Max Martin
2011-Apr-20 21:58 UTC
Re: [PATCH/puppet 1/1] (#5528) Add REST API for signing, revoking, retrieving, cleaning certs
Hi Arm,

It sounds like the problem here is that your puppet agents are running as daemons, and kicking them isn't causing them to check for a signed cert. I would suggest that you run your agents using --no-daemonize, and set up a cron schedule for them to check in with the master, which will cause them to check for any signed certs.

I'm CCing this to the public dev and user lists in case anyone else has any better ideas, and don't hesitate to reply again if you run into any more issues.

Thanks for the feedback!

On Wed, Apr 20, 2011 at 2:05 PM, Arm Adam <arm.adam.groups@gmail.com> wrote:
> This REST api is very interesting to us. However, one issue we have
> is that we don't know when an agent has actually picked up the
> certificates. For example, we bring a new puppet agent online and it
> connects to the master to generate a certificate request. We sign the
> request and get an immediate response from the puppet master
> certificate command, but when we subsequently attempt to perform a
> kick, it fails due to a connection refused. This will happen until
> the agent actually picks up the signed certificate.
>
> So,
>
> 1) How can we determine if a certificate is signed AND has been picked
> up by the agent?
> 2) How can we force the agent to connect and pick up the signed
> certificates without having access to the agent system.
>
> Notes:
> We don't want to have to connect to an agent. Only the master.
> We don't have agent hostname prior to it coming online. According to
> what we've seen online pre-generating and distributing keys is not an
> option given that constraint.
>
> Thank you for your help!
>

--
Max Martin
(404) 585-1840
Puppet Labs
http://www.puppetlabs.com