Hi all,

These problems keep cropping up, and it seems like we need a more  
comprehensive solution.

The current 'master' branch has permission problems in puppetmasterd  
(as implied), and it's basically a race condition that shows up again  
and again.

The server needs to do these things:

- Create the CA certificate (owned by 'puppet')
- Create and sign the host certificate (owned by root)
- Read in the host cert and key
- Change UIDs to 'puppet'

It's far more difficult than one might think to get this all correct,  
at least in a way that stays correct over multiple releases.

In particular, the server doesn't usually attempt to read in its certs  
until the last minute, far past the time when we've switched to  
running as 'puppet'.  So, even if the cert is already there, the  
server can't read it.

Anyone have any bright ideas for systematically solving this problem?

Should we, like we've done with filebuckets and yaml dirs, have  
separate SSL directories for client and server?  This is somewhat  
problematic, in that we'd need to duplicate the host cert in both  
locations, and really, the server host cert is the only cert that  
would be in the server-side cert collection (since the CA is its own  
collection).

Or should we just special-case it all the time in the server, making  
sure the cert exists and is read in before we chuser?
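As an added illustration (not code from the mail or from Puppet itself), this Ruby sketch shows the startup order the second option implies: all root-only certificate I/O happens and the cert and key are held in memory before the switch to 'puppet', and the switch is checked to be irreversible. The ssl directory layout (certs/host.pem, private_keys/host.pem) and the function names are assumptions for this example.

```ruby
require 'etc'
require 'fileutils'
require 'tmpdir'
# Startup order that avoids the race from the mail: everything the server
# must open as root (host cert, private key) is read into memory first, and
# only then does the process switch to 'puppet'. The ssl_dir layout
# (certs/host.pem, private_keys/host.pem) is assumed for this example.
def load_then_drop(ssl_dir, user: 'puppet')
  steps = []
  cert_path = File.join(ssl_dir, 'certs', 'host.pem')
  key_path  = File.join(ssl_dir, 'private_keys', 'host.pem')
  # 1. Create-and-sign would happen here, still as root; the example only
  #    requires that the signed host cert already exists.
  raise "host cert missing: #{cert_path}" unless File.exist?(cert_path)
  # 2. Read cert and key while root can still open a root-owned 0600 file.
  cert_pem = File.read(cert_path)
  key_pem  = File.read(key_path)
  steps << :read_certs
  # 3. Drop privileges permanently (change_privilege uses setresuid/setresgid),
  #    supplementary groups and GID before UID. Skipped when not root so the
  #    example also runs unprivileged.
  if Process.euid.zero?
    begin
      pw = Etc.getpwnam(user)
      Process.initgroups(user, pw.gid)
      Process::GID.change_privilege(pw.gid)
      Process::UID.change_privilege(pw.uid)
      begin # sanity check: regaining root must now fail
        Process::UID.change_privilege(0)
        raise 'privilege drop was reversible'
      rescue Errno::EPERM
        steps << :dropped_privs
      end
    rescue ArgumentError # no such user on this host
      steps << :no_such_user
    end
  else
    steps << :not_root_skipped_drop
  end
  { steps: steps, cert: cert_pem, key: key_pem }
end
# Constructed sample layout so the example runs offline (not real PEM data).
def sample_ssl_dir
  dir = File.join(Dir.tmpdir, "puppet-ssl-example-#{Process.pid}")
  FileUtils.mkdir_p([File.join(dir, 'certs'), File.join(dir, 'private_keys')])
  File.write(File.join(dir, 'certs', 'host.pem'), "-----BEGIN CERTIFICATE-----\nconstructed\n")
  File.write(File.join(dir, 'private_keys', 'host.pem'), "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n", perm: 0600)
  dir
end
```

Run as root with a 'puppet' account present, the process ends up as 'puppet' with the key material already loaded; run unprivileged, it only performs the read step.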

-- 
Trying to determine what is going on in the world by reading
newspapers is like trying to tell the time by watching the second
hand of a clock. --Ben Hecht
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

