On Mon, Oct 4, 2010 at 8:58 AM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
> On Mon, Oct 4, 2010 at 10:57 AM, Felix Frank
> <felix.fr...@alumni.tu-berlin.de> wrote:
>
>> Your clients cache the master's certificate.
Correction. The puppet agent fetches the CA cert and it verifies the puppet
master cert is signed by the CA cert. If not, the agent will not communicate
with the puppet master due to a cert mismatch. If you are paranoid and
concerned about security, do not use autosign on the Puppet master, and
distribute the ca.pem public key to the puppet agent manually as part of the
provisioning process. This will alleviate the problem of a rogue host
connecting to the puppet master, and prevent a man-in-the-middle attack.

> I think that's the piece I was missing in my understanding... Thanks a lot.
>
> So if the master's cert changes, does the client refuse the new master?

No, the puppet agent checks:

1. Is the certificate signed by the trusted CA and valid?
2. Does the server DNS match the CN or subject alt name?

So if you examine the certificate, here are the fields that are important:

# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/puppet.internal.clientsite.com.pem
Certificate:
    Issuer: CN=Puppet CA ca.clientsite.com
    Validity
        Not Before: Sep 26 21:10:12 2010 GMT
        Not After : Sep 25 21:10:12 2015 GMT
    Subject: CN=puppetmaster1.internal.clientsite.com
    ...
    X509v3 Subject Alternative Name:
        DNS:puppet, DNS:puppet.internal.clientsite.com
    ...

So in the first step, the puppet agent checks the certificate has not expired
(Validity) and the issuer must ultimately be linked to the root CA in ca.pem.
In this discussion the issuer is simply the built-in CA. In the second step,
it ensures the CN or the subject altname matches the puppet master DNS.

Thanks,
Nan
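The following is an added worked example, not code from the thread or from Puppet itself. It applies the two agent-side checks Nan lists to the text form of a certificate as printed by `openssl x509 -text -noout`, using only the Python standard library: it parses the Validity window, the Issuer line and the CN / DNS SANs, then reports which of the checks fail for a given server name and point in time. Because it has no X.509 library it reads the printed issuer name instead of verifying the signature chain, so it illustrates step 1 only partially: a matching issuer string is not proof that ca.pem signed the cert, and a real agent must check the signature against the trusted CA public key. The `SAMPLE_TEXT` input is constructed from the fields quoted above; `check_master_cert`, `parse_cert_text` and `utc` are names chosen here.

```python
"""Added example: the agent-side checks described in the thread, run against
the text dump of a certificate. Stdlib only; no signature verification."""

import re
from datetime import datetime, timezone

# Constructed sample: the fields quoted in the thread, laid out the way
# `openssl x509 -text -noout` prints them.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Issuer: CN=Puppet CA ca.clientsite.com
        Validity
            Not Before: Sep 26 21:10:12 2010 GMT
            Not After : Sep 25 21:10:12 2015 GMT
        Subject: CN=puppetmaster1.internal.clientsite.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.internal.clientsite.com
"""

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # format openssl uses for Not Before/After


def utc(year, month, day):
    """Helper so callers can build a timezone-aware 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_cert_text(text):
    """Pull issuer, subject CN, validity bounds and DNS SANs out of the text dump."""
    info = {"issuer": None, "cn": None, "not_before": None, "not_after": None, "sans": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Issuer:"):
            info["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("Subject:"):
            m = re.search(r"CN=([^,/]+)", s)
            info["cn"] = m.group(1).strip() if m else None
        elif s.startswith("Not Before:"):
            stamp = s[len("Not Before:"):].strip()
            info["not_before"] = datetime.strptime(stamp, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        elif s.startswith("Not After"):
            stamp = s.split(":", 1)[1].strip()        # "Not After :" has a space before the colon
            info["not_after"] = datetime.strptime(stamp, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        elif s.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            for entry in lines[i + 1].split(","):    # SAN values sit on the next line
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    info["sans"].append(entry[4:].strip().lower())
    return info


def _name_matches(pattern, hostname):
    """Exact match, or a single '*' standing for the whole leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    # Wildcard only as the entire leftmost label, and never for a bare TLD.
    return p[0] == "*" and len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]


def hostname_matches(info, hostname):
    """Step 2 as stated in the thread: the server name must match the CN or a DNS SAN."""
    candidates = [info["cn"]] if info["cn"] else []
    candidates += info["sans"]
    return any(_name_matches(c, hostname) for c in candidates)


def validity_ok(info, now):
    """Step 1, time part: 'now' must lie inside the Not Before / Not After window."""
    return info["not_before"] <= now <= info["not_after"]


def check_master_cert(text, hostname, trusted_ca_subject, now):
    """Return a list of failed checks (empty list means the cert passes these checks)."""
    info = parse_cert_text(text)
    problems = []
    if not validity_ok(info, now):
        problems.append("certificate outside its validity window")
    # Name comparison only: a real agent verifies the signature with the CA key from ca.pem.
    if info["issuer"] != trusted_ca_subject:
        problems.append("issuer is not the trusted CA: %s" % info["issuer"])
    if not hostname_matches(info, hostname):
        problems.append("%s matches neither CN nor any DNS SAN" % hostname)
    return problems


if __name__ == "__main__":
    for name in ("puppet", "puppetmaster1.internal.clientsite.com", "other.clientsite.com"):
        print(name, check_master_cert(SAMPLE_TEXT, name, "CN=Puppet CA ca.clientsite.com", utc(2012, 1, 1)))
```

The hostname check follows the thread's wording (CN or SAN); note that current validators ignore the CN entirely once a SAN extension is present, so with the sample cert above a name like puppetmaster1.internal.clientsite.com would be rejected by them even though it matches the CN. Connecting by the name that appears in the SAN list (puppet or puppet.internal.clientsite.com) avoids that difference.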