On Feb 14, 8:49 am, mukulm <smilemukul2...@gmail.com> wrote:
> Thanks for the valuable info but my scenario is option (A) but my
> question is if once SSL certificates are signed for a node then how &
> due to what reason the SSL private key changes & what does preserving
> SSL private keys mean?
If you can be certain that your nodes all have unique names and if you are not using the "certname" parameter in your puppet.conf or on the command line, then you can rule out scenario B. If you have to ask that question, however, then you cannot be certain that your problem matches scenario A. Perhaps it arises instead by some path that I haven't thought of.

Anyway, it sounds like some more information will help you. First off, read http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security. It's a bit dated (for example, the program puppetca is now rolled into the main "puppet" driver as "puppet cert"), but for the most part it's still accurate.

The bottom line, however, is that nodes' SSL private keys are stored in files on the node's file system. They will be lost if the file is deleted (such as if the node is wiped and rebuilt), and they can be changed or restored (as can their signed certificates) by changing or restoring the file in which they are recorded.

If you frequently rebuild nodes without changing their names, then rather than preserving their keys, it may be easier to revoke nodes' certificates and delete them from the master whenever you rebuild those nodes. Then they should request new certificates, and the master should be willing to sign them. To achieve that, you would run a command like this _on the master_: "puppet cert revoke <certname>; puppet cert clean <certname>" to allow the node to request a new certificate.

Also, BE CERTAIN that you do not install a common private key on your nodes, as might happen if you rebuild nodes by applying a pre-made filesystem image that has a Puppet private key in it. Every node should have a distinct private key (which it will generate for itself at first need).

John
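As an added example (not part of John's reply and not Puppet's own tooling): a small POSIX shell script that prints the revoke-and-clean sequence from the reply for review before it is run on the master, and checks a directory of private keys collected from nodes for byte-identical copies, the cloned-image situation the last paragraph warns about. The key directory layout (one <certname>.pem per node) and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example. Assumes private keys have been collected from nodes into one
# directory as <certname>.pem (constructed layout; on a node Puppet keeps the
# key under its ssldir in private_keys/<certname>.pem) and that sha256sum exists.

# Print the revoke-and-clean sequence for one certname so it can be reviewed
# before being run on the master. Rejects names that are not plain hostnames.
revoke_clean_cmd() {
    certname="$1"
    case "$certname" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing unexpected certname: '$certname'" >&2
            return 1 ;;
    esac
    printf 'puppet cert revoke %s && puppet cert clean %s\n' "$certname" "$certname"
}

# List private keys that are byte-for-byte identical across nodes, which is
# what applying a cloned filesystem image produces. Output: one line per
# shared key, "<sha256> <certname> <certname> ...". Returns 1 if any key is
# shared, 0 if every node has its own key.
find_shared_keys() {
    keydir="$1"
    for f in "$keydir"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(basename "$f" .pem)"
    done | sort | awk '
        { names[$1] = names[$1] " " $2; count[$1]++ }
        END {
            for (k in count) if (count[k] > 1) { print k names[k]; shared = 1 }
            exit (shared + 0)
        }'
}
```

Keys that are cryptographically the same but re-encoded differently would not be caught by a byte comparison; where openssl is available, compare public-key fingerprints instead.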