Hi
On 21 June 2010 11:53, Pablo Iranzo Gómez
<pablo.iranzo@gmail.com> wrote:
> Hi
>
> I've installed puppet and made autosigning work like a charm (EPEL
> version 0.25-5 for EL4 and EL5)
>
> What I would like to do now is to set up the environment in order to
> achieve:
>
> As the server can be reinstalled and a new CA created, clients should
> either expire, or accept any cert while using autosigning.
>
>
> I've tested so far:
>
> - puppetmaster machine can be reinstalled so a new CA will be created
> by default
> - If the server CA is recreated, clients stop connecting because of
> certificate verification failure
> - clients should be able to connect to that server, so I've tried
> making CA and host certs expire faster with no luck
> - I need to set up ca_ttl > 3 days because if not, the created pem will
> have "not valid after" before current date/time
> - After creating CA with expiration +25 years, and host with 3 days,
> if I change host date, I can't get a new certificate from server.
>
> As workarounds I've considered packaging CA certificates with my
> config distribution, so all servers, even when reinstalled, will share
> the same CA, but I find it cleaner to just regenerate certificates on
> a daily basis automatically.
>
> How should I set this up?
Will this get covered when the fix for #3360 gets out?
Thanks
Pablo