Jake - USPS
2011-Apr-14 14:37 UTC
[Puppet Users] allow_duplicate_certs = true not working?
I saw this feature became available in 2.7.0rc1 and wanted to try it out. I entered 'allow_duplicate_certs = true' on both my master and agent systems in the puppet.conf (not sure if it's needed in both, saw it in genconf for puppetd and puppetmasterd though ...). I also have autosign.conf configured to allow autosigning for our domain (*.domain.com). I had my agent register with the master for the first time, works good (always has ;). Now on my agent I removed the ssl directory. Do another test run, it generates new certs on the agent system and tries to communicate with the master. I then receive the following error on the agent:

info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: /File[/etc/puppet/ssl]: Scheduling refresh of (completed_/etc/puppet/ssl)
notice: /Whit[completed_/etc/puppet/ssl]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/private]: Scheduling refresh of (completed_/etc/puppet/ssl/private)
notice: /Whit[completed_/etc/puppet/ssl/private]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/certs]: Scheduling refresh of (completed_/etc/puppet/ssl/certs)
info: /File[/etc/puppet/ssl/certificate_requests]: Scheduling refresh of (completed_/etc/puppet/ssl/certificate_requests)
notice: /Whit[completed_/etc/puppet/ssl/certificate_requests]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/private_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/private_keys)
notice: /Whit[completed_/etc/puppet/ssl/private_keys]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/public_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/public_keys)
notice: /Whit[completed_/etc/puppet/ssl/public_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certs]: Triggered 'refresh' from 1 events
info: Creating a new SSL key for XXX
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for XXX
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

I guess I was expecting for this to work fine when 'allow_duplicate_certs = true'. Maybe I misconfigured something? Maybe I'm misunderstanding how allow_duplicate_certs behaves?

Thanks!
Jake

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dominic Maraglia
2011-Apr-14 16:35 UTC
Re: [Puppet Users] allow_duplicate_certs = true not working?
Jake,

Can you please try the following steps and see if these allow you to use duplicate certs?

On your Puppet Master node:

- Stop the Puppet Master daemon.
- Restart your Puppet Master as follows:
  puppet master --allow_duplicate_certs --certdnsnames="puppet:$(hostname -s):$(hostname -f)" --verbose --noop

On a Puppet Agent node:

- Generate a cert:
  puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master
- Generate a second cert:
  puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master

I would be quite interested to know the outcome of these steps.

Cheers,

Dominic Maraglia
Jake - USPS
2011-Apr-14 17:33 UTC
[Puppet Users] Re: allow_duplicate_certs = true not working?
I can give that a try ... does that mean I wouldn't be able to use passenger like I currently am to get this to work?

I'll let you know of my results shortly.

Regards,
Jake
Jake - USPS
2011-Apr-14 17:42 UTC
[Puppet Users] Re: allow_duplicate_certs = true not working?
Here is the output:

eagnmnmbpe20:/etc/puppet # puppet certificate generate `hostname` --ca-location remote --server eagnmnmbpe26.usps.gov --masterport 9443
notice: /Whit[completed_/etc/puppet/ssl]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/private]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certificate_requests]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/private_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/public_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certs]: Triggered 'refresh' from 1 events
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
eagnmnmbpe20:/etc/puppet # puppet certificate generate `hostname` --ca-location remote --server eagnmnmbpe26.usps.gov --masterport 9443
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
eagnmnmbpe20:/etc/puppet # puppetd --test
info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: Creating a new SSL key for eagnmnmbpe20.usps.gov
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for eagnmnmbpe20.usps.gov
info: Certificate Request fingerprint (md5): 35:FF:A7:2B:15:2B:AA:BD:4E:B7:33:58:D6:CF:3A:EA
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for eagnmnmbpe20.usps.gov
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
info: Loading facts in hcs_service
info: Loading facts in buildinfo
info: Loading facts in uspspuppetfacts
info: Loading facts in memorysize
info: Loading facts in network
info: Loading facts in os_version
info: Loading facts in hcs_service
info: Loading facts in buildinfo
info: Loading facts in uspspuppetfacts
info: Loading facts in memorysize
info: Loading facts in network
info: Loading facts in os_version
info: Caching catalog for eagnmnmbpe20.usps.gov
info: /User[oracle]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: /User[oracrs]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: Applying configuration version '1302802640'
notice: Finished catalog run in 3.76 seconds

But if I then remove /etc/puppet/ssl and do it again (without cleaning the cert on master with puppetca --clean eagnmnmbpe20.usps.gov):

eagnmnmbpe20:/etc/puppet # rm -rf ssl
eagnmnmbpe20:/etc/puppet # puppet certificate generate `hostname` --ca-location remote --server eagnmnmbpe26.usps.gov --masterport 9443
notice: /Whit[completed_/etc/puppet/ssl]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/private]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certificate_requests]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/private_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/public_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certs]: Triggered 'refresh' from 1 events
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
eagnmnmbpe20:/etc/puppet # puppet certificate generate `hostname` --ca-location remote --server eagnmnmbpe26.usps.gov --masterport 9443
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
eagnmnmbpe20:/etc/puppet # puppetd --test
info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: Creating a new SSL key for eagnmnmbpe20.usps.gov
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for eagnmnmbpe20.usps.gov
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

So the 'puppet certificate' commands on the agent seem OK, but a test run still fails.

Thanks,
Jake
Dominic Maraglia
2011-Apr-14 17:45 UTC
Re: [Puppet Users] Re: allow_duplicate_certs = true not working?
Jake,

We are investigating additional use cases for "allow_duplicate_certs" functionality; stay tuned for more information on this topic.

In the meantime, we'd be very interested in your test results and a bit of information about your platform would be much appreciated as well.

Cheers,
Dominic
Jake - USPS
2011-Apr-14 17:52 UTC
[Puppet Users] Re: allow_duplicate_certs = true not working?
Test results posted, you may have posted shortly after I did. ;)

We are using SLES 10. I'm not exactly sure what other information you want ... here are some of the relevant packages we have installed:

usps-augeas-0.7.4-1.sles10
usps-ruby-gem-test-unit-2.1.2-1.sles10
usps-ruby-augeas-0.3.0-1.sles10
usps-puppet-dashboard-1.1.0.3-1.sles10
usps-ruby-1.8.7-1.sles10
usps-ruby-gem-rake-0.8.7-1.sles10
usps-ruby-gem-rack-1.2.1-1.sles10
usps-ruby-gem-passenger-3.0.2-1.sles10
usps-ruby-gem-sys-admin-1.5.4-1.sles10
usps-ruby-gem-mysql-2.8.1-1.sles10
usps-rubygems-1.4.1-1.sles10
usps-facter-1.5.8-1.sles10
usps-puppetmaster-2.7.0.1-1.sles10

We are running the puppetmaster through passenger, although my tests above are running it as you told me. If you want anything else, just let me know.

Thanks for checking this out,
Jake
Matt Robinson
2011-Apr-14 17:58 UTC
Re: [Puppet Users] Re: allow_duplicate_certs = true not working?
Jake

The behavior in 2.7 when running the master with --allow_duplicate_certs set is the same as in 2.6.x in that you can manually (using something like curl or the new 'puppet certificate' face) generate multiple certs with same CN name, but the agent errors the same way regardless of the puppet version. I've updated ticket #3360 with more detail. That ticket is currently closed and should probably stay that way.

I opened two new tickets, #7109 and #7110, to address the confusion with how the agent connects to the master when --allow_duplicate_certs is set. We should decide what the desired behavior is with an agent, and improve the error message that comes back. More detail in both those tickets.

Thanks for testing out 2.7rc1.

Matt
server and >> >>> regenerate it with the current key >> >>> Exiting; failed to retrieve certificate and waitforcert is disabled >> >>> I guess I was expecting for this to work fine when >> >>> ''allow_duplicate_certs = true''. Maybe I misconfigured something? >> >>> Maybe I''m misunderstanding how allow_duplicate_certs behaves? >> >>> Thanks! >> >>> Jake > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jake - USPS
2011-Apr-14 18:57 UTC
[Puppet Users] Re: allow_duplicate_certs = true not working?
Thanks Matt. Just for clarification on why I'm trying to do this. We often rebuild systems in our environment. Things are 'decommissioned', hostname 'released' and new system built with previously used hostname for new purposes. This means currently (as I understand it) part of our decom process would need to include revoking a cert for a system. I'm trying to avoid this step as less work is always better, we have a lot of systems we manage so this isn't something that would be done infrequently and I'm also afraid of admins as part of a decom process would by accident revoke a cert for the wrong system.

So I was hoping with this that I would be able to decom a system, rebuild it and with the allow_duplicate_certs just automatically use a new cert for that hostname. By removing the ssl dir on an agent system I'm assuming this would be a valid test to simulate a decom/rebuild/reregister puppet without all that hassle.

Thanks for opening the additional bugs on this. One thing I'm wondering is if I'm missing something that maybe people already do to deal with my type of situation.

Regards,
Jake
Patrick
2011-Apr-15 06:30 UTC
Re: [Puppet Users] Re: allow_duplicate_certs = true not working?
This is a problem for us too. To fix it, we don't use the normal puppet key signing process. Instead, keys are created on the puppetmaster and sent to the clients when the clients finish installing. Workstation keys for computers that aren't sensitive are sent automatically. The keys for sensitive computers (servers) are copied by hand by a system admin. The second happens so little, that it's fine for us.
Russell Howe
2011-Apr-15 08:36 UTC
RE: [Puppet Users] Re: allow_duplicate_certs = true not working?
Apologies for sending an email from Outlook, but could you store up a stash of the certificate and private key from when a host is commissioned and then place it on the host next time it's built?

--
Russell Howe
rhowe@moonfruit.com
Jake - USPS
2011-Apr-15 14:45 UTC
[Puppet Users] Re: allow_duplicate_certs = true not working?
Thank you Patrick and Russell for your inputs.

Patrick,
With your solution, do you generate the keys by hand then on the puppetmaster? Do you also manually send the generated cert to the client? I'm guessing it's all actually automated, just trying to figure out how since I'm fairly new with puppet. What I'm doing currently is building a base OS with AutoYast (SLES), then in post install scripts of autoyast installing puppet and having it 'finish' the install by running the agent. So I'm hoping to find a solution that could integrate with this current build process.

Russell,
I understand your idea. I'm thinking of giving this a try.

Thanks,
Jake
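The agent error quoted in this thread ("Retrieved certificate does not match private key") and Russell's suggestion to restore a stashed certificate and key both come down to whether a certificate's public key matches a given private key. The script below is an added example, not code from any poster or from Puppet: it rebuilds that situation with openssl and checks each pair. The file names, the CN agent01.example.com and the self-signed certificate standing in for the copy the master retains are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File names and the CN are constructed.

# Exit 0 if the certificate's public key equals the one derived from the
# private key, 1 if they differ, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Recreate the rebuild case in directory $1:
#   first build -> key A plus a certificate for the hostname (self-signed
#                  here, standing in for the copy the master still holds)
#   rebuild     -> ssl directory removed, a fresh key B for the same name
make_rebuild_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=agent01.example.com" \
        -keyout "$dir/key_first_build.pem" -out "$dir/cert_on_master.pem" \
        2>/dev/null || return 2
    openssl genrsa -out "$dir/key_after_rebuild.pem" 2048 2>/dev/null || return 2
}

# Print "match", "mismatch" or "unreadable" for a certificate/key pair.
check_pair() {
    if cert_matches_key "$1" "$2"; then
        echo "match"
    else
        case $? in
            1) echo "mismatch" ;;
            *) echo "unreadable" ;;
        esac
    fi
}

workdir=$(mktemp -d)
make_rebuild_fixture "$workdir"
# A stashed key restored after the rebuild still fits the retained certificate.
echo "stashed key: $(check_pair "$workdir/cert_on_master.pem" "$workdir/key_first_build.pem")"
# A key regenerated after wiping the ssl directory does not.
echo "rebuilt key: $(check_pair "$workdir/cert_on_master.pem" "$workdir/key_after_rebuild.pem")"
rm -rf "$workdir"
```

Running the same check against a stashed pair before placing it on a rebuilt host catches a wrong or stale key before the agent's first run.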