I am implementing Puppet on a small RHEL 5.3 cluster (~14 machines). These boxes will be rebuilt via kickstart at least once a month. What would be the best way to handle the certificate signing, preferably one that has the least interaction? I want to be able to kick off the rebuild and walk away knowing that Puppet will start up and take care of the rest of the config.

---------------------------------
Derek Tracy
tracyde@gmail.com
---------------------------------

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
One way would be to enable autosign when you request your kickstart... if your ks is dynamically generated, that could be easily scripted.

Alternatively, you can have a look at Foreman [1], which handles this kind of thing for you.

Ohad

[1] - http://theforeman.org

On Fri, Jan 14, 2011 at 9:04 PM, Derek Tracy <tracyde@gmail.com> wrote:
One thing to keep in mind is that if the server has the same name as previously, there will be an issue where you will need to use puppetca on the master to clean out the old cert.

On Jan 14, 3:36 pm, Ohad Levy <ohadl...@gmail.com> wrote:
Derek Tracy
2011-Jan-18 14:08 UTC
Re: [Puppet Users] Re: Autosign Certificate upon rebuild
I think that is the workflow I am going to use: before I kick off the rebuild, run

puppetca --clean <fqdn>

and keep the <fqdn> in the autosign.conf so when it rebuilds and kicks off the puppet service the CA just autosigns the cert. It would be nice to be able to set a special key/password that the puppet daemon could send that would tell the CA to revoke previous keys and autosign a new key for that host.

On Mon, Jan 17, 2011 at 12:29 PM, Matt <mjblack@gmail.com> wrote:
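The clean-then-autosign workflow in the message above, as an added example that is not part of the original thread or of Puppet itself. It assumes the Puppet 2.6-era defaults of the time: the master's autosign.conf at /etc/puppet/autosign.conf and the puppetca command named above; the function names are this example's own. The one check it adds beyond the message is that only exact, lowercase hostnames are ever written to autosign.conf: a wildcard or domain-wide entry there means any host that can reach the master can obtain a certificate for any matching name, so the script refuses such names and counts any that someone has added by hand.

```shell
#!/bin/sh
# Added example (not the poster's own script): pre-rebuild step on the
# Puppet master. Assumed path for the autosign file; override via env.
AUTOSIGN="${AUTOSIGN:-/etc/puppet/autosign.conf}"

# Accept only a plain lowercase FQDN (labels of [a-z0-9-], at least one dot).
# Anything else (e.g. "*.cluster.example") would autosign for every host
# in that domain, which is far more than one rebuilt node needs.
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Put the exact hostname into autosign.conf once (idempotent); refuse
# anything that is not an exact FQDN.
ensure_autosign_entry() {   # $1=autosign file  $2=fqdn
    valid_fqdn "$2" || return 1
    touch "$1"
    grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Count entries in autosign.conf that are not exact hostnames, so a
# wildcard added by hand is noticed before the next rebuild.
count_nonexact_entries() {  # $1=autosign file
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_fqdn "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Register the host for autosigning, then revoke and remove its old
# certificate so the rebuilt host's new CSR does not collide with it.
# Usage (on the master): prepare_rebuild node01.cluster.example
prepare_rebuild() {         # $1=fqdn
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ensure_autosign_entry "$AUTOSIGN" "$fqdn" || {
        echo "refusing: '$fqdn' is not an exact FQDN" >&2
        return 1
    }
    puppetca --clean "$fqdn"
}
```

Run prepare_rebuild on the master for each node just before starting its kickstart; the autosign entry stays in place across rebuilds, so the only per-rebuild action is the puppetca --clean. Before trusting the file, count_nonexact_entries should print 0.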
On Jan 18, 2011, at 6:08 AM, Derek Tracy wrote:

We create the puppet certs and keys on the server using generate, and copy them out in a similar way. Here's a script that, when run as root on the client, will copy keys and certs created using generate to the client. Please read all comments before running this script.

#!/bin/sh
# Get the hostname that will be on the cert (puppet lowercases certnames)
export dest_name=`facter fqdn | tr '[:upper:]' '[:lower:]'`

# If run on the server, abort because this was an accident.
# Note that "imba" is part of the server's fqdn
echo "$dest_name" | grep imba && exit 1

# Don't let puppet mess with what we're doing
service puppet stop

mkdir -p /root/.ssh
# Sample lines to remove the ssh key warnings. Replace with your own keys.
# These were truncated, expect yours to be much longer
echo "|1|IFcJPOzu" >> /root/.ssh/known_hosts
echo "|1|R+6Dna" >> /root/.ssh/known_hosts

# Replace the hardcoded server name with your own.
scp "simba.outer:/var/lib/puppet/ssl/ca/signed/${dest_name}.pem" "/var/lib/puppet/ssl/certs/"
scp "simba.outer:/var/lib/puppet/ssl/certs/ca.pem" "/var/lib/puppet/ssl/certs/"
scp "simba.outer:/var/lib/puppet/ssl/private_keys/${dest_name}.pem" "/var/lib/puppet/ssl/private_keys/"