Is there a command to reject a signing request? While obviously I can --sign then immediately --clean, that's not a terribly good solution, as it leaves a bit of a race condition loophole. Just trying to --clean an unsigned cert gives an error. I've looked for documentation on this, but can't seem to find anything.

If there's not, how would I make a feature request to either have --clean check for and remove unsigned certs, or to add another command to do this?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Marti wrote:
> Is there a command to reject a signing request? While obviously I can
> --sign then immediately --clean, that's not a terribly good solution,
> as it leaves a bit of a race condition loophole. Just trying to
> --clean an unsigned cert gives an error. I've looked for documentation
> on this, but can't seem to find anything.

What's the Puppet version and the error?

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
> Is there a command to reject a signing request? While obviously I can
> --sign then immediately --clean, that's not a terribly good solution,
> as it leaves a bit of a race condition loophole. Just trying to
> --clean an unsigned cert gives an error. I've looked for documentation
> on this, but can't seem to find anything.
>
> If there's not, how would I make a feature request to either have
> --clean check for and remove unsigned certs, or to add another command
> to do this?

Why exactly do you need to remove unsigned? Or are you looking for a way to permanently reject a host?

Evan
puppet[~]$ puppetca --version
0.24.5
puppet[~]$ sudo puppetca --list
localhost.dhcp.ece.arizona.edu
puppet[~]$ sudo puppetca --clean localhost.dhcp.ece.arizona.edu
Could not find client certificate for localhost.dhcp.ece.arizona.edu

Occasionally my DHCP clients get confused about their hostname; I'd like to simply reject bad requests like this one.

On Sep 5, 11:37 pm, James Turnbull <ja...@lovedthanlost.net> wrote:
> Marti wrote:
> > Is there a command to reject a signing request? While obviously I can
> > --sign then immediately --clean, that's not a terribly good solution,
> > as it leaves a bit of a race condition loophole. Just trying to
> > --clean an unsigned cert gives an error. I've looked for documentation
> > on this, but can't seem to find anything.
>
> What's the Puppet version and the error?
>
> Regards
>
> James Turnbull
Not so concerned about permanently rejecting a host, though if there's a way to do so, I'd be interested in knowing it. But my main goal is to be able to keep my CA request queue empty. For now I've been --signing and immediately --cleaning, but I figured there ought to be a cleaner way to handle this.

On Sep 6, 8:21 am, "Evan Hisey" <ehi...@gmail.com> wrote:
> > Is there a command to reject a signing request? While obviously I can
> > --sign then immediately --clean, that's not a terribly good solution,
> > as it leaves a bit of a race condition loophole. Just trying to
> > --clean an unsigned cert gives an error. I've looked for documentation
> > on this, but can't seem to find anything.
> >
> > If there's not, how would I make a feature request to either have
> > --clean check for and remove unsigned certs, or to add another command
> > to do this?
>
> Why exactly do you need to remove unsigned? Or are you looking for a
> way to permanently reject a host?
>
> Evan
Hello!

Marti <martinezah@gmail.com>:
> a way to do so, I'd be interested in knowing it. But my main goal is
> to be able to keep my CA request queue empty. For now I've been
> --signing and immediately --cleaning, but I figured there ought to be a
> cleaner way to handle this.

What you can do is to delete the request manually from $csrdir, that is /var/lib/puppet/ssl/ca/requests on a standard puppet installation.

Regards

Christian

--
Dipl.-Inf. Christian Kauhaus <>< · kc@gocept.com · systems administration
gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 11 · fax +49 345 1229889 1
Zope and Plone consulting and development
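Added example, not part of the original thread and not Puppet's own tooling: the manual removal described above, wrapped in a shell function that validates the certname so the argument cannot point outside the request directory. It assumes pending requests are stored as <certname>.pem under that directory; reject_csr and CSRDIR are hypothetical names.

```shell
#!/bin/sh
# Added example: reject a pending signing request by deleting it from the
# CA request directory, instead of --sign followed by --clean.
# Assumption: each pending request is a file named <certname>.pem in $CSRDIR.
# Usage (as root on the CA host): reject_csr localhost.dhcp.ece.arizona.edu

CSRDIR="${CSRDIR:-/var/lib/puppet/ssl/ca/requests}"

# reject_csr CERTNAME
# Returns 0 if the request was removed, 1 if no such pending request exists,
# 2 if CERTNAME is not a plain hostname-style name.
reject_csr() {
    name="$1"
    # Allow only hostname characters and refuse a leading dot, so names such
    # as "../../etc/passwd" or ".." can never resolve outside $CSRDIR.
    case "$name" in
        ''|.*|*[!A-Za-z0-9._-]*)
            echo "reject_csr: invalid certname: $name" >&2
            return 2 ;;
    esac

    req="$CSRDIR/$name.pem"
    # Act only on a regular file; a symlink planted in the directory is ignored.
    if [ ! -f "$req" ] || [ -L "$req" ]; then
        echo "reject_csr: no pending request for $name" >&2
        return 1
    fi

    # Record the subject of the request being discarded, when openssl is present.
    if command -v openssl >/dev/null 2>&1; then
        openssl req -in "$req" -noout -subject 2>/dev/null || true
    fi

    rm -f -- "$req" && echo "rejected $name"
}
```

Because no certificate is ever issued, this avoids the window between --sign and --clean in which the client could fetch a valid certificate.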
Marti wrote:
> Is there a command to reject a signing request? While obviously I can
> --sign then immediately --clean, that's not a terribly good solution,
> as it leaves a bit of a race condition loophole. Just trying to
> --clean an unsigned cert gives an error. I've looked for documentation
> on this, but can't seem to find anything.
>
> If there's not, how would I make a feature request to either have
> --clean check for and remove unsigned certs, or to add another command
> to do this?

Marti

Feature requests at:

http://reductivelabs.com/redmine/

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)