Hi all,

Is there a more elegant way to regenerate the Puppet master certificate than what's described in the CVE-2011-3872 toolkit?

> If you can maintain a secondary shell session to the puppet master server, you can start a WEBrick master with puppet master --no-daemonize --verbose and stop it with ctrl-C.
> If you prefer to only maintain one shell session, you can start a WEBrick master with puppet master and stop it with kill $(cat $(puppet master --configprint pidfile)).

Source: README.pdf inside the toolkit.

I used to be able to do this by running 'puppetca'. But ever since puppetca isn't available anymore I can't seem to find any information on how to do it instead.

Well other than what's described above that is. But that's not feasible in an automated fashion. I'd like to deploy a second puppet master.

Regards,
Tom De Vylder

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Brice Figureau
2011-Oct-25 09:46 UTC
Re: [Puppet Users] Regenerating puppet master certificate
Hi Tom,

On Tue, 2011-10-25 at 11:20 +0200, Tom De Vylder wrote:
> Hi all,
>
> Is there a more elegant way to regenerate the Puppet master certificate than what's described in the CVE-2011-3872 toolkit?

You're talking about generating a master cert or a master CA cert?

> > If you can maintain a secondary shell session to the puppet master server, you can start a WEBrick master with puppet master --no-daemonize --verbose and stop it with ctrl-C.
> > If you prefer to only maintain one shell session, you can start a WEBrick master with puppet master and stop it with kill $(cat $(puppet master --configprint pidfile)).
> Source: README.pdf inside the toolkit.
>
> I used to be able to do this by running 'puppetca'. But ever since puppetca isn't available anymore I can't seem to find any information on how to do it instead.

Puppetca is now called "puppet cert".

> Well other than what's described above that is. But that's not feasible in an automated fashion. I'd like to deploy a second puppet master.

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
Tom De Vylder
2011-Oct-25 10:00 UTC
Re: [Puppet Users] Regenerating puppet master certificate
On 25 Oct 2011, at 11:46, Brice Figureau wrote:
> Hi Tom,
>
> On Tue, 2011-10-25 at 11:20 +0200, Tom De Vylder wrote:
>> Hi all,
>>
>> Is there a more elegant way to regenerate the Puppet master certificate than what's described in the CVE-2011-3872 toolkit?
>
> You're talking about generating a master cert or a master CA cert?

Both actually.

>>> If you can maintain a secondary shell session to the puppet master server, you can start a WEBrick master with puppet master --no-daemonize --verbose and stop it with ctrl-C.
>>> If you prefer to only maintain one shell session, you can start a WEBrick master with puppet master and stop it with kill $(cat $(puppet master --configprint pidfile)).
>> Source: README.pdf inside the toolkit.
>>
>> I used to be able to do this by running 'puppetca'. But ever since puppetca isn't available anymore I can't seem to find any information on how to do it instead.
>
> Puppetca is now called "puppet cert".

Correct me if I'm wrong but it can only generate client certs.

>> Well other than what's described above that is. But that's not feasible in an automated fashion. I'd like to deploy a second puppet master.
>
> --
> Brice Figureau
> Follow the latest Puppet Community evolutions on www.planetpuppet.org!
Nigel Kersten
2011-Oct-25 16:36 UTC
Re: [Puppet Users] Regenerating puppet master certificate
On Tue, Oct 25, 2011 at 3:00 AM, Tom De Vylder <tom@penumbra.be> wrote:
> > Puppetca is now called "puppet cert".
>
> Correct me if I'm wrong but it can only generate client certs.

If you don't have an SSL dir, puppet cert --generate will generate the new CA for you first.

Does that help?

--
Nigel Kersten
Product Manager, Puppet Labs
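Added example, not part of the thread or of Puppet's own tooling: a non-interactive wrapper around the "puppet cert --generate" behaviour described in the reply above, for scripting the setup of a new master. It refuses to run when an SSL dir already exists, because a replacement CA cannot validate certificates the old CA issued; the function names are hypothetical, and it assumes --configprint only reads settings without creating the directory.

```shell
#!/bin/sh
# Added example (not from the thread): scripted CA + master cert bootstrap.
# Assumes a Puppet version where "puppet cert --generate" behaves as described
# in the thread; setting() and bootstrap_master_ssl() are hypothetical names.

# Print a single puppet master setting, e.g. ssldir, certname, cacert, hostcert.
setting() {
    puppet master --configprint "$1"
}

# Returns 0 when a new CA and master certificate were created,
# 2 when an SSL dir already exists (nothing is touched), 1 on any failure.
bootstrap_master_ssl() {
    ssldir=$(setting ssldir) || return 1
    certname=$(setting certname) || return 1
    [ -n "$ssldir" ] && [ -n "$certname" ] || return 1

    # The CA is only created when there is no SSL dir. Never delete one here:
    # a replacement CA cannot validate certificates the old CA issued.
    if [ -e "$ssldir" ]; then
        echo "SSL dir $ssldir exists; not regenerating" >&2
        return 2
    fi

    puppet cert --generate "$certname" || return 1

    # Confirm both the CA certificate and the master certificate were written.
    for f in "$(setting cacert)" "$(setting hostcert)"; do
        if [ ! -s "$f" ]; then
            echo "expected file missing or empty: $f" >&2
            return 1
        fi
    done
    echo "created CA and certificate for $certname under $ssldir"
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    bootstrap_master_ssl
    exit $?
fi
```

Exit status 2 lets a provisioning run tell "already bootstrapped" apart from a real failure.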
Tom De Vylder
2011-Oct-25 18:16 UTC
Re: [Puppet Users] Regenerating puppet master certificate
> On Tue, Oct 25, 2011 at 3:00 AM, Tom De Vylder <tom@penumbra.be> wrote:
> > > Puppetca is now called "puppet cert".
> >
> > Correct me if I'm wrong but it can only generate client certs.
>
> If you don't have an SSL dir, puppet cert --generate will generate the new CA for you first.
>
> Does that help?
>
> --
> Nigel Kersten
> Product Manager, Puppet Labs

Wish I could've found that in the docs.
This will certainly get me going again.

Thx!
Tom
Peter Meier
2011-Oct-26 08:02 UTC
Re: [Puppet Users] Regenerating puppet master certificate
> Wish I could've found that in the docs.
> This will certainly get me going again.

Sounds like a ticket for puppet documentation...

~pete
Brice Figureau
2011-Oct-26 09:36 UTC
Re: [Puppet Users] Regenerating puppet master certificate
On Wed, 2011-10-26 at 10:02 +0200, Peter Meier wrote:
> > Wish I could've found that in the docs.
> > This will certainly get me going again.
>
> Sounds like a ticket for puppet documentation...

What would be awesome is this hidden feature to become a first class feature in puppet cert (like --generateca).

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!