Displaying 20 results from an estimated 62 matches for "autosign".
2008 Oct 10
2
autosign issues
Hi folks
Back again with another head-scratcher...
I'm trying to get autosigning to work, and am partially succeeding,
but not really...
Running puppet v24.4, and not yet ready to upgrade unless I have to
On puppetmaster, I have autosign.conf (and puppet.conf indicates
autosign = /etc/puppet/autosign.conf, which should be redundant, but,
covering that base as I can)
In au...
2010 Oct 22
2
autosign by IP address range
Hello All.
I read in an earlier post at
http://markmail.org/search/?q=autosign+issues#query:autosign%20issues+page:1+mid:we6jrbn7hdjnhrie+state:results
that as of puppet v24.4, autosigning did not support IP addresses. I
am running v25.5. Is this still the case?
Cheers,
David
--
You received this message because you are subscribed to the Google Groups "Puppet User...
2012 Jul 18
5
See puppet output in stdout when running --no-daemonize inside a bash script
I'm simply trying to run puppet inside a bash script but I'm not seeing any
output.
#!/bin/bash
puppet master --mkusers --autosign --verbose --no-daemonize
Is there an I/O redirection incantation I'm missing?
2006 Oct 18
19
Creating client certificates
I'm testing Puppet 0.19.3. If we decide to use it, we'd deploy it
across several thousand hosts. The method described for creating
client certificates described in the documentation - running
"puppetd --server <server> --waitforcert 60 --test" and "puppetca
--sign <client>" - is not practical for our installation. I've
tried creating
2010 Mar 05
6
About autosigning and the FAQ entry
Hello!
The FAQ contains an entry about autosigning:
http://reductivelabs.com/trac/puppet/wiki/FrequentlyAskedQuestions#why-shouldn-t-i-use-autosign-for-all-my-clients
It says:
> The certificate itself is stored, so two nodes could not connect with the same CN
I tried this (using 0.25.4), and actually, that doesn't seem to be
cor...
2010 Jun 03
8
authenticating new nodes that are created by provisioning
Hey Folks,
I'm looking at doing automated provisioning of new servers and am trying to integrate puppet into this process. What I'm wondering though is what the best process for securely registering a new node is.
At the moment the first time puppet is run I have to then accept the certificate on the puppetmaster and then run puppet again.
What I would like to do is accept the
2010 Jan 28
2
How to execute an arbitrary script when a puppetclient ask for a manifest?
Hi,
I would like to use Puppet in the cloud (think gogrid) to configure
stem images.
Virtual machines are created/destroyed on the fly under control of a
load monitor.
For this reason we cannot sign manually new Puppet clients, instead,
we must use Puppet's autosign feature.
At the moment, Puppet just permits to filter client manifest requests
with some regex over the hostname of the client.
This is not enough, to be sure that the puppet client is a trusted
one, we need some further checks (we need to do some queries to the
cloud API).
How can we have some c...
2011 Jun 30
6
puppet autosign by VLAN IP
Hi,
Can puppet autosign work by giving vlan IP instead of domain?
For example, in the autosign.conf file, instead of using
*.mydomain.org, I want to give 172.18.133.*
But it does not seem to work if I give the IP address. But I don't
want to limit the client from *.mydomain.org by only allow certain
vlan client...
2009 Mar 02
2
Certificate problems
...not retrieve catalog: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A:
unknown protocol
warning: Not using cache on failed catalog
Nevertheless, a certificate for myhost.mydomain appears in $cadir/signed
- despite there being no $confdir/autosign.conf file nor an 'autosign'
entry in $confdir/puppet.conf.
The Mandriva packages also include a couple of additional config files,
/etc/sysconfig/puppetd and /etc/sysconfig/puppetmasterd; but every
non-blank line in both those files is commented out.
I assume it is indeed possib...
2011 Mar 11
6
failed to retrieve certificate on Amazon EC2
...me.domain 2.6.16-xenU #1 SMP Mon May 28 03:41:49 SAST 2007 i686
i686 i386 GNU/Linux
But I keep facing some timeout from puppetd:
warning: peer certificate won't be verified in this SSL session
Exiting; failed to retrieve certificate and waitforcert is disabled
Puppetmaster is running on autosign, and I can see in the puppetmaster logs
that the puppets are actually able to connect and request a certificate:
info: Could not find certificate for 'hostname.domain'
But, nothing else seems to happen on puppetmaster side and the puppetd
finally times out.
Did anybody run in...
2013 May 06
5
Puppetmaster certificate expired
Hello,
We've been running puppet for 5 years until the last week when the
certificate on the puppet server is expired.
We were looking for a procedure describing how to create a new server
certificate without a need to reconfigure certificates on puppet clients
(about 100 servers) but we couldn't find anything regarding this issue
within puppet's documentation.
Is
2013 Oct 16
2
Exported resources not in the catalog
...# Allow services in the 'puppet' group to access key (Foreman + proxy)
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
# Puppet 3.0.x requires this in both [main] and [master] - harmless on
agents
autosign = $confdir/autosign.conf { mode = 664 }
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is ...
2011 Apr 14
10
allow_duplicate_certs = true not working?
I saw this feature became available in 2.7.0rc1 and wanted to try it
out. I entered 'allow_duplicate_certs = true' on both my master and
agent systems in the puppet.conf (not sure if it's needed in both, saw it
in genconf for puppetd and puppetmasterd though ...). I also have
autosign.conf configured to allow autosigning for our domain
(*.domain.com). I had my agent register with the master for the first
time, works good (always has ;). Now on my agent I removed the ssl
directory. Do another test run, it generates new certs on the agent
system and tries to communicate with th...
2008 Jul 28
2
security of auto-sign?
I am looking into alternatives for the initial cert sign for new
puppet clients. We will have non-sysadmins kickstarting new hosts,
and I am trying to minimize the time they have to wait for a cert sign
while maintaining at least a marginally sane level of security.
My question is this: does the puppetmaster check that a new cert
request for host A (csr with subject "cn=A.mydomain") is
2012 Apr 22
2
centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
Hi!
I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with an rpm
supplied by yum.puppetlabs.com.
I've set up an apache2 vhost with mod_ssl and passenger. The server is
configured to autosign the cert requests.
The agent installed on the puppetmaster's server works fine. I've a second
agent on a server which can sync with the server too. This server is on
CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. All virtual
machines are configured to join a n...
2007 Oct 30
1
puppet.conf sections
...= <%= confdir %>
vardir = <%= vardir %>

