6

Automatic management of SSL certificate on multiple servers…good or bad

view full story
linux-howto

http://serverfault.com – We're using puppet to manage a group of Ubuntu boxes and will shortly require each of these servers to share a common SSL certificate, in order to serve a site over HTTPS. Naturally, we'd like to use puppet to manage the certificate but are conscious of the fact that putting it in a VCS (from where the puppet master gets its modules) mightn't be a great idea—because of the security implications. Are there any better solutions anyone is aware of? (HowTos)

xskl's picture
Submitted by xskl on 02/15/2012 – Made popular on 02/15/2012

Stories similar to Automatic management of SSL certificate on multiple servers…good or bad

Puppet doesnt sign certs 1 year 20 weeks ago

I have build an testlap for puppet, but it doesnt work. I start the Puppet Agent on the Node and he waits for the Certificate.

I'm getting started with puppet on ec2 using the following guide.

https://help.ubuntu.com/12.04/serverguide/puppet.html

In the very last step when I try to sign the puppet client from the puppet master I get the following error

root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com err: Could not call sign: Could not find certificate request for ec2

Puppet agent freeze on Ubuntu 30 weeks 5 days ago

I have 40 Ubuntu 12.04 servers. These servers are managed with puppet. Sometimes I have problem with puppet agent. puppet agent spawn child process (sh) and this process fails. Sh is zombie process. Puppet doesn't work, I must restart puppet agent to make it works.

I use puppet to manage files, packages and services. Problematic agent didn't make any change before fails, server is up to date.

Cannot use puppet on mac osx 10.8, i can find it in /usr/bin/lib but display that when i launch it :

/usr/bin/puppet:3:in `require': no such file to load -- puppet/util/command_line (LoadError) from /usr/bin/puppet:3

Any idea ?

Edit : I want to use puppet in Vagrant VM to do provisioning is it the good way ?

Prefix: I searched this out, but the fact that there are any number of things that can cause this problem, I have been unable to find a solution to this particular case.

I have a puppet master (3.0.2-1; RHEL6) and the /etc/puppet/manifests/site.pp file contains the following:

import 'nodes/nodes.pp' $puppetserver = 'puppet.example.dom'

Naturally, the server domain is not what is in use, but ha

I'm investigating whether I can somehow make the puppet ecosystem utilize our existing Microsoft Enterprise CA rather than being its own CA.

Since puppet touts that all of the system is "standard SSL", my guess is that it is completely possible to do this without much changing of puppet, HOWEVER it's likely a huge manual headache unless puppet is edited to make the proper calls to the enterprise

We are scaling our puppet infrastructure and would like to split off the CA component from the puppet master server to another server. Part of the change involves a servername change for the puppetmaster too.

I'm running into a problem whereby I can't get the ca_server directive to work properly in either the [main] or [agent] section. It's just not taking effect.

I want to have puppet run a specific command before performing any type of change. I am aware of the prerun_command option in the main puppet.conf, but this is not what I'm looking for. I want the command to only run if something is about to change, not on every puppet run.

Here's the scenario. Let's say I have a bunch of web servers behind a load balancer.

I am learning puppet and using this tool install puppet clients on nodes.

puppet node install --login=root --keyfile=~/.ssh/id_rsa --install-script puppet-enterprise --installer-payload ~/puppet/puppet-enterprise-2.7.0-ubuntu-12.04-amd64.tar.gz --installer-answers ~/puppet/installer.answers --puppetagent-certname puppet.node01.example.com 192.168.1.100

Everything seems to work ok.