Dear Matt,

On Wednesday, February 20, 2013 10:39:51 PM UTC, Matt wrote:
> I run an F5 load balancer with SSL termination at the F5 and I don't
> need to put the CA cert anywhere except the F5. The actual CA signs
> the certs. The CA cert is only really used to authenticate the client
> cert. This gives the appearance to my puppet clients that I only have
> one puppet master when in actuality I have around 4-5 per VIP.

Unfortunately, I don't have F5 available and all I can have is software based load balancing, either in the form of Haproxy (most probably) or Nginx (less probably).

> As for your last part I'm not really seeing how you think you would
> need a puppetmaster per user.

As one puppetmaster can use one CA at a time to sign/revoke certificates, if you'd have multiple users, you would need multiple puppetmasters, to be sure that two (or more) users can use different CAs at the same time to sign/revoke their certs. Using the openssl library and multiple instances of the web app makes that possible, if using openssl to create CAs and sign/revoke certs is possible in the first place.

> On Wed, Feb 20, 2013 at 2:59 PM, <[email protected]> wrote:
> > Dear Matt,
> >
> > On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
> >> I think you're trying to overcomplicate the situation here.
> >>
> >> Yes it's a single point of failure but unfortunately that is not going
> >> to change anytime between now and maybe 6 months.
> >
> > I am aware of that, and I am fine with that.
> >
> >> You do not need multiple CAs to use multiple puppet masters. The
> >> client needs to have the setting ca_server set to the Puppet Master
> >> that is the CA. You need to configure that Puppet master with ca =
> >> true. The puppet masters you create need to be configured with ca =
> >> false. You can have 300 different puppet masters and each client can
> >> connect to the different ones as needed.
> >
> > The thing is, the puppetmasters are exposed to puppet clients via
> > loadbalancer, so they actually appear as one puppetmaster, therefore, they
> > all need to have the same CA installed.
> >
> >> If you need to limit which clients can connect to which puppet masters
> >> then you should look at the auth.conf file.
> >>
> >> As for a web interface around certificate signing, when each client
> >> connects into the CA it will submit its request and if autosign is
> >> turned off it should be set up to wait for a certificate. The web
> >> interface can be a wrapper around the puppet cert face so you can get
> >> a list of certificates signed and what's waiting to be signed. You can
> >> even set it up to revoke or clean out a certificate. You do not need
> >> to call to the command line to do this either, you can interface with
> >> the puppet api from rubygems.
> >
> > That, again, would require running a puppetmaster per user, something I
> > really, really want to avoid.
> >
> >> On Tue, Feb 19, 2013 at 3:15 PM, <[email protected]> wrote:
> >> > Dear Felix,
> >> >
> >> > I think you're getting it wrong, let me clarify it a bit. The goal of this
> >> > is to be able to write a web interface for generating puppetmasters' CAs and
> >> > client certificates on demand. An example: install 3 puppetmasters with a
> >> > loadbalancer in front. Use the web interface to generate a CA and certificates for
> >> > chosen clients (let's say, 10 machines). Deploy such generated CAs on the
> >> > puppetmasters, and relevant bits on puppet clients to authorize them against
> >> > these puppetmasters. Whenever there's need for change, use that CA via the web
> >> > interface to add and delete client certificates, redeploy them on the
> >> > puppetmasters and so on. This, while doable via Subprocess functions (Python
> >> > is the language of choice for me, but that doesn't really matter) and calls
> >> > to relevant puppet system commands, is an extremely ugly and not flexible
> >> > solution. I would love to do it via the openssl library, but to do so, I'd need
> >> > to have a workable way to build CAs and sign (and revoke) client certs via
> >> > the openssl command - so far I can't reach that goal. I hope this makes more
> >> > sense now.
> >> >
> >> > Regards,
> >> > S.
> >> >
> >> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
> >> >> On 02/16/2013 12:20 PM, [email protected] wrote:
> >> >> > after creating CA and client cert and applying them to puppetmaster, it
> >> >> > complains with:
> >> >>
> >> >> Wait, what? You create a new CA, even after agents have already been
> >> >> certified, then create new agent certificates?
> >> >>
> >> >> If your CA changes, you will have to terminate all the (now deprecated)
> >> >> agent certificates and sign new certificates for all agents.
> >> >>
> >> >> Basically, I would expect the outcome you are observing, and you should
> >> >> just follow the instructions given in your log excerpt. Note that you
> >> >> are *not* supposed to remove the CA from the master, only the copy of
> >> >> the agent's certificate.
> >> >>
> >> >> HTH,
> >> >> Felix

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
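The CA workflow the thread keeps circling back to (build a CA, sign client certificates, revoke one and publish a CRL, verify against the CRL) driven purely by the openssl command line, as an added example that is not code from the thread and not Puppet's own CA layout; the temp directory, the "Demo Puppet CA" name and the node names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA in a temp dir, driven by the openssl CLI.
set -e
WORK="$(mktemp -d)"; cd "$WORK"   # scratch dir; remove it when done
make_ca() {
  # Self-contained config: [ req ] for key/CSR creation (no system
  # openssl.cnf needed), [ demo_ca ] for 'openssl ca' sign/revoke/CRL.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 365 -subj "/CN=Demo Puppet CA" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1  # empty CRL
}
sign_client() {  # $1 = node name; yields $1.key and CA-signed $1.crt
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
revoke_client() {  # mark $1.crt revoked in index.txt and reissue the CRL
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
verify_client() {  # 0 if $1.crt chains to ca.crt and is not on the CRL
  openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
}
make_ca; sign_client node1; sign_client node2; revoke_client node2
```

Each user's CA can live in its own directory with its own index.txt/serial/crlnumber, which is the per-CA state a web front end would wrap instead of a per-user puppetmaster.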