rundir = /var/run
logdir = /var/log

ssldir = $vardir/ssl

[puppetmasterd]
manifestdir = $vardir/manifests
modulepath = $vardir/modules

[ca]
autosign = false

[puppetd]
listen = true
report = true
splay = false

[reporting]
reports = tagmail

[tagmail]
reportfrom = foo@host
I can only get it to work as expected with:
$Id$

[main]
confdir = <...
2014 Feb 17
0
Custom policy executable
Hi,
I'm trying to create an autosign policy which checks for a custom attribute
in the CSR but I'm having some issue with the master not signing the
request.
My client has the following in /etc/puppet/csr_attributes.yaml
custom_attributes:
  1.2.840.113549.1.9.7: foo
My policy is a simple bash script, in this case checking f...
2009 Jan 09
7
Cannot create /var/lib/puppet/clientbucket; parent directory /var/lib/puppet does not exist
...added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
reports = rrdgraph,store,log
reportdir = $vardir/report
rrddir = $vardir/rrd
rrdinterval = $runinterval
rrdgraph = true
[puppetmaster]
autosign = /etc/puppet/autosign.conf
modulepath = /etc/puppet/manifests/modules
[puppetmasterd]
modulepath = /etc/puppet/manifests/modules
Could someone help me find what my problem is?
Cheers,
Arnau
2012 Oct 29
1
intercept/pre-process cert request?
...IP addr before approving or
denying the request.
Is this even possible, and if so, how do I accomplish it? Even pointers to
the code that gets executed would help, but I'd really like to avoid
mucking with the ca code itself and just add something in the chain.
Filtering on domain in autosign.conf is not sufficient.
thanks,
Lou
2011 Jul 29
2
Odd SSL issue - host not showing with puppet cert --list --all
...the following problem.
I have a client/node registered to the puppet master and it is working
without any issues. On the server I can see it compile the catalog in
the logs. However when I run 'puppet cert --list --all' it is not in
the list. Note we use auto signing (/etc/puppet/autosign.conf).
# Client Working
[root@sitvhmnp161105 ~]# puppet agent --test
info: Retrieving plugin
info: Loading facts in systeminfo
info: Loading facts in systeminfo
info: Caching catalog for sitvhmnp161105.mambodev.local
info: Applying configuration version '1311904488'
notice: Finis...