Patrick Cervicek
2011-Mar-08 11:00 UTC
[Puppet Users] Force resigning of existing certificates
Is there a way to force the puppetmaster to re-sign certificates for existing certificates when a new CSR for the same hostname arrives?

When we reinstall freshly formatted clients with puppet (with the same hostname) the puppet client complains:

err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

As a workaround we need to delete the $ssldir on the client, delete the certificate on the server ("puppetca --clean client-hostname.fqdn") and restart puppet.

Used versions:
puppetmaster 0.25.4-2~bpo50+1
puppet 2.6.2-4

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Felix Frank
2011-Mar-08 13:05 UTC
Re: [Puppet Users] Force resigning of existing certificates
On 03/08/2011 12:00 PM, Patrick Cervicek wrote:
> Is there a way to force the puppetmaster to resign certificates for
> existing certificates when a new CSR for the same hostname arrives?
>
> When we reinstall freshly formatted clients with puppet (with the same
> hostname) the puppet client complains:
>
> err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it with
> the current key
>
> As workaround we need to delete the $ssldir on the client, delete the
> certificate on the server "puppetca --clean client-hostname.fqdn" and
> restart puppet
>
> Used versions:
> puppetmaster 0.25.4-2~bpo50+1
> puppet 2.6.2-4

It's not a good idea to have an old master and newer clients, as far as I know.

Automating the revocation of an old certificate is a Bad Idea. Anyone could blast all your certificates if they have connectivity to your master.

You may want to try and outfit your newly formatted clients with the original certs and keys. Would that be possible in your scenario?

HTH,
Felix
Disconnect
2011-Mar-08 13:54 UTC
Re: [Puppet Users] Force resigning of existing certificates
Alternately, running the puppetca clean before starting the new client will result in the standard unsigned behavior.

(I do think it's pretty broken that trying once with the wrong cert poisons the client - if it is an attack, they can just wipe the client cert again, and if it isn't - eg in your case - then it breaks..)

On Tue, Mar 8, 2011 at 8:05 AM, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
> On 03/08/2011 12:00 PM, Patrick Cervicek wrote:
> [...]
> It's not a good Idea to have an old master and newer clients, far as I
> know.
>
> Automating the revocation of an old certificate is a Bad Idea. Anyone
> could blast all your certificates if they have connectivity to you master.
>
> You may want to try and outfit your newly formatted clients with the
> original certs and keys. Would that be possibly in your scenario?
>
> HTH,
> Felix
Patrick

On 8 Mrz., 14:54, Disconnect <dc.disconn...@gmail.com> wrote:
> Alternately, running the puppetca clean before starting the new client will
> result in the standard unsigned behavior.

Maybe, but it would be nice to save this extra effort. In our case, we do not want the security features of puppet.

> (I do think its pretty broken that trying once with the wrong cert poisons
> the client - if it is an attack, they can just wipe the client cert again,
> and if it isn't - eg in your case - then it breaks..)

We know, but we are using build servers in a trusted network. The buildservers are often reinstalled and we do not want to manage the certificates.
Jake - USPS
2011-Apr-13 18:39 UTC
[Puppet Users] Re: Force resigning of existing certificates
I also am looking to do something like this. So besides it being a bad idea, is there a way to do it?

If not, I was wondering if there is a way to check the last time when a client signed in to a puppet master. I know with puppet-dashboard you can view this type of information; is it easy to also check if a system checked in within the past hour from the cmd line on the system that is hosting the puppet-dashboard, thus the system with all the reports? This way, if UNIX SAs are to be forced to revoke a cert before building, I can perhaps create a script and at least check when the last time a system checked in and issue warnings if it recently checked in.

See, while you have valid arguments on why it's bad to just sign over a cert, I think it could also be bad to have regular admins revoke certs before a new build ... ooops, we just revoked the wrong hostname and didn't notice ... now a system can't check in anymore until someone notices and then fixes it.

Thanks,
Jake

On Mar 11, 3:38 am, Patrick <patr...@googlealtert.spamtrap.fht-esslingen.de> wrote:
> On 8 Mrz., 14:54, Disconnect <dc.disconn...@gmail.com> wrote:
> [...]
> Maybe, but it would be nice to save this extra afford. In our case,
> we do not want the security features of puppet.
> [...]
> We know, but we are using build servers in a trusted network.. The
> buildservers are often reinstalled and we do not want to manage the
> certificates.
Derek J. Balling
2011-Apr-13 20:39 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
We've been tracking Bug 3360: https://projects.puppetlabs.com/issues/3360 which controls what the puppetmaster does when it receives a new CSR for a host that already exists.

Like you and the OP, we have little to no use for the security aspects of Puppet's CA design, and build in a completely trusted environment. I *think* when 3360 goes live, most of our CA issues will be resolved. It may not be a perfect match for the "re-signing" thing the OP is describing here, or your particular situation, but it's worth paying attention to.

D

On Apr 13, 2011, at 2:39 PM, Jake - USPS wrote:
> I also am looking to do something like this. So besides it being a
> bad idea, is there a way to do it?
>
> Thanks,
> Jake
Ohad Levy
2011-Apr-13 20:46 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
On Fri, Mar 11, 2011 at 10:38 AM, Patrick <patrick@googlealtert.spamtrap.fht-esslingen.de> wrote:
> On 8 Mrz., 14:54, Disconnect <dc.disconn...@gmail.com> wrote:
> [...]
> Maybe, but it would be nice to save this extra afford. In our case,
> we do not want the security features of puppet.
> [...]
> We know, but we are using build servers in a trusted network.. The
> buildservers are often reinstalled and we do not want to manage the
> certificates.

You can use a tool like foreman which automates this whole process.

Ohad
Jake - USPS
2011-Apr-14 13:31 UTC
[Puppet Users] Re: Force resigning of existing certificates
Here is one idea I've had and tested ... but it has some obvious drawbacks which I'll detail ... still wondering if there are others.

On the ca_server I did:

    puppetca --generate client

I then copied the following generated files:

    ssl/private_keys/client.pem (certA)
    ssl/ca/signed/client.pem (certB)

and packaged them into my puppet client RPM to be deployed on puppet agents at the following paths:

    ssl/private_keys/client.pem (certA)
    ssl/certs/client.pem (certB)

Then on the puppet agent I edited puppet.conf with:

    [agent]
    certname = client
    node_name = facter

certname tells the system what 'hostname' to use for the cert. By default node_name uses the certname to describe the node, so I changed that to facter.

This seems to be working as far as being able to communicate with the puppet server and pull configs. The only problem I'm having is with puppet-dashboard, which groups reports based on certname it seems instead of hostname/fqdn ... so the couple of hosts I have with the same cert do not have separate nodes in the puppet-dashboard. :( I was hoping the node_name entry would take care of that, but it didn't.

Any thoughts on this approach, maybe even how to get dashboard to work with this method? Or is this a horrible idea?

Also, what is foreman and how could it help? Not familiar with that product.

Thanks,
Jake

On Apr 13, 3:46 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Fri, Mar 11, 2011 at 10:38 AM, Patrick <patr...@googlealtert.spamtrap.fht-esslingen.de> wrote:
> [...]
> You can use a tool like foreman which automates this whole process.
>
> Ohad
Ohad Levy
2011-Apr-14 13:41 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
> Also, what is foreman and how could it help. Not familiar with that
> product.

Foreman takes care of the entire process; things like provisioning, class assignments and reporting are all done through it (and many many other features).

See http://theforeman.org for more details.

Ohad
Jake - USPS
2011-Apr-14 13:45 UTC
[Puppet Users] Re: Force resigning of existing certificates
Thanks for the reply. I'm just starting to understand puppet, so I would like not to mess with that ... yet. It does look very interesting though, so thanks for bringing that up.

Derek,

Thanks for the bug. That looks like it includes some things that I would like ... like the allow duplicate cert and whatnot. It looks like its status is closed as of 14 hours ago. Does that mean it is in some release of puppet now, or just that the code is ready to eventually be implemented? I'd like to start trying it out right away as my 'solution' doesn't seem to work well with dashboard.

Thanks,
Jake

On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
> On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > Also, what is foreman and how could it help. Not familiar with that
> > product.
>
> Foreman takes care for the entire process, things like provisioning, class
> assignments and reportings are all done though it (and many many other
> features).
>
> see http://theforeman.org for more details.
>
> Ohad
Jake - USPS
2011-Apr-14 13:50 UTC
[Puppet Users] Re: Force resigning of existing certificates
Nevermind, looks like it's in 2.7.0rc1:

http://groups.google.com/group/puppet-users/browse_thread/thread/b3b50d3c4e449a60

cb01221 (#3360) Add an allow_duplicate_certs option

On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> Thanks for the reply. I'm just starting to understand puppet, so I
> would like not to mess with that ... yet. It does look very
> interesting though, so thanks for bringing that up.
>
> Derek,
>
> Thanks for the bug. That looks like it includes some things that I
> would like ... like the allow duplicate cert and whatnot. It looks
> like its status closed as of 14 hours ago. Does that mean it is in
> some release of puppet now, or just that code it ready to eventually
> be implemented? I'd like to start trying it out right away as my
> 'solution' doesn't seem to work well with dashboard.
>
> Thanks,
> Jake
Jake - USPS
2011-Apr-27 21:17 UTC
[Puppet Users] Re: Force resigning of existing certificates
OK, just had to post this! I found a solution to my issues that may help others.

http://glarizza.posterous.com/managing-puppet-ssl-certificates

Basically a CGI script located on your CA server. You can pass the hostname/certname that you want to clean via http to the script and have it clean it off the CA server. More details in the link above. This is working great for me and I'll be using it until similar functionality is included by default in puppet.

Regards,
Jake

On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> Nevermind, looks like its in 2.7.0rc1
>
> http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> cb01221 (#3360) Add an allow_duplicate_certs option
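A "pass the certname over HTTP and the CA cleans it" endpoint is exactly what Felix warned about earlier in the thread: anyone who can reach it can wipe any host's certificate, and if the certname is dropped into a shell command line the caller can run commands as the CA user. The sketch below is an added example for this page; it is not the script behind the link, not Foreman, and not part of Puppet. It assumes a secret shared between the provisioning host and the CA (read from a hypothetical CLEAN_SECRET environment variable), and uses the `puppetca --clean` command of the Puppet versions in this thread. It rejects anything that is not a plain hostname, requires a timestamped HMAC over the request so a captured request cannot be replayed or re-pointed at another host, and hands the command to `system` as an argv list so no shell ever sees the name. The `runner` argument is an injection point for testing without a CA on the box.

```ruby
require 'openssl'

# RFC 1123 hostname shape; this is the only thing allowed to reach puppetca.
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
CERTNAME_RE = /\A#{LABEL}(?:\.#{LABEL})*\z/i
MAX_SKEW = 300 # seconds a signed request stays valid
STATUS_TEXT = { 200 => '200 OK', 400 => '400 Bad Request',
                403 => '403 Forbidden', 500 => '500 Internal Server Error' }.freeze

def valid_certname?(name)
  name.is_a?(String) && name.length <= 253 && CERTNAME_RE.match?(name)
end

# Provisioning host and CA share `secret`; the MAC binds certname and time.
def sign_clean_request(secret, certname, ts)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{ts}\n#{certname}")
end

# Constant-time compare so the MAC check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns [http_status, message]. `runner` gets an argv array; no shell is involved.
def handle_clean(params, secret:, runner:, now: Time.now)
  certname, ts, mac = params.values_at('certname', 'ts', 'mac').map(&:to_s)
  return [400, 'invalid certname'] unless valid_certname?(certname)
  return [400, 'invalid timestamp'] unless ts.match?(/\A\d{1,12}\z/)
  return [403, 'request expired'] if (now.to_i - ts.to_i).abs > MAX_SKEW
  return [403, 'bad signature'] unless secure_equal?(sign_clean_request(secret, certname, ts), mac)
  # Command name follows the thread's Puppet 0.25/2.6 CLI; 2.7+ spells it `puppet cert clean`.
  ok = runner.call(['puppetca', '--clean', certname])
  ok ? [200, "cleaned #{certname}"] : [500, 'clean failed']
end

# CGI entry point; only runs when a web server actually invoked us.
if __FILE__ == $PROGRAM_NAME && ENV['REQUEST_METHOD']
  require 'cgi'
  cgi = CGI.new
  params = { 'certname' => cgi['certname'], 'ts' => cgi['ts'], 'mac' => cgi['mac'] }
  status, body = handle_clean(params, secret: ENV.fetch('CLEAN_SECRET'),
                              runner: ->(argv) { system(*argv) })
  cgi.out('status' => STATUS_TEXT[status], 'type' => 'text/plain') { body + "\n" }
end
```

The caller computes the same HMAC over "timestamp\ncertname" with the shared secret and sends certname, ts and mac as query parameters. Wrapping the endpoint in TLS with client-certificate verification for the provisioning host would be the next step; the HMAC alone only stops replay and tampering, not a stolen secret.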
Ohad Levy
2011-Apr-27 21:54 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
> OK, just had to post this! I found a solution to my issues that may
> help others.
>
> http://glarizza.posterous.com/managing-puppet-ssl-certificates

fyi - as the original author of that script... the same functionality exists within foreman.

Ohad

> Basically a CGI script located on you CA Server. You can pass the
> hostname/certname that you want to clean via http to the script and
> have it clean it off the CA Server. More details in the link above.
> This is working great for me and I'll be using it until similar
> functionality is included by default in puppet.
>
> Regards,
> Jake
Jake - USPS
2011-Apr-27 23:56 UTC
[Puppet Users] Re: Force resigning of existing certificates
That's too funny ... I took a look at the installation instructions for foreman and it didn't look too complicated, so I'll give it a try tomorrow. Is it pretty intuitive to use, or do you want to point me to documentation to set up doing what I'm doing above in it?

Thanks,
Jake

On Apr 27, 4:54 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> [...]
> fyi - as the original author of that script... the same functionality exists
> within foreman.
>
> Ohad
Matt Wise
2011-Apr-28 14:30 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud Foreman for adding it as functionality though in their own code.

For our situation, we ended up writing our own CGI script on the Puppet CA servers as well as a client-side script that runs periodically on the clients to verify whether or not their cert is still valid. When their cert gets close to expiring, it checks in with the CGI script and supplies the original CSR that the host used for its first cert request to puppet. Our CGI script then has permissions to run some openssl commands, and generates a whole new cert for the client and passes it back. This all happens over SSL of course, and is only allowed for clients that still have a valid certificate anyway. It's not pretty, but it's how we solved the problem... and it's worked so far. We have ~600 hosts and they each get a new cert every 25 days.

Ideally there would be this functionality built into puppet... when a client checked in, the server would check if the cert is within X days of expiring. If it is, it would generate a new cert and pass it back to the client automatically. Of course this would be an 'option', but it seems like an obvious feature addition.

I looked and could not find an actual bug report requesting this functionality explicitly, so I opened one: http://projects.puppetlabs.com/issues/7272

On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
> [...]
> fyi - as the original author of that script... the same functionality exists within foreman.
>
> Ohad
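Two mechanics in this thread are worth seeing in code: the check behind the OP's "Retrieved certificate does not match private key" error, and the near-expiry re-signing Matt describes. The block below is an added example written for this page with Ruby's stdlib OpenSSL bindings; it is neither Puppet's CA code nor Matt's script. It builds a toy CA in memory, signs an agent CSR, shows the key/cert comparison that fails when a reinstalled host holds a new key but the master still hands back the old cert, and implements a renewal rule that re-signs the original CSR only while the presented cert was issued by this CA, is still valid, is inside the renewal window, and carries the same subject and public key as the CSR (so a key swap is refused). Key sizes, validity periods and the certname build01.example.com are constructed for the example.

```ruby
require 'openssl'

DAY = 86_400

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Toy CA held in memory: stand-in for the master's $ssldir/ca.
def make_ca(cn = 'Puppet CA: toy.example.com')
  key = new_key
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - DAY
  cert.not_after = Time.now + 10 * 365 * DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert, next_serial: 2 }
end

# Agent side on first run: a CSR for its certname, signed with its own key.
def agent_csr(certname, key)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# CA side: issue a cert for a CSR whose self-signature checks out.
def ca_sign(ca, csr, days:, now: Time.now)
  raise ArgumentError, 'CSR signature does not verify' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca[:next_serial]
  ca[:next_serial] += 1
  cert.subject = csr.subject
  cert.issuer = ca[:cert].subject
  cert.public_key = csr.public_key
  cert.not_before = now - 60
  cert.not_after = now + days * DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca[:cert]
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  cert
end

# The test behind "Retrieved certificate does not match private key": the cert the
# master hands back must carry the public half of the key now in the agent's $ssldir.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Renewal rule in the spirit of Matt's CGI: re-sign the ORIGINAL CSR only if the caller
# presents a cert this CA issued, still valid, within window_days of expiry, whose
# subject and public key match the CSR. Returns the new cert, or nil on any failure.
def renew_if_expiring(ca, current_cert, csr, window_days:, days:, now: Time.now)
  return nil unless current_cert.verify(ca[:key].public_key)
  return nil unless now.between?(current_cert.not_before, current_cert.not_after)
  return nil unless current_cert.not_after - now <= window_days * DAY
  return nil unless csr.subject.to_s == current_cert.subject.to_s
  return nil unless csr.public_key.to_der == current_cert.public_key.to_der
  ca_sign(ca, csr, days: days, now: now)
end

if __FILE__ == $PROGRAM_NAME
  ca = make_ca
  first_key = new_key
  csr = agent_csr('build01.example.com', first_key)
  issued = ca_sign(ca, csr, days: 30)
  puts "same host, same key:          #{cert_matches_key?(issued, first_key)}"
  reinstalled_key = new_key # fresh OS, fresh $ssldir, same hostname: the OP's case
  puts "reinstalled host, old cert:   #{cert_matches_key?(issued, reinstalled_key)}"
  later = Time.now + 25 * DAY
  puts "renewed 5 days before expiry: #{!renew_if_expiring(ca, issued, csr, window_days: 7, days: 30, now: later).nil?}"
  swapped = agent_csr('build01.example.com', reinstalled_key)
  puts "swapped key refused:          #{renew_if_expiring(ca, issued, swapped, window_days: 7, days: 30, now: later).nil?}"
end
```

The renewal path never touches the CA's signed-cert store for a different name and never accepts a CSR whose key differs from the one already trusted, which is what keeps it from becoming the automated revocation Felix objected to: a reinstalled host with a fresh key still has to go through a human or a separately authenticated clean.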
Trevor Vaughan
2011-Apr-28 16:05 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
Out of curiosity, if you're going to do this, why not just set the TTL to 100y and be done with it? Doesn't help old systems, but certainly fixes new ones without the need for constant re-signing.

Trevor

On Thu, Apr 28, 2011 at 10:30 AM, Matt Wise <wise@wiredgeek.net> wrote:
> Unfortunately, this is still a 'missing feature' of Puppet IMO. I applaud
> Foreman for adding it as functionality though in their own code. For our
> situation, we ended up writing our own CGI script on the Puppet CA servers
> as well as a client-side script that runs periodically on the clients to
> verify whether or not their cert is still valid. When their cert gets
> close-to-expiring, it checks in with the CGI script and supplies the
> original CSR that the host used for its first cert request to puppet. Our
> CGI script then has permissions to run some openssl commands, and generates
> a whole new cert for the client and passes it back. This all happens over
> SSL of course, and is only allowed for clients that still have a valid
> certificate anyways. It's not pretty, but it's how we solved the problem...
> and it's worked so far. We have ~600 hosts and they each get a new cert every
> 25 days.
>
> Ideally there would be this functionality built into puppet... when a client
> checked in, the server would check if the cert is within X days of expiring.
> If it is, it would generate a new cert and pass it back to the client
> automatically. Of course this would be an 'option', but it seems like an
> obvious feature addition.
>
> I looked and could not find an actual bug report requesting this
> functionality explicitly, so I opened one:
> http://projects.puppetlabs.com/issues/7272
>
> On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
>
> On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
>>
>> OK, just had to post this! I found a solution to my issues that may
>> help others.
>>
>> http://glarizza.posterous.com/managing-puppet-ssl-certificates
>
> fyi - as the original author of that script... the same functionality exists
> within foreman.
> Ohad
>>
>> Basically a CGI script located on your CA Server. You can pass the
>> hostname/certname that you want to clean via http to the script and
>> have it clean it off the CA Server. More details in the link above.
>> This is working great for me and I'll be using it until similar
>> functionality is included by default in puppet.
>>
>> Regards,
>> Jake

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
Jake - USPS
2011-Apr-29 17:32 UTC
[Puppet Users] Re: Force resigning of existing certificates
Yea, I'm new to puppet ... sounds like now I have to worry about certs eventually expiring and regenerate/sign them to keep nodes happy?

Seems Trevor suggests increasing TTL. How can I do this if I wanted to?

Thanks,
Jake
Matt Wise
2011-May-03 17:53 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll ultimately need to re-sign the certs for clients when they expire. the default is 1 year though, so it'll be a while.

On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:
> Yea, I'm new to puppet ... sounds like now I have to worry about certs
> eventually expiring and regenerate/sign them to keep nodes happy?
>
> Seems Trevor suggests increasing TTL. How can I do this if I wanted
> to?
>
> Thanks,
> Jake
Jake - USPS
2011-May-03 18:29 UTC
[Puppet Users] Re: Force resigning of existing certificates
Thanks for the response. I found it in the genconf now. Looks like default is 5y. I'll be changing it for my needs.

Thanks!
Jake

On May 3, 12:53 pm, Matt Wise <w...@wiredgeek.net> wrote:
> the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
> ultimately need to re-sign the certs for clients when they expire. the
> default is 1 year though, so it'll be a while.
Ohad Levy
2011-May-03 20:30 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
On Tue, May 3, 2011 at 9:29 PM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
> Thanks for the response. I found it in the genconf now. Looks like
> default is 5y. I'll be changing it for my needs.
>

note that the CA itself is signed for 5 years too... (and it seems that the CRL as well - which is wrong).

Ohad

> Thanks!
> Jake
Jake - USPS
2011-May-04 02:08 UTC
[Puppet Users] Re: Force resigning of existing certificates
So does that mean those will be updated as well (if ca_ttl is set before they are generated), or are they 5y regardless and using anything higher than 5y does not matter? Or are you just throwing a fact out there and it doesn't matter to me and I'll be OK?

Thanks,
Jake

On May 3, 3:30 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Tue, May 3, 2011 at 9:29 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > Thanks for the response. I found it in the genconf now. Looks like
> > default is 5y. I'll be changing it for my needs.
>
> note that the CA itself is signed for 5 years too... (and it seems that the
> CRL as well - which is wrong).
>
> Ohad
>
> > Thanks!
> > Jake
> >
> > On May 3, 12:53 pm, Matt Wise <w...@wiredgeek.net> wrote:
> > > the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
> > > ultimately need to re-sign the certs for clients when they expire. the
> > > default is 1 year though, so it'll be a while.
> > >
> > > On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:
> > > > Yea, I'm new to puppet ... sounds like now I have to worry about certs
> > > > eventually expiring and regenerate/sign them to keep nodes happy?
> > > >
> > > > Seems Trevor suggests increasing TTL. How can I do this if I wanted
> > > > to?
> > > >
> > > > Thanks,
> > > > Jake
> > > >
> > > > On Apr 28, 9:30 am, Matt Wise <w...@wiredgeek.net> wrote:
> > > > > Unfortunately, this is still a 'missing feature' of Puppet IMO. I
> > > > > applaud Foreman for adding it as functionality though in their own code. For
> > > > > our situation, we ended up writing our own CGI script on the Puppet CA
> > > > > servers as well as a client-side script that runs periodically on the
> > > > > clients to verify whether or not their cert is still valid. When their cert
> > > > > gets close-to-expiring, it checks in with the CGI script and supplies the
> > > > > original CSR that the host used for its first cert request to puppet. Our
> > > > > CGI script then has permissions to run some openssl commands, and generates
> > > > > a whole new cert for the client and passes it back. This all happens over
> > > > > SSL of course, and is only allowed for clients that still have a valid
> > > > > certificate anyways. It's not pretty, but it's how we solved the problem...
> > > > > and it's worked so far. We have ~600 hosts and they each get a new cert every
> > > > > 25 days.
> > > > >
> > > > > Ideally there would be this functionality built into puppet... when a
> > > > > client checked in, the server would check if the cert is within X days of
> > > > > expiring. If it is, it would generate a new cert and pass it back to the
> > > > > client automatically. Of course this would be an 'option', but it seems like
> > > > > an obvious feature addition.
> > > > >
> > > > > I looked and could not find an actual bug report requesting this
> > > > > functionality explicitly, so I opened one:
> > > > >
> > > > > http://projects.puppetlabs.com/issues/7272
> > > > >
> > > > > On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:
> > > > > > On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > OK, just had to post this! I found a solution to my issues that may
> > > > > > > help others.
> > > > > > >
> > > > > > > http://glarizza.posterous.com/managing-puppet-ssl-certificates
> > > > > >
> > > > > > fyi - as the original author of that script... the same functionality
> > > > > > exists within foreman.
> > > > > >
> > > > > > Ohad
> > > > > >
> > > > > > > Basically a CGI script located on your CA Server. You can pass the
> > > > > > > hostname/certname that you want to clean via http to the script and
> > > > > > > have it clean it off the CA Server. More details in the link above.
> > > > > > > This is working great for me and I'll be using it until similar
> > > > > > > functionality is included by default in puppet.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jake
> > > > > > >
> > > > > > > On Apr 14, 8:50 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > Nevermind, looks like it's in 2.7.0rc1
> > > > > > > > http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
> > > > > > > > cb01221 (#3360) Add an allow_duplicate_certs option
> > > > > > > >
> > > > > > > > On Apr 14, 8:45 am, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > > Thanks for the reply. I'm just starting to understand puppet, so I
> > > > > > > > > would like not to mess with that ... yet. It does look very
> > > > > > > > > interesting though, so thanks for bringing that up.
> > > > > > > > >
> > > > > > > > > Derek,
> > > > > > > > >
> > > > > > > > > Thanks for the bug. That looks like it includes some things that I
> > > > > > > > > would like ... like the allow duplicate cert and whatnot. It looks
> > > > > > > > > like its status closed as of 14 hours ago. Does that mean it is in
> > > > > > > > > some release of puppet now, or just that code is ready to eventually
> > > > > > > > > be implemented? I'd like to start trying it out right away as my
> > > > > > > > > 'solution' doesn't seem to work well with dashboard.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Jake
> > > > > > > > >
> > > > > > > > > On Apr 14, 8:41 am, Ohad Levy <ohadl...@gmail.com> wrote:
> > > > > > > > > > On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > > > > > > > > > > Also, what is foreman and how could it help. Not familiar with that
> > > > > > > > > > > product.
> > > > > > > > > >
> > > > > > > > > > Foreman takes care for the entire process, things like provisioning, class
> > > > > > > > > > assignments and reporting are all done through it (and many many other
> > > > > > > > > > features).
> > > > > > > > > >
> > > > > > > > > > see http://theforeman.org for more details.
> > > > > > > > > >
> > > > > > > > > > Ohad

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
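The renewal workflow Matt Wise describes in the quoted thread (a client periodically checks how close its cert is to expiring, then presents its original CSR to a CA-side script that re-issues only to clients still holding a valid cert) as an added Ruby sketch; this is example code written here, not Puppet's, Foreman's or Matt's script, and the throwaway CA, the certname `node1.example.test` and the exact checks are constructed for illustration.

```ruby
require 'openssl'

# Client side: is this cert within `window_days` of its notAfter?
def renewal_due?(cert_pem, window_days, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.not_after - now <= window_days * 86_400
end

# CA side: re-issue only when the presented CSR belongs to the same key pair
# as a still-valid cert that this CA issued for the same certname.
def renewal_allowed?(csr_pem, cert_pem, ca_cert, now = Time.now)
  csr  = OpenSSL::X509::Request.new(csr_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  return false unless csr.verify(csr.public_key)       # CSR self-signature intact
  return false unless cert.verify(ca_cert.public_key)  # cert really issued by us
  return false unless now.between?(cert.not_before, cert.not_after)
  return false unless csr.subject == cert.subject      # same certname
  csr.public_key.to_der == cert.public_key.to_der      # same key pair
end

# Build a PEM CSR for certname `cn`, signed with `key`.
def csr_for(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Constructed fixture (not real Puppet CA material): a throwaway CA with the
# 5y default lifetime, one client key, its CSR and a cert good for `days`.
def build_fixture(issued_at, days)
  ca_key, client_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')
  ca.public_key, ca.not_before = ca_key.public_key, issued_at
  ca.not_after = issued_at + 5 * 365 * 86_400
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  csr = OpenSSL::X509::Request.new(csr_for('node1.example.test', client_key))
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 2
  cert.subject, cert.issuer, cert.public_key = csr.subject, ca.subject, csr.public_key
  cert.not_before, cert.not_after = issued_at, issued_at + days * 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  { ca: ca, client_key: client_key, csr: csr.to_pem, cert: cert.to_pem }
end
```

A CSR signed with a different key for the same certname fails the last check, which is the condition a CA-side renewal endpoint should reject rather than silently re-sign.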
Jake - USPS
2011-May-04 14:39 UTC
[Puppet Users] Re: Force resigning of existing certificates
I responded to this last night but don't see my reply still this morning so I'm going to respond again.

I had a question about if the CA and CRL being signed for 5 years is static or also controlled by ca_ttl. If they are 5y regardless/static, is there some sort of action I need to take when they expire or does puppet take care of them automatically? Just want to make sure whether upping ca_ttl is good enough for me or if there are other things I need to potentially be aware of.

Thanks,
Jake

On May 3, 3:30 pm, Ohad Levy <ohadl...@gmail.com> wrote:
> On Tue, May 3, 2011 at 9:29 PM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> > Thanks for the response. I found it in the genconf now. Looks like
> > default is 5y. I'll be changing it for my needs.
>
> note that the CA itself is signed for 5 years too... (and it seems that the
> CRL as well - which is wrong).
>
> Ohad
Nigel Kersten
2011-May-04 14:51 UTC
Re: [Puppet Users] Re: Force resigning of existing certificates
On Wed, May 4, 2011 at 2:39 PM, Jake - USPS <jacob.m.mccann@usps.gov> wrote:
> I responded to this last night but don't see my reply still this
> morning so I'm going to respond again.

For some reason Google Groups thought your message was spam. I just sent it through.

> I had a question about if the CA and CRL being signed for 5 years is
> static or also controlled by ca_ttl. If they are 5y regardless/
> static, is there some sort of action I need to take when they expire
> or does puppet take care of them automatically? Just want to make
> sure whether upping ca_ttl is good enough for me or if there are other
> things I need to potentially be aware of.

Puppet doesn't take care of them automatically. We've seen a few different methods for automating the renewal process, but we're lacking a definitive guide, which we should all get together.