TJ Yang
2011-Jun-17 12:49 UTC
[Puppet Users] Questions for puppet 2.6.8 client certificate management
How do I initiate a certificate request without going into non-daemon mode?

According to "Pro Puppet" book, so far the only way I know that can
trigger a certificate request with puppet master is like this

puppet agent --server=puppetmaster.test.com --no-daemonize --verbose

but doing so will break my intention of automation I need to create a
puppet client package. A control-C is needed to terminate the process.
I have puppetmaster configured to be auto grant and sign certificate
requests. and I like puppet client can auto issue a request which will
be granted and start itself up when running
"/etc/init.d/puppetagent268 start"

Is there a command "puppet cert --clean puppetagent1.test.com" for
puppet agent?
For now I have to go into $ssldir subdirectory to manually cleanup
existing certificate.

--
T.J. Yang

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Stefan Goethals
2011-Jun-17 12:52 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
puppet agent --test (-t)

Zipkid

On 17 Jun 2011, at 14:49, TJ Yang wrote:
> How do I initiate a certificate request without going into non-daemon mode?
>
> According to "Pro Puppet" book, so far the only way I know that can
> trigger a certificate request with puppet master is like this
>
> puppet agent --server=puppetmaster.test.com --no-daemonize --verbose
>
> but doing so will break my intention of automation I need to create a
> puppet client package. A control-C is needed to terminate the process.
> I have puppetmaster configured to be auto grant and sign certificate
> requests. and I like puppet client can auto issue a request which will
> be granted and start itself up when running
> "/etc/init.d/puppetagent268 start"
>
> Is there a command "puppet cert --clean puppetagent1.test.com" for
> puppet agent?
> For now I have to go into $ssldir subdirectory to manually cleanup
> existing certificate.
>
> --
> T.J. Yang
Nathan Clemons
2011-Jun-17 13:46 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
I could be wrong, as I'm still on 0.25 myself, but I think you want the
--waitforcert <seconds> option.

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Fri, Jun 17, 2011 at 5:49 AM, TJ Yang <tjyang2001@gmail.com> wrote:
> How do I initiate a certificate request without going into non-daemon mode?
>
> According to "Pro Puppet" book, so far the only way I know that can
> trigger a certificate request with puppet master is like this
>
> puppet agent --server=puppetmaster.test.com --no-daemonize --verbose
>
> but doing so will break my intention of automation I need to create a
> puppet client package. A control-C is needed to terminate the process.
> I have puppetmaster configured to be auto grant and sign certificate
> requests. and I like puppet client can auto issue a request which will
> be granted and start itself up when running
> "/etc/init.d/puppetagent268 start"
>
> Is there a command "puppet cert --clean puppetagent1.test.com" for
> puppet agent?
> For now I have to go into $ssldir subdirectory to manually cleanup
> existing certificate.
>
> --
> T.J. Yang
Martin Alfke
2011-Jun-17 13:47 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
Hi,

On Jun 17, 2011, at 2:49 PM, TJ Yang wrote:
> How do I initiate a certificate request without going into non-daemon mode?
>
> According to "Pro Puppet" book, so far the only way I know that can
> trigger a certificate request with puppet master is like this
>
> puppet agent --server=puppetmaster.test.com --no-daemonize --verbose

We do that by using a tag which does not exist:

puppet agent --test --tags=foo

This creates the client certificate and sends it to the master.
The master autosigns the certificate request and compiles the catalog.
The client will parse for a tag with the name "foo" and will not do anything.

> but doing so will break my intention of automation I need to create a
> puppet client package. A control-C is needed to terminate the process.
> I have puppetmaster configured to be auto grant and sign certificate
> requests. and I like puppet client can auto issue a request which will
> be granted and start itself up when running
> "/etc/init.d/puppetagent268 start"

We have created our own puppet rpm package with an individual puppet.conf.
Upon post installation we run the command given above.

> Is there a command "puppet cert --clean puppetagent1.test.com" for
> puppet agent?
> For now I have to go into $ssldir subdirectory to manually cleanup
> existing certificate.

Do you refer to the master or the client?
The puppet cert command is used for the master only.
On the client we also recursively delete the puppet ssl dir.

Kind regards,

Martin

> --
> T.J. Yang
TJ Yang
2011-Jun-17 14:15 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
Martin

Thanks for the quick reply

On Fri, Jun 17, 2011 at 8:47 AM, Martin Alfke <tuxmea@gmail.com> wrote:
> Hi,
> On Jun 17, 2011, at 2:49 PM, TJ Yang wrote:
>
>> How do I initiate a certificate request without going into non-daemon mode?
>>
>> According to "Pro Puppet" book, so far the only way I know that can
>> trigger a certificate request with puppet master is like this
>>
>> puppet agent --server=puppetmaster.test.com --no-daemonize --verbose
>
> we do that by using a tag which does not exist:
>
> puppet agent --test --tags=foo
>
> This creates the client certificate and sends it to the master.
> The master autosigns the certificate request and compiles the catalog.
> The client will parse for a tag with the name "foo" and will not do anything.

Thanks for the great tip, I will use this in my postinstall script.
I hope tip/hack can be turned into "puppet agent --cert_request" for
future version of puppet.

>> but doing so will break my intention of automation I need to create a
>> puppet client package. A control-C is needed to terminate the process.
>> I have puppetmaster configured to be auto grant and sign certificate
>> requests. and I like puppet client can auto issue a request which will
>> be granted and start itself up when running
>> "/etc/init.d/puppetagent268 start"
>
> We have created our own puppet rpm package with an individual puppet.conf.
> Upon post installation we run the command given above.
>
>> Is there a command "puppet cert --clean puppetagent1.test.com" for
>> puppet agent?
>> For now I have to go into $ssldir subdirectory to manually cleanup
>> existing certificate.
>
> Do you refer to the master or the client?
> The puppet cert command is used for the master only.
> On the client we also recursively delete the puppet ssl dir.

I am referring to puppet agent/client.
I hope future version can support this certificate reset/cleanup on
puppet agent.
For now, I will just do "rm -rf $ssldir " in
"/etc/init.d/puppetclient268 certclean"

tj

> Kind regards,
>
> Martin

--
T.J. Yang
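A guarded form of the "rm -rf $ssldir" cleanup mentioned in the message above, as an added example that is not part of the original thread. The helper name clean_agent_ssl is hypothetical, and the checks assume the default layout in which an agent's ssldir holds certs/ and private_keys/ and a master's CA lives in a ca/ subdirectory of its ssldir.

```shell
#!/bin/sh
# Added example (not from the thread): guarded agent certificate cleanup.
# clean_agent_ssl is a hypothetical helper name.
# Returns 0 when DIR was removed or did not exist, non-zero when refused.
clean_agent_ssl() {
    dir=$1
    # An unset or empty $ssldir must never reach rm: require an absolute path.
    case "$dir" in
        /*) ;;
        *) echo "refusing: '$dir' is not an absolute path" >&2; return 2 ;;
    esac
    # Refuse a symlink so the delete cannot be redirected somewhere else.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 3
    fi
    if [ ! -d "$dir" ]; then
        echo "nothing to clean: $dir does not exist" >&2; return 0
    fi
    # Resolve the physical path; refuse "/" and top-level directories.
    real=$(cd "$dir" && pwd -P) || return 4
    case "$real" in
        /*/*) ;;
        *) echo "refusing: $real is too close to /" >&2; return 4 ;;
    esac
    # With default settings the CA lives in $ssldir/ca on the master;
    # deleting it would destroy the CA key and its signed-certificate records.
    if [ -e "$real/ca" ]; then
        echo "refusing: $real contains a CA directory" >&2; return 5
    fi
    # Only delete something that looks like an agent SSL directory.
    if [ ! -d "$real/certs" ] || [ ! -d "$real/private_keys" ]; then
        echo "refusing: $real does not look like a Puppet ssldir" >&2; return 6
    fi
    rm -rf -- "$real"
}

# Init-script style entry point; "certclean" mirrors the action named above.
if [ "${1:-}" = "certclean" ]; then
    # --configprint prints the configured value; empty output is refused above.
    clean_agent_ssl "$(puppet agent --configprint ssldir 2>/dev/null)"
fi
```

After a cleanup the agent generates a new key and certificate request on its next run, and the master still has to clean the old certificate for that hostname before it will sign the new request.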
TJ Yang
2011-Jun-17 14:30 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
I need to add --server like following, otherwise it won't finish
the run. (I don't have/want puppet entry in my /etc/hosts)

puppet agent --server=puppetmaster.test.com --test

--tags option is not needed in my case.

tj

On Fri, Jun 17, 2011 at 7:52 AM, Stefan Goethals <zipkid.com@gmail.com> wrote:
> puppet agent --test (-t)
>
> Zipkid
>
> On 17 Jun 2011, at 14:49, TJ Yang wrote:
>
>> How do I initiate a certificate request without going into non-daemon mode?
>>
>> According to "Pro Puppet" book, so far the only way I know that can
>> trigger a certificate request with puppet master is like this
>>
>> puppet agent --server=puppetmaster.test.com --no-daemonize --verbose
>>
>> but doing so will break my intention of automation I need to create a
>> puppet client package. A control-C is needed to terminate the process.
>> I have puppetmaster configured to be auto grant and sign certificate
>> requests. and I like puppet client can auto issue a request which will
>> be granted and start itself up when running
>> "/etc/init.d/puppetagent268 start"
>>
>> Is there a command "puppet cert --clean puppetagent1.test.com" for
>> puppet agent?
>> For now I have to go into $ssldir subdirectory to manually cleanup
>> existing certificate.
>>
>> --
>> T.J. Yang

--
T.J. Yang
Nigel Kersten
2011-Jun-17 14:55 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
On Fri, Jun 17, 2011 at 7:15 AM, TJ Yang <tjyang2001@gmail.com> wrote:
> I am referring to puppet agent/client.
> I hope future version can support this certificate reset/cleanup on
> puppet agent.

If you really do want agents to be able to clean certificates on the master,
you can open up the API Access Control in auth.conf and use curl to script
these sorts of API calls.

http://docs.puppetlabs.com/guides/rest_api.html#certificate-request
TJ Yang
2011-Jun-17 15:05 UTC
Re: [Puppet Users] Questions for puppet 2.6.8 client certificate management
On Fri, Jun 17, 2011 at 9:55 AM, Nigel Kersten <nigel@puppetlabs.com> wrote:
> On Fri, Jun 17, 2011 at 7:15 AM, TJ Yang <tjyang2001@gmail.com> wrote:
>>
>> I am referring to puppet agent/client.
>> I hope future version can support this certificate reset/cleanup on
>> puppet agent.
>
> If you really do want agents to be able to clean certificates on the master,

I was looking for a formal way to remove a puppet agent's
certificate, public/private key without running "rm -rf $ssldir".

> you can open up the API Access Control in auth.conf and use curl to script
> these sorts of API calls.

This information is even better for higher degree of automation, so far
I need to do "puppet cert --clean puppetagent1.test.com" on puppet
master in a VT100 session.

Thanks for the pointer.

> http://docs.puppetlabs.com/guides/rest_api.html#certificate-request

--
T.J. Yang