Puppet users - Jul 2010 - IP based node sections instead of hostname based?

Hi experts,

Is there a way to specify in the nodes.pp sections with the ip address of
the client?
Currently I only saw instructions to use wildcarded hostnames.

Thanks a lot

-Yushu

+-------------------------------------------------+
| Yushu Yao
| Ph:1-510-486-4690
|
| Lawrence Berkeley National Lab
| Mailstop 50B-6222
| 1 Cyclotron Road
| Berkeley CA 94720-8147 - USA
+-------------------------------------------------+

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <yao.yushu@gmail.com>
wrote:
> Hi experts,
>
> Is there a way to specify in the nodes.pp sections with the ip address of
> the client?
> Currently I only saw instructions to use wildcarded hostnames.
>
> Thanks a lot
You can configure [1] the master to use facter rather than the
certificate common name for the node name.  Note, however, this poses
a risk since the fact list is presented by the agent and may be
forged.  If you configure the master to use facter then you would have
to force the "hostname" to actually be the ipaddress by modifying the
hostname fact itself.

I in no way recommend this configuration and actively discourage it.
It should do what you want though.

node_name
How the puppetmaster determines the client’s identity and sets the
‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
particular for determining which ‘node’ statement applies to the
client. Possible values are ‘cert’ (use the subject’s CN in the
client’s certificate) and ‘facter’ (use the hostname that the client
reported in its facts)
Default: cert

[1] http://docs.puppetlabs.com/references/latest/configuration.html#node_name

Hope this helps,
-- 
Jeff McCune
http://www.puppetlabs.com/

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks Jeff,

Assuming we will worry about security later.

Is it possible to use arbitrary name in both client cert''s CN and in
nodes.pp?

E.g. in node.pp we have:

node "MyMachine1" { xxx }

In client''s cert the CN="MyMachine1"

Where MyMachine1 is neither the IP address nor the fqdn.

Then when the client connects the master will look into its CN, and return
the catalog of "MyMachine1".

Thanks

-Yushu






On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <yao.yushu@gmail.com>
wrote:
> > Hi experts,
> >
> > Is there a way to specify in the nodes.pp sections with the ip address
of
> > the client?
> > Currently I only saw instructions to use wildcarded hostnames.
> >
> > Thanks a lot
>
> You can configure [1] the master to use facter rather than the
> certificate common name for the node name.  Note, however, this poses
> a risk since the fact list is presented by the agent and may be
> forged.  If you configure the master to use facter then you would have
> to force the "hostname" to actually be the ipaddress by modifying
the
> hostname fact itself.
>
> I in no way recommend this configuration and actively discourage it.
> It should do what you want though.
>
> node_name
> How the puppetmaster determines the client’s identity and sets the
> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
> particular for determining which ‘node’ statement applies to the
> client. Possible values are ‘cert’ (use the subject’s CN in the
> client’s certificate) and ‘facter’ (use the hostname that the client
> reported in its facts)
> Default: cert
>
> [1]
> http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>
> Hope this helps,
> --
> Jeff McCune
> http://www.puppetlabs.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Just to add:

The reason I wanted to do this:
1. I want to create the certificates before the VMs are created. The VMs
will need to run puppet client
2. However, before a VM is created, I don''t know the IP nor the FQDN of
the
VM. That''s why I''m thinking of using an arbitrary name.
3. I want to use the same set of certs to authenticate the communication
between the VMs and another APACHE server.

Any comments on how to do this is greatly appreciated.

-Yushu

On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <yyao@lbl.gov> wrote:
> Thanks Jeff,
>
> Assuming we will worry about security later.
>
> Is it possible to use arbitrary name in both client cert''s CN and
in
> nodes.pp?
>
> E.g. in node.pp we have:
>
> node "MyMachine1" { xxx }
>
> In client''s cert the CN="MyMachine1"
>
> Where MyMachine1 is neither the IP address nor the fqdn.
>
> Then when the client connects the master will look into its CN, and return
> the catalog of "MyMachine1".
>
> Thanks
>
> -Yushu
>
>
>
>
>
>
>
> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune <jeff@puppetlabs.com>
wrote:
>
>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao <yao.yushu@gmail.com>
wrote:
>> > Hi experts,
>> >
>> > Is there a way to specify in the nodes.pp sections with the ip
address
>> of
>> > the client?
>> > Currently I only saw instructions to use wildcarded hostnames.
>> >
>> > Thanks a lot
>>
>> You can configure [1] the master to use facter rather than the
>> certificate common name for the node name.  Note, however, this poses
>> a risk since the fact list is presented by the agent and may be
>> forged.  If you configure the master to use facter then you would have
>> to force the "hostname" to actually be the ipaddress by
modifying the
>> hostname fact itself.
>>
>> I in no way recommend this configuration and actively discourage it.
>> It should do what you want though.
>>
>> node_name
>> How the puppetmaster determines the client’s identity and sets the
>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
>> particular for determining which ‘node’ statement applies to the
>> client. Possible values are ‘cert’ (use the subject’s CN in the
>> client’s certificate) and ‘facter’ (use the hostname that the client
>> reported in its facts)
>> Default: cert
>>
>> [1]
>>
http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>
>> Hope this helps,
>> --
>> Jeff McCune
>> http://www.puppetlabs.com/
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Wednesday, August 11, 2010, Yushu Yao <yyao@lbl.gov>
wrote:
> Thanks Jeff,
>
> Assuming we will worry about security later.
>
> Is it possible to use arbitrary name in both client cert''s CN and
in nodes.pp?
Yes, this will work.

