Hello! The FAQ contains an entry about autosigning:
http://reductivelabs.com/trac/puppet/wiki/FrequentlyAskedQuestions#why-shouldn-t-i-use-autosign-for-all-my-clients

It says:

> The certificate itself is stored, so two nodes could not connect with the same CN

I tried this (using 0.25.4), and actually, that doesn't seem to be correct. I was able to run puppetd on two different nodes, each with the option "--fqdn alice.mydomain.com", with autosigning enabled for "*.mydomain.com" on the server. Both nodes requested to get their individual certificates signed, and both were signed without complaint. The CA doesn't care about already signed certificates with the same CN. And yes, after this, both nodes were treated as if they were "alice.mydomain.com".

More from the FAQ:

> The problem lies in the fact that the puppetmaster does not make a 1-1 mapping between a
> node and the first certificate it saw for it, and hence multiple certificates can map to
> the same node, for example:

Yep, that seems to be true. But the following example is unnecessarily complicated. It says:

> * alice.mydomain.com connects, gets node alice { } definition.
> * bob.mydomain.com connects with CN alice.bob.mydomain.com,
>   and also matches node alice { } definition.

This led me to believe that specifying the nodes in my manifests using fully qualified names could help, but it does not, since "bob.mydomain.com" can simply pretend to be "alice.mydomain.com" as well.

Are there any plans to improve security for autosigning, i.e. to prevent re-signing a certificate for a CN (or node) that already has a signed certificate?

Best Regards,
Claus
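An added example, not from Claus's message and not Puppet's own code: a check a puppetmaster admin could run over the CA's signing inventory to spot CNs that were signed more than once, which is the symptom described above. It assumes the inventory is a text file with one line per signed certificate in the form `<hex serial> <not_before> <not_after> <subject>`; the sample lines below are constructed.

```ruby
# Constructed sample of a CA inventory file. Format assumed:
# "<hex serial> <not_before> <not_after> <subject>", one signed cert per line.
SAMPLE_INVENTORY = <<~INV
  0x0001 2010-04-13T10:00:00GMT 2015-04-12T10:00:00GMT /CN=puppetmaster.mydomain.com
  0x0002 2010-04-13T10:05:00GMT 2015-04-12T10:05:00GMT /CN=alice.mydomain.com
  0x0003 2010-04-13T10:07:00GMT 2015-04-12T10:07:00GMT /CN=bob.mydomain.com
  0x0004 2010-04-13T10:09:00GMT 2015-04-12T10:09:00GMT /CN=alice.mydomain.com
INV

# Parse inventory text into an array of { serial:, not_before:, cn: } hashes.
# Blank or malformed lines are skipped rather than raising.
def parse_inventory(text)
  text.each_line.map do |line|
    next if line.strip.empty?
    serial, not_before, _not_after, subject = line.strip.split(/\s+/, 4)
    cn = subject && subject[%r{/CN=([^/\s]+)}, 1]
    next unless serial && cn
    { serial: serial.hex, not_before: not_before, cn: cn }
  end.compact
end

# Return { cn => [serials] } for every CN that appears more than once.
# With wildcard autosign, a second entry for an existing CN is exactly the
# "two nodes with the same CN" case the FAQ says cannot happen.
def duplicate_cns(text)
  result = {}
  parse_inventory(text).group_by { |e| e[:cn] }.each do |cn, entries|
    result[cn] = entries.map { |e| e[:serial] } if entries.size > 1
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  duplicate_cns(SAMPLE_INVENTORY).each do |cn, serials|
    puts "#{cn}: signed #{serials.size} times (serials #{serials.join(', ')})"
  end
end
```

Run it against the real inventory file on the CA host; any CN listed is a node whose identity was issued more than once and deserves a look at which request was legitimate.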