Martijn,
   Sorry for the delay ... but yes, in the future we don't mind sharing
this 'cert-api' code. Unfortunately today it's not in a terribly shareable
state. It was quite literally my 2nd Python program ever, written 3+ years
ago, and written in a short-term hacky way because we naively believed that
the PuppetLabs folks would ultimately solve the whole 're-signing
certificates' problem (seriously ... 2011 ...
http://projects.puppetlabs.com/issues/7272).

  At this point, we're in the midst of a full puppet-server redesign, and
part of that is going to include a ground-up fresh cert-api daemon. It's
simple code, so we should get it done within a few days of beginning, but
we just haven't quite started yet. When we do, though, it'll definitely be
open-sourced.

  The basic model is that we set our SSL certs to expire after 30 days. Our
clients run a little cron job daily that says "is the cert expiring in the
next 5 days?", and if that is true, it reaches out to our puppet masters
and gets its cert renewed. We've been doing this for years now, with over
20,000 hosts (not simultaneously of course... just the number of hosts
we've launched in 3 years), and had no problems with the model.

  We'll be adding some additional features to the API to support things
like automatic node deregistration in PuppetDB as well.

Matt Wise
Sr. Systems Architect
Nextdoor.com
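The renewal model described in the message above (30-day certs, a daily cron job that renews when the cert is within 5 days of expiry), as an added example. This is not Nextdoor's cert-api code, which the post says has not been published; it only implements the client-side decision, using nothing but the Python standard library so it runs offline. Assumptions labelled in the code: the expiry is read from the `notAfter=` line that `openssl x509 -noout -enddate` prints (the sample line is constructed from the thread's date, not from a real certificate), the actual call to the cert-api endpoint is left as a hypothetical hook, and a host whose cert has already expired is assumed unable to authenticate a renewal with it. The simulation at the end goes beyond the post: it plays the daily check forward through an outage to show how much unreachability the 30/5 split tolerates.

```python
# Added example: client-side renewal decision for the 30-day / 5-day model.
# Not the cert-api code from the thread; the renewal call is a stub.
import ssl

CERT_LIFETIME_DAYS = 30   # lifetime the master issues certs with (per the post)
RENEW_WINDOW_DAYS = 5     # renew once this little validity is left (per the post)
DAY = 86400


def parse_enddate(line: str) -> int:
    """Turn 'notAfter=Dec 12 18:18:47 2014 GMT', the line printed by
    `openssl x509 -noout -enddate -in <cert.pem>`, into a POSIX timestamp.
    ssl.cert_time_to_seconds() parses exactly this format and treats it as UTC."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError("expected a notAfter= line, got: %r" % line)
    return ssl.cert_time_to_seconds(line[len(prefix):].strip())


def renewal_state(not_after: int, now: int, window_days: int = RENEW_WINDOW_DAYS) -> str:
    """'ok'      - more than window_days of validity left, nothing to do.
       'renew'   - expiring within window_days, call the renewal endpoint.
       'expired' - notAfter has passed. Assumption: the endpoint authenticates
                   the client with its current cert, so an expired cert can
                   no longer be renewed and the host needs a fresh CSR/sign."""
    remaining = not_after - now
    if remaining <= 0:
        return "expired"
    if remaining <= window_days * DAY:
        return "renew"
    return "ok"


def request_renewal(now: int) -> int:
    """Hypothetical hook for the cert-api call; the real client would POST to
    the puppet master here. Returns the notAfter of the re-signed cert, which
    the post implies is a full lifetime measured from the time of renewal."""
    return now + CERT_LIFETIME_DAYS * DAY


def simulate_daily_cron(issue_time: int, outage_start_day: int, outage_days: int,
                        horizon_days: int = 90):
    """Play the daily cron forward over horizon_days for one host whose cert
    was issued at issue_time. The host cannot reach the master on days
    [outage_start_day, outage_start_day + outage_days). Returns
    (number_of_renewals, cert_ever_expired). An outage only causes an expiry
    if it covers every day of the renewal window."""
    not_after = issue_time + CERT_LIFETIME_DAYS * DAY
    renewals = 0
    for day in range(horizon_days):
        now = issue_time + day * DAY
        state = renewal_state(not_after, now)
        if state == "expired":
            return renewals, True
        reachable = not (outage_start_day <= day < outage_start_day + outage_days)
        if state == "renew" and reachable:
            not_after = request_renewal(now)
            renewals += 1
    return renewals, False


# Constructed sample line, not from a real certificate; the date is the thread's own.
SAMPLE_ENDDATE_LINE = "notAfter=Dec 12 18:18:47 2014 GMT"
SAMPLE_NOT_AFTER = parse_enddate(SAMPLE_ENDDATE_LINE)

if __name__ == "__main__":
    # Pretend "today" is 3 days before the sample expiry: the cron would renew.
    print(renewal_state(SAMPLE_NOT_AFTER, SAMPLE_NOT_AFTER - 3 * DAY))       # renew
    # Four unreachable days starting on renewal day: the fifth day still renews.
    print(simulate_daily_cron(SAMPLE_NOT_AFTER, outage_start_day=25, outage_days=4))  # (3, False)
    # Five unreachable days starting on renewal day: the cert expires on day 30.
    print(simulate_daily_cron(SAMPLE_NOT_AFTER, outage_start_day=25, outage_days=5))  # (0, True)
```

The simulation makes the safety margin of the model explicit: with a 30-day lifetime and a 5-day window, the first renewal attempt happens on day 25, so a host that is unreachable for the whole window (five consecutive days at the worst moment, or thirty starting right after a renewal) ends up with an expired cert and, under the authentication assumption above, can no longer renew on its own. Anything shorter than the window is absorbed by the daily retries.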

On Fri, Dec 12, 2014 at 10:40 AM, Martijn <mart...@heemels.com> wrote:
>
> Matt, I'd be very interested in that 'cert-api' endpoint code once you've
> had a chance to work on this. Is there a chance you could open-source that?
> I think it would be very useful to the community, even if it is imperfect.
>
> Hope you'll consider it,
> Martijn
>
> On Friday, 12 December 2014 at 18:18:47 UTC+1, Matt W wrote:
>>
>> We already have what we call a 'cert-api' endpoint on our Puppet servers
>> that allows our puppet clients to re-up their SSL certs every 15 days (we
>> expire them very quickly). It's not unreasonable to add functionality to
>> this endpoint allowing a client to request that its own node be destroyed.
>>
>  --
> You received this message because you are subscribed to a topic in the
> Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/puppet-users/o-X54IznCD8/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/2f343d00-13dd-451e-8b91-4ef0c18afcaa%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/2f343d00-13dd-451e-8b91-4ef0c18afcaa%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxNyYbSGXojtW%3Dk1uy0tGSq98fsTttfEHu-pS4F4Vg9aTg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