-Jeff

-- 
Jeff McCune
http://www.puppetlabs.com/

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

You may look into how mcollective or foreman[1] handles the certificate
signing processes.

[1] http://theforeman.org

Ohad

On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <yyao@lbl.gov> wrote:
> Just to add:
>
> The reason I wanted to do this:
> 1. I want to create the certificates before the VMs are created. The VMs
> will need to run puppet client
> 2. However, before a VM is created, I don''t know the IP nor the
FQDN of the
> VM. That''s why I''m thinking of using an arbitrary name.
> 3. I want to use the same set of certs to authenticate the communication
> between the VMs and another APACHE server.
>
> Any comments on how to do this is greatly appreciated.
>
> -Yushu
>
>
> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <yyao@lbl.gov> wrote:
>
>> Thanks Jeff,
>>
>> Assuming we will worry about security later.
>>
>> Is it possible to use arbitrary name in both client cert''s CN
and in
>> nodes.pp?
>>
>> E.g. in node.pp we have:
>>
>> node "MyMachine1" { xxx }
>>
>> In client''s cert the CN="MyMachine1"
>>
>> Where MyMachine1 is neither the IP address nor the fqdn.
>>
>> Then when the client connects the master will look into its CN, and
return
>> the catalog of "MyMachine1".
>>
>> Thanks
>>
>> -Yushu
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune
<jeff@puppetlabs.com> wrote:
>>
>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao
<yao.yushu@gmail.com> wrote:
>>> > Hi experts,
>>> >
>>> > Is there a way to specify in the nodes.pp sections with the ip
address
>>> of
>>> > the client?
>>> > Currently I only saw instructions to use wildcarded hostnames.
>>> >
>>> > Thanks a lot
>>>
>>> You can configure [1] the master to use facter rather than the
>>> certificate common name for the node name.  Note, however, this
poses
>>> a risk since the fact list is presented by the agent and may be
>>> forged.  If you configure the master to use facter then you would
have
>>> to force the "hostname" to actually be the ipaddress by
modifying the
>>> hostname fact itself.
>>>
>>> I in no way recommend this configuration and actively discourage
it.
>>> It should do what you want though.
>>>
>>> node_name
>>> How the puppetmaster determines the client’s identity and sets the
>>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest, in
>>> particular for determining which ‘node’ statement applies to the
>>> client. Possible values are ‘cert’ (use the subject’s CN in the
>>> client’s certificate) and ‘facter’ (use the hostname that the
client
>>> reported in its facts)
>>> Default: cert
>>>
>>> [1]
>>>
http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>
>>> Hope this helps,
>>> --
>>> Jeff McCune
>>> http://www.puppetlabs.com/
>>>
>>> --
>>> You received this message because you are subscribed to the Google
Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to puppet-users@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>>> .
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
>>>
>>>
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Yushu,

This should work...

1. Create the cert with an arbitrary name (puppetca --generate
foo.somethingrandom.bar)
2. You will need some process to sign the cert and copy the private keys to
the client vm because they don''t exist at cert creation time.  Copying
private keys about is generally frowned upon from a security perspective,
but if you want to pregenerate the certs you don''t have much choice.
3. In puppet.conf on the client, set the certname option to
foo.somethingrandom.bar in the [puppetd] section.

