On May 23, 2007, at 1:47 PM, Ryan Dooley wrote:
> This is going to sound kind of oddball but would it be possible to
> have options for disabling SSL? :-)
It would be difficult, and I don't think it's necessary for what you
want here.
> At some point I'm going to want to move my production puppetmaster
> to a newer host and the IP and hostname for the puppetmaster will
> change. I have tools to go out and force every client to re-register
> itself with a newer puppetmaster but I'd like the ability to, on the
> fly, tell puppet not to concern itself with certification (my
> networks and hosts, my responsibility).
>
> I see that I could probably trick puppet/network/client.rb to think
> that my local ruby doesn't have SSL defined, but I'd rather have a
> flag or something.
You should be able to pretty easily move servers -- client/server
authentication is based on a single cert trust domain, so as long as
you keep the same CA cert, and thus the same trust domain, you should
be fine.
If you want to do a clean cut-over, move your CA cert to the new
server when you cut over. Otherwise, you can configure the clients
to hit the old server with --caserver <name> until you're ready for
the cut-over. In this case, start the new server with --noca so it
doesn't create a new trust domain.
This is one of the big reasons to use SSL Certs instead of
mutual-trust key pairs like Cfengine and SSH use -- you build a trust
domain, and once you have a key you can talk to anyone. You don't
have to worry about building trust between individual nodes.
Make sense?
--
The covers of this book are too far apart. -- Ambrose Bierce
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
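The check a migration like the one above hinges on is that the CA cert on the new server is the same one the clients already trust; this is an added shell example, not code from the thread or from Puppet, that compares two CA certs by fingerprint and verifies a client cert still chains to the copied CA before `puppetmasterd --noca` is started. It assumes `openssl` is installed; the certificate paths, the `old-master` host name and the sample PKI it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes openssl is installed.

# Print the SHA-256 fingerprint of a PEM certificate (hex, colon separated).
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when two CA certs define the same trust domain (same fingerprint).
same_trust_domain() {
    [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

# Return 0 when the client cert was issued by the given CA, i.e. the client
# will still be accepted by a server that trusts that CA.
client_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-cut-over check on the new host: the CA cert copied from the old master
# must match the old one, and an existing client cert must chain to it.
# Only then is it safe to start the new server with --noca.
cutover_check() {
    same_trust_domain "$1" "$2" ||
        { echo "CA mismatch: the new server would create a new trust domain" >&2; return 1; }
    client_chains_to_ca "$2" "$3" ||
        { echo "client cert was not issued by this CA" >&2; return 1; }
    echo "same trust domain; safe to start puppetmasterd --noca"
}

# Constructed sample PKI: a throwaway CA plus one client cert signed by it.
make_sample_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: old-master" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1.example.com" \
        -keyout "$dir/client_key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca_crt.pem" \
        -CAkey "$dir/ca_key.pem" -CAcreateserial -days 1 \
        -out "$dir/client_crt.pem" 2>/dev/null
}
```

Run `cutover_check OLD_CA NEW_CA CLIENT_CERT` on the new host after copying the CA directory over; a non-zero exit means the new server would not be in the clients' trust domain.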