Dear Matt,

On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
>
> I think you're trying to overcomplicate the situation here.
>
> Yes, it's a single point of failure but unfortunately that is not going
> to change anytime between now and maybe 6 months.
>

I am aware of that, and I am fine with that.
 

>
> You do not need multiple CAs to use multiple puppet masters. The
> client needs to have the setting ca_server set to the Puppet Master
> that is the CA. You need to configure that Puppet master with
> ca = true. The puppet masters you create need to be configured with
> ca = false. You can have 300 different puppet masters and each client
> can connect to the different ones as needed.
>

The thing is, the puppetmasters are exposed to puppet clients via a
load balancer, so they actually appear as one puppetmaster; therefore, they
all need to have the same CA installed.
 

>
> If you need to limit which clients can connect to which puppet masters 
> then you should look at the auth.conf file. 
>
> As for a web interface around certificate signing, when each client
> connects into the CA it will submit its request and if autosign is
> turned off it should be set up to wait for the certificate. The web
> interface can be a wrapper around the puppet cert face so you can get
> a list of certificates signed and what's waiting to be signed. You can
> even set it up to revoke or clean out a certificate. You do not need
> to call to the command line to do this either, you can interface with
> the puppet api from rubygems.
>

That, again, would require running a puppetmaster per user, something I
really, really want to avoid.
 

>
>
> On Tue, Feb 19, 2013 at 3:15 PM, <spankt...@gmail.com>
> wrote:
> > Dear Felix, 
> > 
> > I think you're getting it wrong, let me clarify it a bit. The goal of this
> > is to be able to write a web interface for generating puppetmaster CAs and
> > client certificates on demand. An example: install 3 puppetmasters with a
> > load balancer in front. Use the web interface to generate a CA and certificates
> > for chosen clients (let's say, 10 machines). Deploy the generated CAs on the
> > puppetmasters, and the relevant bits on the puppet clients to authorize them
> > against these puppetmasters. Whenever there's a need for change, use that CA
> > via the web interface to add and delete client certificates, redeploy them on
> > the puppetmasters and so on. This, while doable via subprocess functions (Python
> > is the language of choice for me, but that doesn't really matter) and calls
> > to the relevant puppet system commands, is an extremely ugly and inflexible
> > solution. I would love to do it via the openssl library, but to do so, I'd need
> > to have a workable way to build CAs and sign (and revoke) client certs via
> > the openssl command; so far I can't reach that goal. I hope this makes more
> > sense now.
> > 
> > Regards, 
> > S. 
> > 
> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote: 
> >> 
> >> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
> >> > after creating CA and client cert and applying them to puppetmaster, it
> >> > complains with:
> >> 
> >> Wait, what? You create a new CA, even after agents have already been 
> >> certified, then create new agent certificates? 
> >> 
> >> If your CA changes, you will have to terminate all the (now deprecated) 
> >> agent certificates and sign new certificates for all agents. 
> >> 
> >> Basically, I would expect the outcome you are observing, and you should 
> >> just follow the instructions given in your log excerpt. Note that you 
> >> are *not* supposed to remove the CA from the master, only the copy of 
> >> the agent's certificate. 
> >> 
> >> HTH, 
> >> Felix 
> > 
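The workflow S. describes above (build a CA, issue a client certificate per node, revoke it, publish a CRL), driven purely from the openssl command line so a web interface can wrap it without a puppetmaster per user. This is an added example, not code from the thread or from Puppet; the directory layout, CA subject name, key sizes and validity periods are assumptions.

```shell
# Added example (not from the thread): a minimal openssl-command CA that creates
# a CA, signs a client cert per node, revokes it and re-issues the CRL.
make_ca() {  # make_ca DIR : create CA key, self-signed cert, index, serial and CRL in DIR
  mkdir -p "$1/newcerts" && dir=$(cd "$1" && pwd) || return 1
  : > "$dir/index.txt"; echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = puppet_ca
[ puppet_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca_crt.pem
private_key = $dir/ca_key.pem
serial = $dir/serial
default_md = sha256
policy = any_dn
x509_extensions = client_ext
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
EOF
  # Self-signed CA (assumed subject name), then an initial empty CRL
  openssl req -new -x509 -config "$dir/ca.cnf" -extensions ca_ext -days 3650 \
    -newkey rsa:2048 -nodes -subj "/CN=Puppet CA: puppet.example.com" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" 2>/dev/null &&
  openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 -out "$dir/ca_crl.pem" 2>/dev/null
}
sign_client() {  # sign_client DIR NAME : key + CSR for NAME (the agent certname), CA-signed
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -batch -notext -days 365 -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_client() {  # revoke_client DIR NAME : mark NAME revoked in the index, publish a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$1/ca_crl.pem" 2>/dev/null
}
is_valid() {  # is_valid DIR NAME : succeeds only if NAME's cert chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$1/ca_crt.pem" -CRLfile "$1/ca_crl.pem" "$1/$2.crt" >/dev/null 2>&1
}
```

Because every puppetmaster behind the load balancer presents the same CA, the CA certificate and the current CRL are what must be copied to all of them after each change; the index and serial files stay with whatever host drives the signing.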
