Dear Matt,

On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
>
> I think you're trying to overcomplicate the situation here.
>
> Yes, it's a single point of failure, but unfortunately that is not going to change anytime between now and maybe 6 months.
>

I am aware of that, and I am fine with that.

> You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to the Puppet Master that is the CA. You need to configure that Puppet master with ca = true. The puppet masters you create need to be configured with ca = false. You can have 300 different puppet masters and each client can connect to the different ones as needed.
>

The thing is, the puppetmasters are exposed to puppet clients via a loadbalancer, so they actually appear as one puppetmaster; therefore, they all need to have the same CA installed.

> If you need to limit which clients can connect to which puppet masters then you should look at the auth.conf file.
>
> As for a web interface around certificate signing, when each client connects into the CA it will submit its request and if autosign is turned off it should be set up to wait for a certificate. The web interface can be a wrapper around the puppet cert face so you can get a list of certificates signed and what's waiting to be signed. You can even set it up to revoke or clean out a certificate. You do not need to call to the command line to do this either; you can interface with the puppet api from rubygems.
>

That, again, would require running a puppetmaster per user, something I really, really want to avoid.

> On Tue, Feb 19, 2013 at 3:15 PM, <[email protected]> wrote:
> > Dear Felix,
> >
> > I think you're getting it wrong; let me clarify it a bit. The goal of this is to be able to write a web interface for generating puppetmaster CAs and client certificates on demand. An example: install 3 puppetmasters with a loadbalancer in front. Use the web interface to generate a CA and certificates for chosen clients (let's say, 10 machines). Deploy the generated CAs on the puppetmasters, and the relevant bits on the puppet clients to authorize them against these puppetmasters. Whenever there's a need for change, use that CA via the web interface to add and delete client certificates, redeploy them on the puppetmasters and so on. This, while doable via subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to the relevant puppet system commands, is an extremely ugly and inflexible solution. I would love to do it via the openssl library, but to do so I'd need a workable way to build CAs and sign (and revoke) client certs via the openssl command; so far I can't reach that goal. I hope this makes more sense now.
> >
> > Regards,
> > S.
> >
> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
> > >
> > > On 02/16/2013 12:20 PM, [email protected] wrote:
> > > > after creating the CA and client cert and applying them to the puppetmaster, it complains with:
> > >
> > > Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates?
> > >
> > > If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents.
> > >
> > > Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt. Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
> > >
> > > HTH,
> > > Felix
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> > For more options, visit https://groups.google.com/groups/opt_out.
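The part S. says is still missing, a workable way to build a CA and sign and revoke client certificates with the openssl command rather than by shelling out to puppet cert, can be shown with a small POSIX shell script. This is an added example, not code from anyone in the thread and not Puppet's own CA implementation: it assumes the openssl CLI is installed, keeps everything under a hypothetical `$CA_DIR` (a temp directory by default), uses hypothetical function names (`ca_init`, `ca_sign_agent`, `ca_revoke_agent`, `ca_publish_crl`, `ca_verify_agent`, `ca_status`), and uses a constructed CA name. It does not reproduce the puppetmaster's ssldir layout, so the files would still have to be deployed into place; the ca_server and ca = true/false settings Matt describes are puppet.conf settings and are untouched here.

```shell
#!/bin/sh
# Minimal openssl-driven CA: create a CA, sign agent CSRs, revoke, publish a CRL, verify.
# Added example; hypothetical layout under $CA_DIR (defaults to a fresh temp dir).
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key/cert, the 'openssl ca' database files and an initial (empty) CRL.
ca_init() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  : > "$CA_DIR/index.txt"          # certificate database used by 'openssl ca'
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = puppet_ca

[ puppet_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = agent_policy
x509_extensions  = agent_ext
copy_extensions  = none

[ agent_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example Puppet CA (constructed)

[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ agent_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Self-signed CA certificate; the private key stays in $CA_DIR/private.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/openssl.cnf" -extensions ca_ext \
    -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  ca_publish_crl
}

# Generate an agent key + CSR (in practice the CSR comes from the agent) and sign it.
# Arg: agent certname. Produces $CA_DIR/<name>.key, <name>.csr, <name>.crt.
ca_sign_agent() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
    -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt" 2>/dev/null
}

# Regenerate the CRL from the database; clients must see the new CRL for a revoke to bite.
ca_publish_crl() {
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# Mark an agent's certificate revoked in index.txt and publish an updated CRL.
ca_revoke_agent() {
  name="$1"
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$name.crt" 2>/dev/null
  ca_publish_crl
}

# Verify an agent cert against the CA cert and the current CRL (exit 0 = valid).
ca_verify_agent() {
  name="$1"
  openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/ca.crl" \
    "$CA_DIR/$name.crt" >/dev/null 2>&1
}

# Print the database status of an agent cert: V (valid) or R (revoked).
ca_status() {
  awk -F'\t' -v dn="/CN=$1" '$NF == dn { print $1 }' "$CA_DIR/index.txt"
}

# Usage demo when run directly as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  ca_init
  ca_sign_agent agent01
  ca_revoke_agent agent01
  echo "agent01 status: $(ca_status agent01)"   # R after revocation
fi
```

The index.txt/serial/crlnumber trio is the state a web front end would have to protect and serialise access to; signing and revoking concurrently from several workers corrupts it, which is one reason a single CA master (as Matt suggests) is simpler than one per user.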
