Derek J. Balling
2012-Feb-27 10:58 UTC
[Puppet Users] Certificate Annoyance: Time Differential
We recently had a situation where servers weren't able to use their auto-sign'ed certificates because their local clock was months off from real-time. Of course, it was brand-new hardware straight off the dock and hadn't yet had a chance to have ntp sync the clock to the correct time because, well, puppet is what fires up NTP. :-)

Is there any way to recognize that puppet might be the thing in charge of bringing the clocks into sync, and allowing puppet to ignore certificate-verification failures that are based solely on the time-delta being too high? It certainly seems like it'd be a useful feature.

D

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
<ygor@comcast.net>
2012-Feb-27 11:40 UTC
Re: [Puppet Users] Certificate Annoyance: Time Differential
A suggestion based on how I deal with this:

I use Cobbler to load the operating system and do basic configurations. Then I hand off to Puppet. One thing I do with Cobbler is the initial setting of the system clock using `ntpdate` or `ntpd -q`.

Hope this helps
Derek J. Balling
2012-Feb-27 16:53 UTC
Re: [Puppet Users] Certificate Annoyance: Time Differential
Well, we do it with kickstart and -- typically -- do the same thing. But for some reason it wasn't able to reach the NTP server during kickstart and it was never able to sync the clock before things really got rolling.

And it just occurred to me that since, ostensibly, puppet could be in charge of making sure the NTP services were installed in the first place, that it would make a lot of sense to have this as a feature/option in puppet, to ignore the time-deltas for SSL certs.

D
Jon Davis
2012-Feb-27 17:04 UTC
Re: [Puppet Users] Certificate Annoyance: Time Differential
My solution was to run ntpdate before I ran the puppet join. Since all my client machines are Ubuntu, I know it's pre-installed. After that, puppet installs the ntp service.

My "join" command looks something like:

`apt-get install puppet -y && ntpdate pool.ntp.org && puppet agent --server puppet.company.com`

-Jon

--
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai
<http://twitter.com/shakataganai>
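
The approach the replies converge on (set the clock first, then let puppet verify certificates with date checking left on), as an added example that is not part of any post in this thread. It covers the case where the NTP server is unreachable on the first try by retrying and then refusing to start the agent; `SYNC_CMD`, `JOIN_CMD`, the retry settings and the function names are assumptions, with the two commands defaulting to the ones quoted above.

```shell
#!/bin/sh
# Added example: first-boot join that fixes the clock before puppet checks
# certificate dates. Variable and function names are assumptions of this sketch.
SYNC_CMD=${SYNC_CMD:-"ntpdate pool.ntp.org"}
JOIN_CMD=${JOIN_CMD:-"puppet agent --server puppet.company.com"}
SYNC_TRIES=${SYNC_TRIES:-5}     # attempts before giving up
SYNC_DELAY=${SYNC_DELAY:-10}    # seconds to wait between attempts

# Step the clock once, retrying while the time server is unreachable
# (the kickstart failure described in the thread).
sync_clock() {
    attempt=1
    while [ "$attempt" -le "$SYNC_TRIES" ]; do
        if $SYNC_CMD; then
            echo "clock synced on attempt $attempt: $(date -u)" >&2
            return 0
        fi
        echo "time sync attempt $attempt/$SYNC_TRIES failed" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$SYNC_TRIES" ]; then
            sleep "$SYNC_DELAY"
        fi
    done
    return 1
}

# Fail closed: with an unsynced clock the agent is not started at all,
# so certificate validity dates are never compared against a wrong time.
join_puppet() {
    if ! sync_clock; then
        echo "clock not synced; not starting puppet" >&2
        return 1
    fi
    $JOIN_CMD
}

# Run the join only when invoked as: sh join.sh join
if [ "${1:-}" = "join" ]; then
    join_puppet
fi
```

A non-zero exit from the script lets kickstart or Cobbler post-install logic flag the host instead of leaving it with a failed certificate exchange.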