Hi, I've just started using puppet and I have a couple of questions about the SSL capabilities.

1) Can I use my own certs or do I have to use the ones provided by puppetmaster?

2) How can I set the "Not Before" time to be now instead of a few hours from now?

Thanks!

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Wed, Jan 17, 2007 at 11:53:12AM -0800, Robert Mombro wrote:
> I've just started using puppet and I have a couple of questions about the SSL capabilities.
>
> 1) Can I use my own certs or do I have to use the ones provided by
> puppetmaster?

You can use your own. Just drop the relevant files into the correct locations and everything works nicely.

> 2) How can I set the "Not Before" time to be now instead of a few hours
> from now?

The 'Not Before' time works fine for me. Do you perhaps have timezone or clock setting issues?

- Matt
Matt,

Thanks for the reply. So, if I wanted to completely move away from using the puppet CA, could I? It appears to me that whenever puppet detects a discrepancy with part of the CA structure, including the certs, it regenerates the offending portions. For instance, I had my hostname set to puppet and the cert was generated as I wanted it. When I then changed the local hostname to test, the certificate was regenerated for test even though the DNS entry for the IP was set at puppet.

On the timezone issue: It may be the case that puppet is generating off of GMT and I have my /etc/timezone file set to a different time. That might explain the difference. Does puppet use the native system time or the GMT offset?

Thank you,
-- Rob

----- Original Message ----
From: Matthew Palmer <mpalmer@hezmatt.org>
To: puppet-users@madstop.com
Sent: Wednesday, January 17, 2007 4:45:14 PM
Subject: Re: [Puppet-users] SSL Questions
On Thu, Jan 18, 2007 at 05:22:51AM -0800, Robert Mombro wrote:
> So, if I wanted to completely move away from using the puppet CA, could I?

Yes.

> For instance, I had my hostname set to puppet and the cert was generated
> as I wanted it. When I then changed the local hostname to test, the
> certificate was regenerated for test even though the DNS entry for the IP
> was set at puppet.

Puppet uses the 'hostname' and 'domain' facts to determine the certificate name it needs. If you change hostname, though, Puppet thinks it needs a different certificate. There's a lot of code involved in working out those values (see facter.rb), so facter may or may not be extracting that info from DNS or other sources.

> On the timezone issue: It may be the case that puppet is generating off
> of GMT and I have my /etc/timezone file set to a different time. That
> might explain the difference. Does puppet use the native system time or
> the GMT offset?

I have no idea what you're asking here. Shouldn't the system time and the time obtained by taking UTC and adding the "GMT offset" be the same thing?

All I know is that, if your clock is wrong, then your certs get stuffed up. Seen it here a bunch of times, since the clock is synced using NTP (I *heart* NTP), NTP is installed using Puppet, and Puppet generates certs that include the clock time, which isn't guaranteed to be right until it gets synced using NTP, but NTP is installed by Puppet... and so forth.

Most frustrating failure: The local install idio^Wtech set the clock on a machine during install (through the BIOS), but "accidentally" set the year to next year (though everything else was correct). Puppet wasn't playing SSL ball, so we examined the cert by hand, and saw that the date/time was right on (we get that sort of problem regularly enough) -- until we looked closer at the year...

- Matt
--
When all you have is a nailgun, every problem looks like a messiah.
-- Iain Chalmers, ASR
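An added check, not from this thread and not Puppet's own code, that exercises the two failure modes Matt describes: a certificate whose "Not Before" lies in the future relative to the local clock (skewed clock on the issuing or checking side, including the wrong-year case), and a certificate whose CN does not match the name Puppet derives from its hostname/domain facts. It uses Ruby's stdlib OpenSSL; make_cert and check_cert are constructed helpers, the clock is injectable so a skewed time can be simulated, and the names 'puppet' and 'test' are the ones from the thread.

```ruby
require 'openssl'
require 'time'

# Constructed helper: build a self-signed cert with a chosen validity window,
# so the checker below has something realistic to inspect (assumption: not
# how Puppet's CA builds certs, just a stand-in).
def make_cert(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Returns a list of problems; an empty list means the cert is usable now.
# expected_cn: the name the client will present (its hostname/domain facts).
# now: injectable so the check can be run against a simulated skewed clock.
def check_cert(cert, expected_cn, now = Time.now)
  problems = []
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  unless cn == expected_cn
    problems << "CN #{cn.inspect} does not match expected #{expected_cn.inspect}"
  end
  if cert.not_before > now
    skew_h = ((cert.not_before - now) / 3600.0).round(1)
    problems << "not_before is #{skew_h}h in the future (clock skew on issuer or client?)"
  end
  if cert.not_after < now
    problems << "certificate expired at #{cert.not_after.utc.iso8601}"
  end
  problems
end

if __FILE__ == $0
  now = Time.now
  # Reproduce the "Not Before is a few hours from now" symptom from the thread.
  demo = make_cert('puppet', now + 3 * 3600, now + 365 * 86400)
  puts check_cert(demo, 'puppet', now)
end
```

To check a real file, load it with OpenSSL::X509::Certificate.new(File.read(path)) and pass it to check_cert with the hostname Puppet reports.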