Cheers,
Teyo

On Wed, Aug 11, 2010 at 12:19 PM, Ohad Levy <ohadlevy@gmail.com> wrote:
> Hi,
>
> You may look into how mcollective or foreman[1] handles the certificate
> signing processes.
>
> [1] http://theforeman.org
>
> Ohad
>
>
> On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <yyao@lbl.gov> wrote:
>
>> Just to add:
>>
>> The reason I wanted to do this:
>> 1. I want to create the certificates before the VMs are created. The
VMs
>> will need to run puppet client
>> 2. However, before a VM is created, I don''t know the IP nor
the FQDN of
>> the VM. That''s why I''m thinking of using an arbitrary
name.
>> 3. I want to use the same set of certs to authenticate the
communication
>> between the VMs and another APACHE server.
>>
>> Any comments on how to do this is greatly appreciated.
>>
>> -Yushu
>>
>>
>> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <yyao@lbl.gov> wrote:
>>
>>> Thanks Jeff,
>>>
>>> Assuming we will worry about security later.
>>>
>>> Is it possible to use arbitrary name in both client cert''s
CN and in
>>> nodes.pp?
>>>
>>> E.g. in node.pp we have:
>>>
>>> node "MyMachine1" { xxx }
>>>
>>> In client''s cert the CN="MyMachine1"
>>>
>>> Where MyMachine1 is neither the IP address nor the fqdn.
>>>
>>> Then when the client connects the master will look into its CN, and
>>> return the catalog of "MyMachine1".
>>>
>>> Thanks
>>>
>>> -Yushu
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune
<jeff@puppetlabs.com>wrote:
>>>
>>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao
<yao.yushu@gmail.com>
>>>> wrote:
>>>> > Hi experts,
>>>> >
>>>> > Is there a way to specify in the nodes.pp sections with
the ip address
>>>> of
>>>> > the client?
>>>> > Currently I only saw instructions to use wildcarded
hostnames.
>>>> >
>>>> > Thanks a lot
>>>>
>>>> You can configure [1] the master to use facter rather than the
>>>> certificate common name for the node name.  Note, however, this
poses
>>>> a risk since the fact list is presented by the agent and may be
>>>> forged.  If you configure the master to use facter then you
would have
>>>> to force the "hostname" to actually be the ipaddress
by modifying the
>>>> hostname fact itself.
>>>>
>>>> I in no way recommend this configuration and actively
discourage it.
>>>> It should do what you want though.
>>>>
>>>> node_name
>>>> How the puppetmaster determines the client’s identity and sets
the
>>>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the manifest,
in
>>>> particular for determining which ‘node’ statement applies to
the
>>>> client. Possible values are ‘cert’ (use the subject’s CN in the
>>>> client’s certificate) and ‘facter’ (use the hostname that the
client
>>>> reported in its facts)
>>>> Default: cert
>>>>
>>>> [1]
>>>>
http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>>
>>>> Hope this helps,
>>>> --
>>>> Jeff McCune
>>>> http://www.puppetlabs.com/
>>>>
>>>> --
>>>> You received this message because you are subscribed to the
Google
>>>> Groups "Puppet Users" group.
>>>> To post to this group, send email to
puppet-users@googlegroups.com.
>>>> To unsubscribe from this group, send email to
>>>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>>>> .
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/puppet-users?hl=en.
>>>>
>>>>
>>>
>>  --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>


-- 
Teyo Tyree ::  www.puppetlabs.com:: +1.503.208.4475

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks a lot for all of you.

Another question: I saw the CN=ca for the certificate authority.
(e.g. puppetca --list --print --all shows:
...
       Issuer: CN=ca
...
        Subject: CN=asdf
...

)

Is there a way to change the "ca" to some other name? E.g. foo ?


The reason for this is when I use the certificates generated by this ca in
the apache server, firefox will block it if I regenerate the certs of
puppet. (I.e. a cert provided by the CA with CN=ca is already there, the new
one has a different key, so return failure).

Thanks.

-Yushu
''



