Hi Bob,

Doing the same for LDAP+TLS, it gives me the advantage of not creating another set of cert/key per machine, besides they are distributed with puppet. At the beginning I was tempted to use only symlinks to them but later I decided to make a copy of them, and I've started to use them like that without issues so far.
Thanks.

On Fri, Aug 6, 2010 at 9:47 AM, Bob Belnap <bbel...@gmail.com> wrote:
> Hello,
>
> As I've been building up my puppet infrastructure, I've started using
> puppet certs for all of my services that require ssl. Usually this is
> in the form of links:
>
> file {
>   "/opt/syslog-ng/etc/ca.d/b2457b50.0":
>     require => Package["syslog-ng"],
>     ensure  => link,
>     target  => "/var/lib/puppet/ssl/certs/ca.pem";
> }
>
> Or copying file contents:
>
> file { ["/var/lib/pgsql/data/server.crt",
>         "/home/postgres/.postgresql/postgresql.crt",
>         "/root/.postgresql/postgresql.crt",
>        ]:
>   source => "/var/lib/puppet/ssl/certs/$fqdn.pem",
>   owner  => postgres,
>   group  => postgres,
>   mode   => 600,
> }
>
> file { ["/var/lib/pgsql/data/server.key",
>         "/home/postgres/.postgresql/postgresql.key",
>         "/root/.postgresql/postgresql.key",
>        ]:
>   source => "/var/lib/puppet/ssl/private_keys/$fqdn.pem",
>   owner  => postgres,
>   group  => postgres,
>   mode   => 600,
> }
>
> file { "/var/lib/pgsql/data/root.crt":
>   source => "/var/lib/puppet/ssl/certs/ca.pem",
>   owner  => postgres,
>   group  => postgres,
>   mode   => 600,
> }
>
> Now pretty much any time I have a service that uses ssl, I just use
> puppet certs/keys.
>
> The advantages I see:
> * It saves me from having to maintain my own separate CA system.
> * I don't have to store sensitive certs/keys in manifests
>
> Is anyone else doing this? Is it a good idea? What are the potential
> pitfalls?
>
> --Bob
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

--
Tony
http://blog.tonyskapunk.net
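Bob asks about pitfalls with the copying approach; one practical check to run before a service is pointed at a copied Puppet cert/key is below, added here as an example and not code from either mail. It assumes openssl and stat are on the path, takes the cert, key, CA file and expected FQDN as parameters, and builds a throwaway CA plus host cert as constructed test material in place of the real files under /var/lib/puppet/ssl.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-checks a cert/key pair copied out of
# /var/lib/puppet/ssl before a service (postgres, syslog-ng, slapd) is pointed at it.
# Assumes openssl and stat are available; paths and the expected FQDN are parameters.
#
# check_puppet_tls_copy CERT KEY CA FQDN  -> returns 0 only if every check passes
check_puppet_tls_copy() {
    cert=$1; key=$2; ca=$3; fqdn=$4

    # 1. The copied cert must still chain to the Puppet CA that clients trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert is not signed by $ca"; return 1; }

    # 2. Cert and key must belong together: compare their public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "keypair: $key does not match $cert"; return 1; }

    # 3. The CN must be this host's FQDN, or TLS clients will reject the name.
    cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "name: CN '$cn' does not match '$fqdn'"; return 1; }

    # 4. A copied private key widens exposure; it must stay owner-only readable.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "perms: $key is mode $mode, expected 600"; return 1 ;;
    esac
    return 0
}

# Constructed test material: a throwaway CA plus one host cert, standing in for
# certs/ca.pem, certs/$fqdn.pem and private_keys/$fqdn.pem under /var/lib/puppet/ssl.
make_fixture() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: puppet.example.com" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/host.pem" >/dev/null 2>&1
    chmod 600 "$dir/host.key"
}
```

Against the manifests above it would be called with /var/lib/pgsql/data/server.crt, server.key and root.crt as the CA, for instance from a post-deploy check.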