Hi,

Regarding this issue of $1 not working, have you made sure that the reverse DNS for your server is right? Because the puppet master seems to identify the 'allow' from the reverse of the IP resolution...
Regards,
JM

On Tue, Apr 24, 2012 at 11:52 AM, Luke Bigum <luke.bi...@lmax.com> wrote:
> Not sure about the first question, are you saying your Agent had a
> non-autosigned certificate waiting on the Puppet Master, then you
> configured auto signing on the Master and expected it to work? I think the
> autosigning is done only when an Agent first connects and it won't sign any
> pending or backlog of certificates (but don't quote me).
>
> Regarding security, I was originally trying to work with this:
>
> #allow a host to manage its own certificate
> #path */certificate_status/*([^/]+)$
> path */certificate_status/*
> auth any
> allow $1
>
> Which was supposed to only allow a client to delete its own certificate
> and only its own. The $1 wasn't working for me though so I fell back to *
> (all hosts).
>
> This allows all Agents full control of all operations under
> /certificate_status/, which basically means someone malicious could delete
> all your signed certificates, preventing all Agents from checking in. So
> definitely some implications ;-)
>
> If you get auth.conf any more secure, let me know.
>
> -Luke

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
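For reference, here is the weak rule the thread fell back to next to a tightened one that scopes the operation to the requesting node's own certificate. This is an added example, not Luke's or Puppet's own configuration. It assumes Puppet 2.7-era auth.conf syntax: a path introduced with `~` is a regular expression, a capture group from it can be referenced in `allow` as `$1`, rules are tried in order with the first match winning, and `auth yes` makes the name being authorized the client's certname rather than the reverse-DNS name JM describes. The method list and the master certname `puppetmaster.example.com` are assumptions for illustration.

```conf
# Weak form (what the thread fell back to): any client, authenticated or not,
# may find, search, save or destroy ANY certificate under /certificate_status/.
# Left commented out here so the tightened rule below is the one in effect.
#path /certificate_status/
#auth any
#allow *

# Tightened form. "~" makes the path a regular expression; the capture group
# is the certname named in the request, and "$1" in allow is replaced by that
# capture, so the rule only matches when a client asks about its own certname.
# "auth yes" identifies the client by its certificate, so "$1" is compared
# against the certname, not against the reverse DNS of the client's IP.
# Methods are an assumption about what a node needs to inspect and remove
# its own certificate.
path ~ ^/certificate_status/([^/]+)$
method find, destroy
auth yes
allow $1

# Listing the collection and every other certificate_status operation stays
# with the CA/master host (assumed certname). Anything not matched above
# falls through to the usual final "path /" deny at the bottom of auth.conf.
path /certificate_status/
auth yes
allow puppetmaster.example.com
```

Two practical checks when testing this: the regex rule must appear above any broader `/certificate_status/` or `path /` rule, because the first matching rule wins, and the client must present a valid signed certificate, since with `auth yes` an unauthenticated request never matches and the `$1` comparison is against the certname the master already trusts.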