Hello,

As I've been building up my puppet infrastructure, I've started using puppet certs for all of my services that require ssl. Usually this is in the form of links:

```puppet
file { "/opt/syslog-ng/etc/ca.d/b2457b50.0":
  require => Package["syslog-ng"],
  ensure  => link,
  target  => "/var/lib/puppet/ssl/certs/ca.pem";
}
```

Or copying file contents:

```puppet
file { ["/var/lib/pgsql/data/server.crt",
        "/home/postgres/.postgresql/postgresql.crt",
        "/root/.postgresql/postgresql.crt", ]:
  source => "/var/lib/puppet/ssl/certs/$fqdn.pem",
  owner  => postgres,
  group  => postgres,
  mode   => 600,
}

file { ["/var/lib/pgsql/data/server.key",
        "/home/postgres/.postgresql/postgresql.key",
        "/root/.postgresql/postgresql.key", ]:
  source => "/var/lib/puppet/ssl/private_keys/$fqdn.pem",
  owner  => postgres,
  group  => postgres,
  mode   => 600,
}

file { "/var/lib/pgsql/data/root.crt":
  source => "/var/lib/puppet/ssl/certs/ca.pem",
  owner  => postgres,
  group  => postgres,
  mode   => 600,
}
```

Now pretty much any time I have a service that uses ssl, I just use puppet certs/keys. The advantages I see:

* It saves me from having to maintain my own separate CA system.
* I don't have to store sensitive certs/keys in manifests.

Is anyone else doing this? Is it a good idea? What are the potential pitfalls?

--Bob
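As an added example (not part of Bob's post), the same copy-the-agent-cert pattern wrapped in a defined type that keeps the private key out of the places Puppet itself would otherwise leak it: `show_diff => false` stops key contents from appearing in agent reports, `backup => false` stops the old key from being stored in the filebucket on change, and `validate_cmd` refuses to install anything that is not a well-formed RSA key. The defined type name `puppet_ssl::service_certs`, its parameters, and the `/usr/bin/openssl` path are assumptions for illustration; the ssldir default is the `/var/lib/puppet/ssl` path used in the post (check `puppet config print ssldir` on your agents). `show_diff`, `backup` and `validate_cmd` are real parameters of Puppet's `file` type, but `validate_cmd` needs a Puppet release that supports it (3.5 or later).

```puppet
# Added example: hand a host's Puppet agent certificate, key and CA bundle
# to a service account without exposing the key via reports or filebucket.
# Assumed names: puppet_ssl::service_certs, its parameters, /usr/bin/openssl.
define puppet_ssl::service_certs (
  $owner,
  $group,
  $cert_path,
  $key_path,
  $ca_path,
  $ssldir = '/var/lib/puppet/ssl',   # Puppet 2.x/3.x default from the post
) {
  # Public material: fine to diff, back up and leave world-readable.
  file { $cert_path:
    ensure => file,
    source => "${ssldir}/certs/${::fqdn}.pem",
    owner  => $owner,
    group  => $group,
    mode   => '0644',
  }

  file { $ca_path:
    ensure => file,
    source => "${ssldir}/certs/ca.pem",
    owner  => $owner,
    group  => $group,
    mode   => '0644',
  }

  # Private key: readable only by the service account, never shown as a
  # diff in the agent report, never copied into the filebucket on change.
  file { $key_path:
    ensure       => file,
    source       => "${ssldir}/private_keys/${::fqdn}.pem",
    owner        => $owner,
    group        => $group,
    mode         => '0600',
    show_diff    => false,
    backup       => false,
    # Puppet replaces % with the path of the staged file; a non-zero exit
    # aborts the change, so a corrupt or non-key file never lands on disk.
    validate_cmd => '/usr/bin/openssl rsa -check -noout -in %',
  }
}

# Usage for the PostgreSQL server certificate from the post:
puppet_ssl::service_certs { 'postgresql-server':
  owner     => 'postgres',
  group     => 'postgres',
  cert_path => '/var/lib/pgsql/data/server.crt',
  key_path  => '/var/lib/pgsql/data/server.key',
  ca_path   => '/var/lib/pgsql/data/root.crt',
}
```

The key and certificate are split into separate resources on purpose: the certificate and CA file can stay at a normal mode and keep the usual diff/backup behaviour, while only the key resource carries the restrictive settings, so a later edit to the cert handling cannot accidentally loosen the key's.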