similar to: Important Security Announcement: AltNames Vulnerability [new version of puppet]

2007 Oct 10
17
Warning for Fedora Core users
Fedora Core 7 has just updated their Ruby package (was 1.8.6.36-3.fc7, is now 1.8.6.110-3.fc7), and the upgrade broke my Puppet installation, and there was a similar report from someone else. Communications between the puppetmasterd and the puppetd running on the same host broke down with the message: Could not retrieve configuration: Certificates were not trusted: hostname not match with
2011 Oct 24
0
Announce: Puppet 2.6.12 Available [security update]
Puppet 2.6.12 is a security update release in the 2.6.x branch. The only changes since 2.6.11 are security fixes for the following vulnerability: * CVE-2011-3872, Altnames Vulnerability For more details on this vulnerability, follow the link on our blog post: http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/ Other information available at:
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
Puppet 2.7.8rc1 is available. 2.7.8rc1 contains everything that was being previewed in the 2.7.7rc series as well as some new content. Key highlight in this release (beyond items from 2.7.7rc series) are: * Allow providers to be selected in the run they become suitable * Showdiff is now not auto-enabled when running in noop mode * Provide default subjectAltNames while bootstrapping
2011 Dec 16
12
Seperate CA's/Master behind load balancer
Hello, Attempting to set up a CA primary/standby as well as separate puppetmaster servers (all running Apache/Passenger) behind another Apache/Passenger type load balancer. Clients are not getting certs:- err: Could not request certificate: Could not intern from s: nested asn1 error Clearly an SSL issue but not something I know a great deal about. loadbalancer.conf # Puppet Load Balancing
2009 Apr 20
2
CA different than hostname?
I'm trying to set up a puppetmaster, and I've got a couple of questions. The first, is a design question. Since I expect to eventually have multiple puppetmaster servers, I'd like to name this one to be named puppet1.example.com. But I'd like my clients to connect via a cname as puppet.example.com. Is this pretty standard? Is there some more common way?
2012 May 30
20
Thoughts on job listings?
How do folks feel about getting Puppet job listings on this list? I've rejected a few that were quite spammy, but when the subject matter really is a system admin with puppet experience, the decision becomes a bit different. I'm looking for general feelings. A simple +1 or -1 would be great. Mike -- You received this message because you are subscribed to the Google Groups
2012 Aug 21
3
mcollective getaddrinfo: Name or service not known
I'm getting these errors when running 'puppet agent --test' after doing a new installation of an agent: err: /Stage[main]/Pe_mcollective::Plugins/File[/opt/puppet/libexec/mcollective/mcollective/security/sshkey.rb]/content: change from {md5}512f42272699eaa085c83d2cc67c27ea to {md5}8fa3e9125fd917948445e3d2621d40e5 failed: Could not back up
2011 Jan 18
3
Failed SSL with CNAME'd puppetserver
Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain, and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer to balance over some 10 puppetmaster processes. The configured SSLCertificateFile in Apache is that of puppet-new.domain How do I get a node to stop complaining when connecting to puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
2012 Jan 26
3
Puppet Dashboard 1.2.5 Available [security update - moderate]
Welcome to the first Puppet Dashboard maintenance release of the new year. This release includes a security update to address CVE-2012-0891, a XSS vulnerability discovered by David Dasz <david@dasz.at>. We have classified the risk from this exposure as moderate. All Puppet Dashboard users are encouraged to upgrade when possible. Puppet Enterprise users should visit
2012 Apr 09
1
Username from rfc822Name subject alternative name
Hello, I'm looking into adding support for extracting the username from client certificate's rfc822Name (from the subjectAltName extension). The question I have is what would be the best approach to do this? Current implementation has a kind of clean code since it just goes through the subject name, extracting the values with X509_NAME_get_text_by_NID (while NID is obtained with
2004 Sep 10
1
flac worse than shorten ON SOME FILES
had to fix the subject... was getting under my skin! yeah, could you put up the FLAC version of the worst track that is less than 20 megs compressed? (I'll have to grab it with a 56k modem). by worst I mean the one where shorten beats flac by the most. also: 1. what version of shorten are you using? 2. what command-line options for flac and shorten did you use on this track? thanks, Josh
2008 Jun 17
1
replace column headers
Hello everyone, I have a question as to how to remove the column headers in a data file and then replace those with titles from another file in this case the file labeled ann (in which the titles are all in one column). I am unsure which function to use. I tried rm () to remove the column headers but they are numbers and the error message said to only use rm for characters not numbers Below is
2012 Feb 11
0
[LLVMdev] (MC) <target>RegisterInfo.td: alternate register names
Folks, Please confirm or correct the following assertions: In Target.td one of the data member fields for class Register is list<string> AltNames. If this is for alternate names for a given register (in Mips $28 and $gp are the same) it would be quite useful for the llvm-mc assembler which has to handle cases where there are multiple names for the same register. A quick recursive grep
2012 Apr 09
14
Taking github noise away from puppet-dev list
Since our move to github for pull requests and patches, the usefulness of puppet-dev has declined significantly. puppet-dev used to be a great list for development discussion of puppet and the ecosystem around it. With the information and pull request emails from github, unless everybody has finely-tuned their email clients, the puppet-dev list has turned into mostly noise. We have a goal to
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]
2014 Feb 28
1
Set a domain name instead of an ip address into tls certificate
I tried to set cn=myMachine instead of cn=192.168.1.x and...everything freezes! virsh -c qemu://.../system tries to connect forever. You really need static ip addresses in the cn field?? I think this is a HUGE bug: you are saying to me that each time I change network or ip (because, dear sirs, dhcp exists) I have to generate a whole new couple of certificates?? I hope it is not the case....
2009 Apr 28
2
Puppet Mongrel Load Balancing + CNAME
Hi I am reading and configuring puppet in relation to http://reductivelabs.com/trac/puppet/wiki/UsingMongrelOnEnterpriseLinux The question I have is in relation to the ssl certificates generated the first time the puppetmaster service is run and the ability to use a CNAME. If the host that I am running the puppetmaster on is server.example.com and I want to use puppet.example.com as a CNAME that
2008 Aug 12
1
LNP Problems
What is the deal with "CSR's"? TWTelecom is telling me that I can't port a number to their service without a Customer Service Record. Apparently this is easy with Verizon, and not so easy with some other companies. Basically I'm at a brick wall with a couple of ports because TWTelecom is telling me I HAVE to get a CSR and certain other providers (Time Warner Cable for
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
I'm running a two headed puppetmaster and have disabled crl's. Let's call them the primary and the secondary. The primary and secondary both use the primary as their master. The secondary only is used when the primary isn't responding (I wrap the puppetd call in cron with a short shell script) I'm managing these ca files on the masters, pushing
2011 Feb 08
12
multiple puppetmasters (w/ Passenger) behind load balancer
Hello Gang, I'm working on scaling my puppet solution, and I'm deploying multiple masters w/ passenger that are going to sit behind a load balancer. If anyone is using this type of setup, would you share how you deal with the SSL certs? I've been following Bode's Blog (http://bodepd.com/wordpress/?p=7), and it's not working too good for me.