Many thanks - this is now working better. What was tripping me up was that if the puppet agent has tried to run, and there is a certificate request on the master, then the next run of the agent either doesn't try to get the corresponding certificate signed or else the auto-signing is silently blocked. Is this a bug, a feature, or just a misunderstanding on my part?
What are the security implications of allowing clients to manipulate certificates in this way? For now at least I will restrict this to the subset that are likely to need frequent rebuilds.

Chris Ritson (Computing Officer and School Safety Officer)
Room 707, Claremont Tower,        EMAIL: c.r.rit...@ncl.ac.uk
School of Computing Science,      PHONE: +44 191 222 8175
Newcastle University,             FAX  : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU.  WEB  : http://www.cs.ncl.ac.uk/

>-----Original Message-----
>From: Luke Bigum [mailto:luke.bi...@lmax.com]
>Sent: 24 April 2012 09:42
>To: puppet-users@googlegroups.com
>Cc: C R Ritson
>Subject: Re: [Puppet Users] autosign
>
>Autosigning certificates work, what you're probably running into is that
>autosigning does not clear off an old Agent's certificate, so you're
>getting certificate mismatch errors. Puppet's RESTful API allows you to
>manage certificates. It's been a long time since I tested this but I
>have this in my auth.conf:
>
>#allow hosts to manage certificates
>#path /certificate_status/([^/]+)$
>path /certificate_status/
>auth any
>allow *
>
>And then I do this in a kickstart file to have each server delete its
>certificate before it generates a new one and contacts the Puppet Master
>for the first time:
>
>curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://puppet:8140/production/certificate_status/$HOSTNAME
>curl -k -X DELETE -H "Accept: pson" https://puppet:8140/production/certificate_status/$HOSTNAME
>
>Check out this page for more information:
>
>http://docs.puppetlabs.com/guides/rest_api.html
>
>-Luke
>
>On 24/04/12 09:34, C R Ritson wrote:
>> Does autosign work? I have a scratch workstation that may be rebuilt
>> frequently and will therefore acquire a new client certificate. I was
>> hoping that adding its certificate name to /etc/puppet/autosign.conf on the
>> puppetmaster would allow just this one client to have its new certificates
>> autosigned.
>> This doesn't appear to work and I can find no logged errors
>> telling me what is wrong. Can someone suggest where to look, please?
>
>--
>Luke Bigum
>Information Systems
>luke.bi...@lmax.com | http://www.lmax.com
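Chris asks what it means to let clients manipulate certificates through the rule Luke quotes. The following Python model of auth.conf rule evaluation is an added example, not part of the thread and not Puppet's own code: it mirrors the documented semantics (first applicable rule wins; a rule applies when its path, its `method` list and its `auth` requirement all match; `allow` takes certnames or `*`, `allow_ip` takes networks) closely enough to show what the posted `auth any` / `allow *` rule permits, and what a narrower rule looks like. The certnames, addresses and the 10.10.0.0/24 provisioning subnet are constructed; `allow_ip` is a directive from releases later than the 2.7-era this thread dates from (older releases took addresses in `allow`), so treat that version detail as an assumption.

```python
# Added example: a simplified model of Puppet auth.conf evaluation for the
# certificate_status REST endpoint. NOT Puppet's code. All names, addresses
# and subnets are constructed for illustration.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# HTTP verb -> indirector method name used by auth.conf's "method" directive.
HTTP_TO_METHOD = {"GET": "find", "PUT": "save", "DELETE": "destroy"}
ALL_METHODS = {"find", "search", "save", "destroy"}


@dataclass
class Rule:
    path: str                      # prefix, or a regex when regex=True ("path ~ ...")
    regex: bool = False
    methods: set = field(default_factory=lambda: set(ALL_METHODS))
    auth: str = "yes"              # "yes" (client cert required), "no" (no cert), "any"
    allow: list = field(default_factory=list)       # certnames, or "*"
    allow_ip: list = field(default_factory=list)    # CIDR strings (assumed available)


@dataclass
class Request:
    http_method: str
    url_path: str                  # e.g. "/production/certificate_status/web01.example.com"
    source_ip: str
    certname: Optional[str] = None # None when the client presented no certificate


def strip_environment(url_path: str) -> str:
    """URLs look like /<environment>/<indirection>/<key>; auth.conf paths omit the environment."""
    _, _env, rest = url_path.split("/", 2)
    return "/" + rest


def rule_applies(rule: Rule, req: Request) -> bool:
    """A rule is consulted only if path, method and auth state all match."""
    path = strip_environment(req.url_path)
    path_ok = re.search(rule.path, path) is not None if rule.regex else path.startswith(rule.path)
    method_ok = HTTP_TO_METHOD.get(req.http_method) in rule.methods
    authenticated = req.certname is not None
    auth_ok = rule.auth == "any" or (rule.auth == "yes") == authenticated
    return path_ok and method_ok and auth_ok


def rule_allows(rule: Rule, req: Request) -> bool:
    """Within an applicable rule, allow by certname or by source network."""
    if "*" in rule.allow or (req.certname and req.certname in rule.allow):
        return True
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in ipaddress.ip_network(net) for net in rule.allow_ip)


def authorize(rules: list, req: Request) -> bool:
    """First applicable rule decides; no applicable rule means deny."""
    for rule in rules:
        if rule_applies(rule, req):
            return rule_allows(rule, req)
    return False


# The rule as posted in the thread: any caller, with or without a certificate,
# may read, revoke or delete any host's certificate.
POSTED_RULES = [Rule(path="/certificate_status/", auth="any", allow=["*"])]

# A narrower rule (assumption: rebuilds happen from the 10.10.0.0/24 provisioning
# network): unauthenticated callers may only revoke (save) and delete (destroy),
# and only from that network. Everything else falls through to the default deny.
NARROW_RULES = [
    Rule(path="/certificate_status/", auth="any", methods={"save", "destroy"},
         allow_ip=["10.10.0.0/24"]),
]


def attacker_revokes_other_host(rules: list) -> bool:
    """Unauthenticated PUT {"desired_state":"revoked"} against another host's name, from outside."""
    req = Request("PUT", "/production/certificate_status/db01.example.com", "203.0.113.7")
    return authorize(rules, req)


def kickstart_deletes_own_cert(rules: list) -> bool:
    """The intended use: a rebuilding host on the provisioning network clears its old cert."""
    req = Request("DELETE", "/production/certificate_status/scratch.example.com", "10.10.0.42")
    return authorize(rules, req)


def unauthenticated_reads_status(rules: list) -> bool:
    """Unauthenticated GET (find) from the provisioning network."""
    req = Request("GET", "/production/certificate_status/db01.example.com", "10.10.0.42")
    return authorize(rules, req)


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("narrow", NARROW_RULES)):
        print(name, "attacker revoke:", attacker_revokes_other_host(rules),
              "kickstart delete:", kickstart_deletes_own_cert(rules),
              "read status:", unauthenticated_reads_status(rules))
```

With the posted rule every call returns True: an unauthenticated caller from anywhere that can reach port 8140 can revoke or delete any agent's certificate (fleet-wide denial of service), and where autosign.conf also lists that name, can then submit a fresh CSR under it and be signed as that host. The narrower rule keeps the kickstart step working from the provisioning network and denies everything else. Separately, the `-k` in the quoted curl commands turns off verification of the master's certificate; a kickstart that already ships the CA certificate should pass it with `--cacert` instead.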