Re: [Puppet Users] puppet CA expired

2011-06-27 Thread Ohad Levy
On Mon, Jun 27, 2011 at 4:52 PM, j...@squirk.org wrote:
> On 16/06/2011 20:12, Nathan Clemons wrote:
>> Thanks. I think having to go out across the board once every 5 years
>> is quite acceptable, although advance warning from the master that
>> it's going to happen would definitely be a good thing.
>>
>> Jean: Kudos to running Puppet for 5 years! :)
>>
>
> Yes, I was planning to install cfengine when the first Puppet appeared. I
> really liked the way of thinking of the creator, which seemed to me a very
> good approach to the issue, so I jumped in.
>
> As I needed to make changes to all the nodes, I simply recreated a 20-year
> CA and got to every node removing the SSL certs, then signed all nodes
> again on the master. If someone knows how to spot a client coming to Puppet
> and failing the SSL handshake, it would help a lot to spot the ones I
> missed, if any! :)
>
One simple way is to look at the Foreman Puppet certificate list.
You can also query it via the API and evaluate the certificate expiry date.

Ohad
>
> regards,
> Jean.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] puppet CA expired

2011-06-27 Thread Charles Johnson
If you keep your nodes in a nodes.pp file, and you are logging nodes as they
check in, you can run a little script that I run from time to time to find
nodes that have stopped communicating:

#!/bin/bash
# Nodes seen checking in: hostnames taken from "Compiled catalog for <fqdn>"
# lines in the master's syslog (adjust the tail line count to the window you
# want to inspect), reduced to the short hostname.
tail -2 /var/log/messages | grep "Compiled catalog for " | tr -s " " |
  cut -f 9 -d " " | cut -f 1 -d "." | sort | uniq > /tmp/nodes_checked_in
# Nodes expected: the quoted names in the node 'fqdn' { ... } declarations.
cut -f 2 -d "'" /etc/puppet/manifests/nodes.pp | cut -f 1 -d "." |
  sort | uniq > /tmp/nodes_expected

echo "< nodes checked in, but not expected  ...  > nodes expected, but not checked in."
diff /tmp/nodes_checked_in /tmp/nodes_expected | grep "[<>]" | sort

~Charles~

On Mon, Jun 27, 2011 at 8:52 AM, j...@squirk.org wrote:

> On 16/06/2011 20:12, Nathan Clemons wrote:
> > Thanks. I think having to go out across the board once every 5 years
> > is quite acceptable, although advance warning from the master that
> > it's going to happen would definitely be a good thing.
> >
> > Jean: Kudos to running Puppet for 5 years! :)
> >
>
> Yes, I was planning to install cfengine when the first Puppet appeared. I
> really liked the way of thinking of the creator, which seemed to me a very
> good approach to the issue, so I jumped in.
>
> As I needed to make changes to all the nodes, I simply recreated a 20-year
> CA and got to every node removing the SSL certs, then signed all nodes
> again on the master. If someone knows how to spot a client coming to Puppet
> and failing the SSL handshake, it would help a lot to spot the ones I
> missed, if any! :)
>
>
> regards,
> Jean.
>




Re: [Puppet Users] puppet CA expired

2011-06-27 Thread j...@squirk.org
On 16/06/2011 20:12, Nathan Clemons wrote:
> Thanks. I think having to go out across the board once every 5 years
> is quite acceptable, although advance warning from the master that
> it's going to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)
>

Yes, I was planning to install cfengine when the first Puppet appeared. I
really liked the way of thinking of the creator, which seemed to me a very
good approach to the issue, so I jumped in.

As I needed to make changes to all the nodes, I simply recreated a 20-year
CA and got to every node removing the SSL certs, then signed all nodes
again on the master. If someone knows how to spot a client coming to Puppet
and failing the SSL handshake, it would help a lot to spot the ones I
missed, if any! :)


regards,
Jean.




RE: [Puppet Users] puppet CA expired

2011-06-16 Thread Jennings, Jared L CTR USAF AFMC 46 SK/CCI
> [master]
> ca_ttl = 20y

Neat trick. By the time it expires you'll be gone! :P




Re: [Puppet Users] puppet CA expired

2011-06-16 Thread Jeff McCune
On Thu, Jun 16, 2011 at 11:12 AM, Nathan Clemons wrote:

> Thanks. I think having to go out across the board once every 5 years is
> quite acceptable, although advance warning from the master that it's going
> to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)
>
>
As an FYI, 5 years is the default.  When you initially create a CA, you may
use the ca_ttl setting to extend this.

[master]
ca_ttl = 20y

-Jeff
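A check for the advance warning Nathan asked for, as an added example that is not code from this thread or from Puppet itself: it reads the CA certificate, computes the days of validity left, and flags it as expiring once inside a warning window, so it can run from cron on the master long before the 5-year (or 20-year) ca_ttl runs out. The CA cert path used in the usage comment (/var/lib/puppet/ssl/ca/ca_crt.pem, what `puppet master --configprint cacert` prints on a typical 2.x master), the 90-day threshold and the function names are assumptions; the sample certificate is constructed inside the block so it runs offline.

```ruby
require 'openssl'

# Whole days of validity left on a PEM X.509 certificate (negative once expired).
def days_until_expiry(cert_pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  ((cert.not_after - now) / 86_400).floor
end

# Classify the CA cert against a warning window: :ok, :expiring or :expired.
# The 90-day default is an assumption; pick whatever lead time a re-signing
# of every node needs in your environment.
def ca_status(cert_pem, warn_days: 90, now: Time.now)
  left = days_until_expiry(cert_pem, now)
  return :expired if left < 0
  left <= warn_days ? :expiring : :ok
end

# Constructed self-signed sample CA with a chosen validity window, so the check
# can run offline; on a real master read the file named by the cacert setting.
def sample_ca_pem(not_before, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: sample')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Usage on a master: ruby ca_expiry_check.rb /var/lib/puppet/ssl/ca/ca_crt.pem
# (assumed path; `puppet master --configprint cacert` prints the real one).
# A non-zero exit lets cron or a monitoring check raise the warning.
unless ARGV.empty?
  pem = File.read(ARGV[0])
  puts "#{ARGV[0]}: #{ca_status(pem)}, #{days_until_expiry(pem)} days left"
  exit(ca_status(pem) == :ok ? 0 : 1)
end
```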




Re: [Puppet Users] puppet CA expired

2011-06-16 Thread Nathan Clemons
Thanks. I think having to go out across the board once every 5 years is
quite acceptable, although advance warning from the master that it's going
to happen would definitely be a good thing.

Jean: Kudos to running Puppet for 5 years! :)

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community



On Thu, Jun 16, 2011 at 11:09 AM, Jacob Helwig  wrote:

> 5 years, IIRC.
>
> --
> Jacob Helwig
>
> On Thu, 16 Jun 2011 11:03:49 -0700, Nathan Clemons wrote:
> >
> > What's the length of time on the CA cert?
> >
> > On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig 
> wrote:
> >
> > > On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
> > > >
> > > > hi,
> > > >
> > > >   My Puppet CA expired. Does anyone know how to solve the problem and
> > > > extend the validity of the CA? I mean without recreating one and going
> > > > on each node to change the certs (that is what Puppet is made to
> > > > prevent, going to each node ^^)
> > > >
> > >
> > > Pretty sure you can't actually extend the validity of the CA cert.
> > >
> > > Unfortunately, I don't think there's much that can be done at this
> > > point without touching each node.
> > >
> > > I did open up #7962[1] so we can work out exactly what the safety net
> > > should look like to help prevent this from happening to other people.
> > >
> > > [1] http://projects.puppetlabs.com/issues/7962
> > >
>




Re: [Puppet Users] puppet CA expired

2011-06-16 Thread Jacob Helwig
5 years, IIRC.

-- 
Jacob Helwig

On Thu, 16 Jun 2011 11:03:49 -0700, Nathan Clemons wrote:
> 
> What's the length of time on the CA cert?
> 
> On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig  wrote:
> 
> > On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
> > >
> > > hi,
> > >
> > >   My Puppet CA expired. Does anyone know how to solve the problem and
> > > extend the validity of the CA? I mean without recreating one and going
> > > on each node to change the certs (that is what Puppet is made to
> > > prevent, going to each node ^^)
> > >
> >
> > Pretty sure you can't actually extend the validity of the CA cert.
> >
> > Unfortunately, I don't think there's much that can be done at this point
> > without touching each node.
> >
> > I did open up #7962[1] so we can work out exactly what the safety net
> > should look like to help prevent this from happening to other people.
> >
> > [1] http://projects.puppetlabs.com/issues/7962
> >




Re: [Puppet Users] puppet CA expired

2011-06-16 Thread Nathan Clemons
What's the length of time on the CA cert?

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community



On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig  wrote:

> On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
> >
> > hi,
> >
> >   My Puppet CA expired. Does anyone know how to solve the problem and
> > extend the validity of the CA? I mean without recreating one and going
> > on each node to change the certs (that is what Puppet is made to
> > prevent, going to each node ^^)
> >
> >
> > regards,
> > Jean.
> >
>
> Pretty sure you can't actually extend the validity of the CA cert.
>
> Unfortunately, I don't think there's much that can be done at this point
> without touching each node.
>
> I did open up #7962[1] so we can work out exactly what the safety net
> should look like to help prevent this from happening to other people.
>
> [1] http://projects.puppetlabs.com/issues/7962
>
> --
> Jacob Helwig
>




Re: [Puppet Users] puppet CA expired

2011-06-16 Thread Jacob Helwig
On Tue, 14 Jun 2011 17:01:20 +0200, j...@squirk.org wrote:
> 
> hi,
> 
>   My Puppet CA expired. Does anyone know how to solve the problem and
> extend the validity of the CA? I mean without recreating one and going
> on each node to change the certs (that is what Puppet is made to
> prevent, going to each node ^^)
> 
> 
> regards,
> Jean.
> 

Pretty sure you can't actually extend the validity of the CA cert.

Unfortunately, I don't think there's much that can be done at this point
without touching each node.

I did open up #7962[1] so we can work out exactly what the safety net
should look like to help prevent this from happening to other people.

[1] http://projects.puppetlabs.com/issues/7962

-- 
Jacob Helwig

