Hi! We have a setup with a puppetmaster CA and several servers (AWS instances) which are spawned depending on the workload. On a daily basis from 50 to 100 instances can be spawned and shut down (not at the same time), and what occurs is that a new server can have the IP and hostname. When a new certificate is created due to a new instance, this goes down after a while, and if right after that a new instance with this just released IP (an IP 1.2.3.4 sets the hostname ip-1-2-3-4 in AWS, for example) is spawned, we get the usual SSL error as the private key has changed (a new one was generated in the last instance). I have tried a quite dirty solution which involved a task running almost continuously which took every certificate from the SSL folder in the puppetmaster, and as the hostname (certname) includes the IP (just replace - with .), the script checked every IP against the whole list of IPs we have up at that moment, but in the end we are facing some race conditions due to timings, so it just worked fine for a while.
It seems that we need a solution that is in sync with the state of the server when it boots up and when it is shut down. Not all instances involved in this are located in an "Auto Scaling Group", so a solution I checked related to sending notifications to an SNS queue sadly would not work for us. We thought of a solution which involved creating a new certificate, which should be stored on disk, and adding the directive certname in puppet.conf so every server presents the same certificate with the same private key and cert. We are already using autosign, and as the puppetserver is only on the local network and firewalled it should not be a security issue to share the same certificate among our servers. We tested it manually, but we are afraid we will face another issue we did not foresee, as happened with the task I mentioned before. Has anyone tried any of these solutions or are you using a different approach? Thanks a lot!
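The certname-to-IP reconciliation the post describes (certname ip-1-2-3-4 maps to IP 1.2.3.4, and a certificate whose IP is no longer running is stale), as an added Python example that is not the poster's script. It assumes certnames of the form ip-A-B-C-D with an optional domain suffix, a list of live private IPs obtained elsewhere (for example from the EC2 API; here a constructed list), and a signing time per certificate (for example the mtime of the signed .pem). The grace period is an assumption added here to address the timing race the post mentions: a certificate signed moments ago is left alone because the instance list may not yet include the instance that requested it.

```python
"""
Decide which Puppet CA certificates are stale by deriving the instance IP
from the certname (ip-A-B-C-D) and comparing it with the IPs currently up.
Added example, not the poster's script. Assumptions: IP-derived certnames,
a live-IP list supplied by the caller, and a grace period (see below).
"""
import re
import time
from dataclasses import dataclass

# ip-10-0-1-23 or ip-10-0-1-23.ec2.internal; anything else is left alone.
CERTNAME_RE = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?:\..*)?$")


def certname_to_ip(certname):
    """Return the dotted IP encoded in an AWS-style certname, or None."""
    m = CERTNAME_RE.match(certname)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None  # e.g. ip-10-0-1-999 is not a valid address
    return ".".join(str(o) for o in octets)


@dataclass
class SignedCert:
    certname: str
    signed_at: float  # epoch seconds, e.g. mtime of the signed .pem (assumption)


def stale_certnames(certs, live_ips, now, grace_seconds=600):
    """Return certnames that are safe to clean from the CA.

    A certname is stale when it is IP-derived, its IP is not in live_ips, and
    the certificate is older than grace_seconds. The grace period guards
    against the boot-time race where a certificate has just been signed for an
    instance that the live-IP snapshot does not list yet.
    """
    live = set(live_ips)
    stale = []
    for cert in certs:
        ip = certname_to_ip(cert.certname)
        if ip is None:
            continue  # not IP-derived (e.g. the puppetmaster itself)
        if ip in live:
            continue  # instance still running
        if now - cert.signed_at < grace_seconds:
            continue  # too fresh: may belong to an instance still booting
        stale.append(cert.certname)
    return stale


def demo():
    """Constructed sample: one live instance, one fresh cert, one stale cert."""
    now = time.time()
    certs = [
        SignedCert("ip-10-0-1-23", now - 3600),            # live
        SignedCert("ip-10-0-1-24", now - 30),              # signed 30 s ago
        SignedCert("ip-10-0-1-25.ec2.internal", now - 3600),  # gone
        SignedCert("puppetmaster.example.com", now - 86400),  # not IP-derived
    ]
    live_ips = ["10.0.1.23"]  # constructed snapshot of running instances
    return stale_certnames(certs, live_ips, now)


if __name__ == "__main__":
    for name in demo():
        print("stale:", name)
```

The output of `stale_certnames` is only the list of certnames to revoke and clean; actually removing them is left to the CA tooling so the decision logic can be reviewed and tested on its own. Tuning `grace_seconds` above the longest observed boot-to-first-agent-run time is what keeps the fresh certificate for a still-booting instance from being cleaned.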