On Oct 5, 2010, at 5:55 PM, Mohamed Lrhazi wrote:

> On Mon, Oct 4, 2010 at 7:17 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> Correction. The puppet agent fetches the CA cert and it verifies the
>> puppet master cert is signed by the CA cert. If not, the agent will
>> not communicate with puppet master due to a cert mismatch.
> 
> Thanks a lot Nan. I think I have just one more clarification to ask...
> Where does the client fetch the CA cert from and how often?
> 
> I guess I'll feel all safe if the fetching happens during the initial
> setup phase of a new client, and it keeps it locally from that point
> on.

I believe the client will not actually save the CA's certificate until the
client has a signed cert.  After that point it keeps the cert.  The distro I
use keeps it in /var/lib/puppet/ssl/ca.pem.  You can always just put that cert
into whatever process you use to install puppet in the first place if you're
worried.

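One way to act on the suggestion of shipping the CA certificate with the install process, as an added example that is not part of the original thread or Puppet's own code: it checks the bundled certificate against a pinned SHA-256 fingerprint before placing it at the path mentioned above. The function names, the pin argument and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import os
import ssl
import tempfile

CA_PATH = "/var/lib/puppet/ssl/ca.pem"  # path from the message; distro-specific


def fingerprint(pem_text):
    """SHA-256 of the DER encoding (what openssl x509 -fingerprint -sha256 hashes)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def seed_ca(pem_text, pinned_sha256, dest=CA_PATH):
    """Place the CA cert before the agent's first run, only if it matches the pin."""
    pinned = pinned_sha256.replace(":", "").lower()
    if fingerprint(pem_text) != pinned:
        raise ValueError("bundled CA cert does not match the pinned fingerprint")
    if os.path.exists(dest):
        # Never silently replace a CA the agent already trusts.
        with open(dest) as fh:
            if fingerprint(fh.read()) != pinned:
                raise ValueError("existing %s differs from the pinned CA" % dest)
        return "unchanged"
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    # Write beside the target, then rename, so the agent never sees a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest))
    with os.fdopen(fd, "w") as fh:
        fh.write(pem_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)
    return "installed"


def demo():
    # Constructed stand-in bytes, not a real certificate; only the hash check is exercised.
    pem = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for CA certificate DER")
    other = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for a different CA")
    pin = fingerprint(pem)
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "ssl", "ca.pem")
        results = [seed_ca(pem, pin, dest), seed_ca(pem, pin, dest)]
        try:
            seed_ca(other, pin, dest)
        except ValueError:
            results.append("rejected")
    return results
```

The pin should come from the CA host over a channel you already trust, not from the same download as the certificate itself.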