Hi,

Does anyone know how, why, and which part of puppet might decide to
regenerate /etc/puppet/ssl/ca/private/ca.pass on a puppet master?

We had a problem recently with that file mysteriously changing its
contents so that puppetmaster could not open the CA key anymore (so cert
signing failed). We think it was a user error, but are wondering what one
would have to actually do to generate a new password without affecting
the certificate or key files.

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en

On Apr 22, 2008, at 5:35 AM, Marcin Owsiany wrote:
> Hi,
>
> Does anyone know how, why, and which part of puppet might decide to
> regenerate /etc/puppet/ssl/ca/private/ca.pass on a puppet master?

The only bit of code that could ever generate a password is this:

    unless FileTest.exists?(@config[:cacert])
        @config[:password] = self.genpass
    end

So, theoretically, the only way this could happen is if you removed
the CA certificate.

It sounds like that's not happening to you, though, so I'm kinda out
of ideas.

--
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Tue, Apr 22, 2008 at 09:20:15AM -0500, Luke Kanies wrote:
> On Apr 22, 2008, at 5:35 AM, Marcin Owsiany wrote:
> > Hi,
> >
> > Does anyone know how, why, and which part of puppet might decide to
> > regenerate /etc/puppet/ssl/ca/private/ca.pass on a puppet master?
>
> The only bit of code that could ever generate a password is this:
>
>     unless FileTest.exists?(@config[:cacert])
>         @config[:password] = self.genpass
>     end
>
> So, theoretically, the only way this could happen is if you removed
> the CA certificate.

AND the password file. I.e. they would both need to have been deleted
for a while...

> It sounds like that's not happening to you, though, so I'm kinda out
> of ideas.

I can see that it's in the initialize method, but which program does
this code get used in?

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited

On Apr 22, 2008, at 9:53 AM, Marcin Owsiany wrote:
>> It sounds like that's not happening to you, though, so I'm kinda out
>> of ideas.
>
> I can see that it's in the initialize method, but which program does
> this code get used in?

It's only used in the CA network handler and puppetca, as far as I can
tell.

--
Luke Kanies | http://reductivelabs.com | http://madstop.com
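
Added example (not part of the thread and not Puppet's own code): a Ruby check that the passphrase file still unlocks the CA private key and that the key still matches the CA certificate, which is the failure described in the first message. The function name, the result symbols, the file names and the throwaway CA built in demo are constructed for illustration; the key is assumed to be an RSA key in encrypted PEM form.

```ruby
require "openssl"
require "tmpdir"

# Verify that the passphrase file still unlocks the CA key and that the
# key still belongs to the CA certificate. All paths are caller-supplied.
# Assumption: the passphrase is the file's content minus a trailing newline.
def check_ca_material(key_path, pass_path, cert_path)
  passphrase = File.read(pass_path).chomp
  begin
    key = OpenSSL::PKey::RSA.new(File.read(key_path), passphrase)
  rescue OpenSSL::PKey::PKeyError
    return :passphrase_does_not_unlock_key
  end
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  cert.check_private_key(key) ? :ok : :key_does_not_match_cert
end

# Constructed sample: a throwaway CA in a temp dir (file names are
# illustrative), checked before and after the passphrase file is
# overwritten while the key and certificate files stay untouched.
def demo
  Dir.mktmpdir do |dir|
    key_path, pass_path, cert_path =
      %w[ca_key.pem ca.pass ca_crt.pem].map { |f| File.join(dir, f) }
    key = OpenSSL::PKey::RSA.new(2048)
    File.write(pass_path, "constructed-passphrase-1\n")
    File.write(key_path,
               key.to_pem(OpenSSL::Cipher.new("aes-256-cbc"), "constructed-passphrase-1"))

    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-test-ca")
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    File.write(cert_path, cert.to_pem)

    before = check_ca_material(key_path, pass_path, cert_path)
    File.write(pass_path, "constructed-passphrase-2\n") # simulate a changed ca.pass
    after = check_ca_material(key_path, pass_path, cert_path)
    [before, after]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Run periodically against the real key, passphrase and certificate paths on a master, a result other than :ok flags the mismatch before cert signing starts failing.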