On Friday, November 15, 2013 12:32:45 PM UTC-5, Ken Barber wrote:
>
> > Although if Puppet itself supported multiple CA bundles, this wouldn't
> > happen - I think the fix is more elegant in Puppet as all
> > clients/termini/plugins using their HTTP libraries would just work for
> > multi-ca without each one having to do its own thing.
>
> Specifically, if this supported a colon-separated list of CAs for
> example, or we added a cacert_secondaries option for CAs the
> puppetmaster doesn't manage:
>
> http://docs.puppetlabs.com/references/latest/configuration.html#cacert
>
> Probably needs a bit more architecture and design though, but
> something like this anyway :-).
>

Yeah, I see a difference here between the CA that puppet uses to sign things (which I believe that cacert config is referencing?) vs. the certificate authorities that puppet uses to validate SSL connections to peers. Obviously in the case where a puppet node is just talking to a puppetmaster, we would expect these CAs to be the same. And if they weren't we would probably want an error (which we get now) since this is likely a misconfiguration.

The idea of puppet communicating with other servers, though, brings up the issue of puppet trusting the SSL certificates those other servers are offering up. For Puppet Dashboard we just don't validate the peer (which probably isn't great) -- I think that was just following recommended install instructions. Obviously for puppetdb it is validating the peer, since the indirector/rest.rb stuff uses a configured http client that is set to care about SSL.

Just thinking out loud, perhaps the architectural change here would be to change rest.rb to allow users of that class to specify additional CA certificates. Then puppetdb itself could be configured to use a different ca_file from the one that puppetmaster would use by default.

I'm definitely not sure how this should work, but it does seem important to differentiate between these different types/roles of CA for puppetmaster and to support the concept that other servers that simply need to serve stuff over SSL (and not sign node client certs, etc.) will use different CAs.

Thanks again - Hans
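The distinction the thread draws, between the CA the puppetmaster signs with and a secondary CA that only needs to be trusted for peer validation, can be shown with a plain Ruby OpenSSL trust store. This is an added illustration, not code from the thread or from Puppet; the CA names and the `puppetdb.example.com` host are constructed for the example, and the two stores stand in for a single `cacert` versus a `cacert` plus a hypothetical `cacert_secondaries`.

```ruby
require 'openssl'

# Build a certificate; with issuer_cert nil the cert is self-signed (a root CA).
def make_cert(cn, issuer_cert, issuer_key, key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# A trust store holding one or more CA certificates, i.e. what an HTTP client
# would consult when validating a peer's certificate chain.
def trust_store(*ca_certs)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store
end

# true when the peer certificate chains to a CA in the store, false otherwise.
def peer_trusted?(store, peer_cert)
  store.verify(peer_cert)
end

# Constructed scenario: the puppetmaster's own CA signs agent certs, while a
# separate corporate CA issued the certificate puppetdb serves over SSL.
def multi_ca_demo
  puppet_ca_key = OpenSSL::PKey::RSA.new(2048)
  puppet_ca = make_cert('Puppet CA', nil, puppet_ca_key, puppet_ca_key, ca: true, serial: 1)
  corp_ca_key = OpenSSL::PKey::RSA.new(2048)
  corp_ca = make_cert('Corporate CA', nil, corp_ca_key, corp_ca_key, ca: true, serial: 2)
  db_key = OpenSSL::PKey::RSA.new(2048)
  puppetdb = make_cert('puppetdb.example.com', corp_ca, corp_ca_key, db_key, ca: false, serial: 3)
  {
    puppet_ca_only: peer_trusted?(trust_store(puppet_ca), puppetdb),          # rejected
    with_secondary: peer_trusted?(trust_store(puppet_ca, corp_ca), puppetdb)  # accepted
  }
end
```

With only the puppet CA in the store the puppetdb certificate fails verification, which is the error Hans describes; adding the second CA to the same store is all that is needed for the peer to validate, without touching the CA used for signing.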