On Wed, Aug 11, 2010 at 1:16 PM, Teyo Tyree <teyo@puppetlabs.com> wrote:
> Yushu,
>
> This should work...
>
> 1. Create the cert with an arbitrary name (puppetca --generate
> foo.somethingrandom.bar)
> 2. You will need some process to sign the cert and copy the private keys to
> the client vm because they don''t exist at cert creation time. 
Copying
> private keys about is generally frowned upon from a security perspective,
> but if you want to pregenerate the certs you don''t have much
choice.
> 3. In puppet.conf on the client, set the certname option to
> foo.somethingrandom.bar in the [puppetd] section.
>
> Cheers,
> Teyo
>
> On Wed, Aug 11, 2010 at 12:19 PM, Ohad Levy <ohadlevy@gmail.com>
wrote:
>
>> Hi,
>>
>> You may look into how mcollective or foreman[1] handles the certificate
>> signing processes.
>>
>> [1] http://theforeman.org
>>
>> Ohad
>>
>>
>> On Wed, Aug 11, 2010 at 9:07 PM, Yushu Yao <yyao@lbl.gov> wrote:
>>
>>> Just to add:
>>>
>>> The reason I wanted to do this:
>>> 1. I want to create the certificates before the VMs are created.
The VMs
>>> will need to run puppet client
>>> 2. However, before a VM is created, I don''t know the IP
nor the FQDN of
>>> the VM. That''s why I''m thinking of using an
arbitrary name.
>>> 3. I want to use the same set of certs to authenticate the
communication
>>> between the VMs and another APACHE server.
>>>
>>> Any comments on how to do this is greatly appreciated.
>>>
>>> -Yushu
>>>
>>>
>>> On Wed, Aug 11, 2010 at 11:02 AM, Yushu Yao <yyao@lbl.gov>
wrote:
>>>
>>>> Thanks Jeff,
>>>>
>>>> Assuming we will worry about security later.
>>>>
>>>> Is it possible to use arbitrary name in both client
cert''s CN and in
>>>> nodes.pp?
>>>>
>>>> E.g. in node.pp we have:
>>>>
>>>> node "MyMachine1" { xxx }
>>>>
>>>> In client''s cert the CN="MyMachine1"
>>>>
>>>> Where MyMachine1 is neither the IP address nor the fqdn.
>>>>
>>>> Then when the client connects the master will look into its CN,
and
>>>> return the catalog of "MyMachine1".
>>>>
>>>> Thanks
>>>>
>>>> -Yushu
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Jul 30, 2010 at 5:55 PM, Jeff McCune
<jeff@puppetlabs.com>wrote:
>>>>
>>>>> On Fri, Jul 30, 2010 at 10:35 AM, Yushu Yao
<yao.yushu@gmail.com>
>>>>> wrote:
>>>>> > Hi experts,
>>>>> >
>>>>> > Is there a way to specify in the nodes.pp sections
with the ip
>>>>> address of
>>>>> > the client?
>>>>> > Currently I only saw instructions to use wildcarded
hostnames.
>>>>> >
>>>>> > Thanks a lot
>>>>>
>>>>> You can configure [1] the master to use facter rather than
the
>>>>> certificate common name for the node name.  Note, however,
this poses
>>>>> a risk since the fact list is presented by the agent and
may be
>>>>> forged.  If you configure the master to use facter then you
would have
>>>>> to force the "hostname" to actually be the
ipaddress by modifying the
>>>>> hostname fact itself.
>>>>>
>>>>> I in no way recommend this configuration and actively
discourage it.
>>>>> It should do what you want though.
>>>>>
>>>>> node_name
>>>>> How the puppetmaster determines the client’s identity and
sets the
>>>>> ‘hostname’, ‘fqdn’ and ‘domain’ facts for use in the
manifest, in
>>>>> particular for determining which ‘node’ statement applies
to the
>>>>> client. Possible values are ‘cert’ (use the subject’s CN in
the
>>>>> client’s certificate) and ‘facter’ (use the hostname that
the client
>>>>> reported in its facts)
>>>>> Default: cert
>>>>>
>>>>> [1]
>>>>>
http://docs.puppetlabs.com/references/latest/configuration.html#node_name
>>>>>
>>>>> Hope this helps,
>>>>> --
>>>>> Jeff McCune
>>>>> http://www.puppetlabs.com/
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the
Google
>>>>> Groups "Puppet Users" group.
>>>>> To post to this group, send email to
puppet-users@googlegroups.com.
>>>>> To unsubscribe from this group, send email to
>>>>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>>>>> .
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/puppet-users?hl=en.
>>>>>
>>>>>
>>>>
>>>  --
>>> You received this message because you are subscribed to the Google
Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to puppet-users@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>>> .
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
>>>
>>
>>  --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>
>
>
> --
> Teyo Tyree ::  www.puppetlabs.com:: +1.503.208.4475
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Wednesday, August 11, 2010, Yushu Yao
> Is there a way to change the "ca" to some other name? E.g. foo ?
Yes, there is an option to change the cn field of the ca when puppet
auto generates one. I''m not sure what it is off the top of my head but
please check the configuration reference.  I''m guessing it''s
--ca_name

Note, you''ll need to regenerate your certificates if you change the ca
cert.

-Jeff

-- 
Jeff McCune
http://www.puppetlabs.com/

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.