this is to be able to write web interface for generating puppetmasters > CA's and client certificates on demand. An example: install 3 > puppetmasters with loadbalancer in front. Use web interface to generate > CA and certificates for chosen clients (lets say, 10 machines). Deploy > such generated CA's on puppetmasters, and relevant bits on puppet > clients to authorize them against these puppetmasters. Whenever there's > need for change, use that CA via web interface to add and delete client > certificates, redeploy them on puppetmasters and so on. This, while > doable via Subprocess functions (Python is the language of choice for > me, but that doesnt really matters) and calls to relevant puppet system > commands is extremely ugly and not flexible solution. I would love to do > it via openssl library, but to do so, I'd need to have a workable way to > build CA's and sign (and revoke) client certs via openssl command - so > far I cant reach that goal. I hope this makes more sense now. > > Regards, > S. > > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote: > > On 02/16/2013 12:20 PM, spankt...@gmail.com <javascript:> wrote: > > after creating CA and client cert and applying them to > puppetmaster, it > > complains with: > > Wait, what? You create a new CA, even after agents have already been > certified, then create new agent certificates? > > If your CA changes, you will have to terminate all the (now deprecated) > agent certificates and sign new certificates for all agents. > > Basically, I would expect the outcome you are observing, and you should > just follow the instructions given in your log excerpt. Note that you > are *not* supposed to remove the CA from the master, only the copy of > the agent's certificate. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
