Is there a way to disable SSL altogether for testing?

-Chris

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Fri, Mar 12, 2010 at 2:53 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
> Is there a way to disable SSL altogether for testing?

I would use the puppet executable for testing/evaluation. It removes the need to even have a server.

Reason I am asking is I am having a bunch of SSL issues in production right now, I need to disable SSL until I get things fixed.

On Fri, Mar 12, 2010 at 5:57 PM, Dan Bode <dan@reductivelabs.com> wrote:
> On Fri, Mar 12, 2010 at 2:53 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
>> Is there a way to disable SSL altogether for testing?
>
> I would use the puppet executable for testing/evaluation. It removes the need to even have a server.

On 12/03/10 2:58 PM, Christopher Johnston wrote:
> Reason I am asking is I am having a bunch of SSL issues in production right now, I need to disable SSL until I get things fixed.

You can't disable SSL as client/server relies on it. What are your issues and perhaps we can solve those?

Regards

James Turnbull

--
Author of:
* Pro Linux System Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)

On Fri, 12 Mar 2010, Christopher Johnston wrote:
> Reason I am asking is I am having a bunch of SSL issues in production right now, I need to disable SSL until I get things fixed.

As a workaround, perhaps you could use the standalone compile/apply feature (new in 0.25); see <http://reductivelabs.com/trac/puppet/wiki/ReleaseNotes#command-line-compile-apply>.

--apb (Alan Barrett)

Sorry for the late response. That feature looks attractive, but not feasible at this state. I am still running .24 version of puppet which is working great (although performance could be slightly better!) and I wasn't looking to do an upgrade to .25 for at least a month or two as bugs iron out.

Essentially my setup consists of a central git server and a puppetmaster in our main site. In my remote locations I have two puppetmasters running in a cluster using a VIP for its IP address. Since the physical hostname could potentially change during a failover situation along with the keys not being there (I could put the ssl certs on shared storage or sync them from hostA to hostB via rsnapshot via cron) I will end up running into issues with the certs.

The question I have is what is the best way to manage SSL certs in a more distributed fashion by using a shared certificate. I don't want to rely on a single instance of puppetmasterd to provide certs as that is a SPOF to me and since my remote sites are distant on the network my preference is to use the local hostA and hostB servers as puppetmasters and ssl servers with direct git clones (git pull when a major commit is tested in development/lab). I also use autosign so certs get created on demand.

-Chris

On Sat, Mar 13, 2010 at 5:50 AM, Alan Barrett <apb@cequrux.com> wrote:
> On Fri, 12 Mar 2010, Christopher Johnston wrote:
>> Reason I am asking is I am having a bunch of SSL issues in production right now, I need to disable SSL until I get things fixed.
>
> As a workaround, perhaps you could use the standalone compile/apply feature (new in 0.25); see
> <http://reductivelabs.com/trac/puppet/wiki/ReleaseNotes#command-line-compile-apply>.
>
> --apb (Alan Barrett)

On Sat, Mar 13, 2010 at 8:43 AM, Christopher Johnston <chjohnst@gmail.com> wrote:
> Sorry for the late response. That feature looks attractive, but not feasible at this state. I am still running .24 version of puppet which is working great (although performance could be slightly better!) and I wasn't looking to do an upgrade to .25 for at least a month or two as bugs iron out.
>
> Essentially my setup consists of a central git server and a puppetmaster in our main site. In my remote locations I have two puppetmasters running in a cluster using a VIP for its IP address. Since the physical hostname could potentially change during a failover situation along with the keys not being there (I could put the ssl certs on shared storage or sync them from hostA to hostB via rsnapshot via cron) I will end up running into issues with the certs.

Are you using environments with this setup? You're going to have undesirable side effects if you are with 0.24.x and a VIP.

> The question I have is what is the best way to manage SSL certs in a more distributed fashion by using a shared certificate. I don't want to rely on a single instance of puppetmasterd to provide certs as that is a SPOF to me and since my remote sites are distant on the network my preference is to use the local hostA and hostB servers as puppetmasters and ssl servers with direct git clones (git pull when a major commit is tested in development/lab). I also use autosign so certs get created on demand.

Is a subject altname on the SSL cert with wildcards for your domain acceptable?

--
nigel

No I am not using environments with this setup, curious on how that would make a difference if the module base is identical for all of my production hosts.

By using a subject altname on the cert would that allow for a distributed certificate for all my hosts in that specific environment. Since each datacenter has its own two puppetmasters they also have their own dns domain suffix so that could work.

On Sat, Mar 13, 2010 at 11:47 AM, Nigel Kersten <nigelk@google.com> wrote:
> Are you using environments with this setup? You're going to have undesirable side effects if you are with 0.24.x and a VIP.
>
> Is a subject altname on the SSL cert with wildcards for your domain acceptable?

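How a TLS client decides whether a certificate's subject alternative names cover the name it connected to, for the subject altname approach discussed above. This is an added example, not part of the original thread and not Puppet's own code: the hostnames (a VIP plus hostA/hostB under a per-datacenter suffix) are constructed placeholders, and the matcher is a simplified version of the RFC 6125 rules.

```python
# Added illustration (not from the thread). Hostnames are constructed
# placeholders; example.com is reserved for documentation.


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Return True if one dNSName SAN entry covers `hostname`.

    Simplified RFC 6125 rules: a wildcard must be the entire left-most label,
    stands for exactly one label, and needs two or more fixed labels after it.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in h + p[1:]):
        return False  # wildcards are only valid in the left-most SAN label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "host*" are rejected
    return p == h


def matching_sans(san_list, hostname):
    """Return the SAN entries that would let a client accept `hostname`."""
    return [san for san in san_list if san_matches(san, hostname)]


# The cluster described in the thread: two masters behind one VIP name, in a
# datacenter that has its own DNS suffix.
VIP = "puppet.dc1.example.com"
HOST_A = "hosta.dc1.example.com"
HOST_B = "hostb.dc1.example.com"
OTHER_DC = "hosta.dc2.example.com"      # a master in another datacenter
UNRELATED = "db01.dc1.example.com"      # some other machine in the same domain

CERT_DESIGNS = {
    "hostname-only": [HOST_A],
    "explicit-sans": [VIP, HOST_A, HOST_B],
    "wildcard-san": ["*.dc1.example.com"],
}


def coverage(designs, names):
    """Map each certificate design to the names a client would accept it for."""
    return {
        design: [n for n in names if matching_sans(sans, n)]
        for design, sans in designs.items()
    }


if __name__ == "__main__":
    names = [VIP, HOST_A, HOST_B, OTHER_DC, UNRELATED]
    for design, accepted in coverage(CERT_DESIGNS, names).items():
        print(f"{design:14} accepted for: {', '.join(accepted)}")
```

The wildcard design survives failover between the two masters, but it also validates for every other name under that suffix, so anyone holding the shared key can present it as any host in the datacenter's domain; listing the VIP and both hostnames explicitly keeps the certificate scoped to the cluster.
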
On Sat, Mar 13, 2010 at 11:33 AM, Christopher Johnston <chjohnst@gmail.com> wrote:
> No I am not using environments with this setup, curious on how that would make a difference if the module base is identical for all of my production hosts.

This probably explains it better.

http://projects.reductivelabs.com/issues/1557

The point is exactly that the module base isn't the same for different environments.

> By using a subject altname on the cert would that allow for a distributed certificate for all my hosts in that specific environment. Since each datacenter has its own two puppetmasters they also have their own dns domain suffix so that could work.

If you front Puppet with Apache per the Mongrel instructions and set the SSLCipherSuite to 'NULL' in Apache, then it will turn off all encryption.

Trevor

On 03/12/2010 05:57 PM, Dan Bode wrote:
> On Fri, Mar 12, 2010 at 2:53 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
>> Is there a way to disable SSL altogether for testing?
>
> I would use the puppet executable for testing/evaluation. It removes the need to even have a server.

--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)

-- This account not approved for unencrypted sensitive information --

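A defender's check for the setting mentioned above, as an added example that is not part of the original thread: it scans an Apache configuration for `SSLCipherSuite` values that leave NULL-encryption suites enabled, which means traffic is still authenticated but travels in cleartext. The sample configuration and function names are constructed, and the cipher-string handling is a simplified, conservative model of OpenSSL's rules.

```python
import re
import shlex

# Added illustration (not from the thread): a simplified, conservative model of
# how OpenSSL reads a cipher string, used to audit Apache SSLCipherSuite lines.

# Aliases that select every suite with no encryption ("NULL" is the same as "eNULL").
NULL_ALIASES = {"NULL", "ENULL"}


def _adds_null_encryption(spec):
    """True if a cipher-string element names suites that do not encrypt."""
    parts = spec.upper().split("+")          # "A+B" means suites in both A and B
    if any(p in NULL_ALIASES or p == "COMPLEMENTOFALL" for p in parts):
        return True
    # Individual suite names, e.g. NULL-SHA or ECDHE-RSA-NULL-SHA.
    return len(parts) == 1 and "NULL" in parts[0].split("-")


def null_encryption_enabled(cipher_string):
    """Return True if the cipher string leaves NULL-encryption suites enabled."""
    enabled = killed = False
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        spec = token[len(op):]
        if op in ("!", "-"):
            if spec.upper() in NULL_ALIASES:
                if op == "!":
                    killed = True    # "!" removes permanently; nothing re-adds later
                else:
                    enabled = False  # "-" removes, but a later element may add again
        elif op == "" and _adds_null_encryption(spec):
            enabled = True
        # A leading "+" only reorders suites already selected; it adds nothing.
    return enabled and not killed


DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE)


def audit_apache_config(text):
    """Return (line_number, cipher_string) for each directive that allows cleartext."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comments and other directives
        try:
            args = shlex.split(match.group(1))
        except ValueError:
            args = match.group(1).split()
        # The cipher list is the last argument; an optional protocol may precede it.
        if args and null_encryption_enabled(args[-1]):
            findings.append((lineno, args[-1]))
    return findings


# Constructed sample configuration; ports and cipher strings are illustrative.
SAMPLE = """\
# Constructed sample configuration
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite NULL
</VirtualHost>
<VirtualHost *:8141>
    SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5
</VirtualHost>
<VirtualHost *:8142>
    SSLCipherSuite HIGH:NULL-SHA
</VirtualHost>
<VirtualHost *:8143>
    SSLCipherSuite "eNULL:HIGH:!eNULL"
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, cipher in audit_apache_config(SAMPLE):
        print(f"line {lineno}: NULL-encryption suites enabled by {cipher!r}")
```
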
Yea right now I am not using environments, I would like to move to either passenger or mongrel for a more scalable setup (although I have heard mongrel has issue with memory leaks).

On Sun, Mar 14, 2010 at 1:53 PM, Nigel Kersten <nigel@explanatorygap.net> wrote:
> This probably explains it better.
>
> http://projects.reductivelabs.com/issues/1557
>
> The point is exactly that the module base isn't the same for different environments.

I will keep that in mind, ideally I would like to keep SSL in place for security purposes I was really looking for a quick hack/slash to disable SSL for the time being just to get past some auth issues.

Longer term though from a scalability POV, I will in the end have over 24-30 puppetmasters across my environment in various datacenters so SSL management, redundancy and performance are some big concerns.

What is the preferred approach to handling this? Seems mongrel is the preferred setup? or passenger?

-Chris

On Sun, Mar 14, 2010 at 8:16 PM, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
> If you front Puppet with Apache per the Mongrel instructions and set the SSLCipherSuite to 'NULL' in Apache, then it will turn off all encryption.
>
> Trevor

ssl has nothing to do with mongrel or passenger, as ssl is handled in apache (or nginx).

as far as it goes for SSL, you have two options:
1. a single CA
2. CA chain hierarchy.

the first option is simple, one of your puppetmasters will be your CA, and every sign will run on it, you would require it for any new certs that are introduced to your setup.

the second option works as well, and is described at http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability under Centralised_Puppet_Infrastructure

if you can afford using a single machine for signing your certs, I would recommend you going to option 1 (as someone using option 2 for a few years now).

Cheers,
Ohad

On Mon, Mar 15, 2010 at 11:10 PM, Christopher Johnston <chjohnst@gmail.com> wrote:
> I will keep that in mind, ideally I would like to keep SSL in place for security purposes I was really looking for a quick hack/slash to disable SSL for the time being just to get past some auth issues.
>
> Longer term though from a scalability POV, I will in the end have over 24-30 puppetmasters across my environment in various datacenters so SSL management, redundancy and performance are some big concerns.
>
> What is the preferred approach to handling this? Seems mongrel is the preferred setup? or passenger?
>
> -Chris
>
> On Sun, Mar 14, 2010 at 8:16 PM, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
>> If you front Puppet with Apache per the Mongrel instructions and set the SSLCipherSuite to 'NULL' in Apache, then it will turn off all encryption.
>>
>> Trevor
On Mar 15, 2010, at 8:26 AM, Ohad Levy wrote:
> ssl has nothing to do with mongrel or passenger, as ssl is handled in apache (or nginx).
>
> as far as it goes for SSL, you have two options:
> 1. a single CA
> 2. CA chain hierarchy.
>
> the first option is simple, one of your puppetmasters will be your CA, and every sign will run on it, you would require it for any new certs that are introduced to your setup.
>
> the second option works as well, and is described at http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability under Centralised_Puppet_Infrastructure

What about creating one certificate authority using puppet and then manually copying to all the servers as a temporary solution? The two problems I see are:

1) The CRL doesn't work due to duplicate serial numbers.
2) Not having the server's real name in the root might be a problem if all your clients don't use just puppet for the hostname.

Is this actually likely to work?

> if you can afford using a single machine for signing your certs, I would recommend you going to option 1 (as someone using option 2 for a few years now).
>
> Cheers,
> Ohad
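The first problem listed in the message above, shown as an added example that is not part of the original thread: a CRL names revoked certificates by serial number, so copies of one CA that each count serials on their own end up revoking each other's hosts. The `serial not-before not-after /CN=subject` line layout, the hostnames and the dates are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Assumed layout of one inventory line: serial, not-before, not-after, subject.
INVENTORY_LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+/CN=(\S+)$")

# Constructed sample data: two masters that each got a copy of the same CA
# (key, certificate, serial counter) and then signed agents independently.
INVENTORIES = {
    "master-a": """\
0x0001 2010-03-12T00:00:00GMT 2015-03-11T00:00:00GMT /CN=puppet
0x0002 2010-03-15T09:00:00GMT 2015-03-14T09:00:00GMT /CN=web01.example.com
0x0003 2010-03-15T09:05:00GMT 2015-03-14T09:05:00GMT /CN=db01.example.com
""",
    "master-b": """\
0x0001 2010-03-12T00:00:00GMT 2015-03-11T00:00:00GMT /CN=puppet
0x0002 2010-03-15T11:00:00GMT 2015-03-14T11:00:00GMT /CN=app01.example.com
0x0003 2010-03-15T11:30:00GMT 2015-03-14T11:30:00GMT /CN=web02.example.com
0x0004 2010-03-16T08:00:00GMT 2015-03-15T08:00:00GMT /CN=cache01.example.com
""",
}


def parse_inventory(text):
    """Return [(serial, subject, not_before)] for one master's inventory."""
    certs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = INVENTORY_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised inventory entry")
        certs.append((int(m.group(1), 16), m.group(4), m.group(2)))
    return certs


def serial_collisions(inventories):
    """Map each serial that names more than one certificate to its subjects."""
    by_serial = defaultdict(set)
    for text in inventories.values():
        for serial, subject, not_before in parse_inventory(text):
            # The certificate copied along with the CA has the same subject and
            # dates on every master, so it collapses to one entry here.
            by_serial[serial].add((subject, not_before))
    return {serial: sorted(subject for subject, _ in certs)
            for serial, certs in by_serial.items() if len(certs) > 1}


def collateral_revocations(inventories, subject):
    """Other hosts that a CRL entry for `subject` would revoke as well."""
    # A CRL entry carries only the serial number, so every certificate from the
    # same issuer with that serial is rejected along with the intended one.
    hit = set()
    for subjects in serial_collisions(inventories).values():
        if subject in subjects:
            hit.update(s for s in subjects if s != subject)
    return hit


if __name__ == "__main__":
    for serial, subjects in sorted(serial_collisions(INVENTORIES).items()):
        print(f"serial {serial:#06x} issued to: {', '.join(subjects)}")
    print("revoking web01.example.com also revokes:",
          sorted(collateral_revocations(INVENTORIES, "web01.example.com")))
```

Running the same comparison over the real inventories of every master that holds a copy of the CA shows which serials are already ambiguous before any certificate is revoked.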
Yes, I am aware that by going with mongrel/passenger as it will be handled by mod_ssl. I set up mongrel in my lab today, didn't take much to get going (puppet wiki was VERY helpful). Unfortunately passenger doesn't look to be packaged up other than in a gem (didn't investigate further than a quick check).

I am not sure option 1) would be the best thing for me to use considering I have a very diverse environment that scales out to quite a few datacenters. That seems like it would be a single point of failure for me in the event the SSL server cannot be reached (network outage, power, etc). I run a stateless environment that has a pretty big production dependency on puppet.

I think I may look into option 2) with a CA chain hierarchy (using the wiki centralised puppet infrastructure setup on the wiki). More to come tomorrow if I get stuck!

-Chris
If you're using Red Hat/Fedora flavors of Linux, you can use Kanarip's Repository to get mod_passenger and other rubygem rpm repackagings - http://www.kanarip.com/custom/