autosign with --allow-dns-alt-names


Dejan Golja

Nov 19, 2014, 11:13:11 PM
to puppet...@googlegroups.com
All,

I was wondering if it's possible to change the autosign behavior so that it will allow autosigning certs with alternative DNS entries. Currently the problem is that if an auto scaling event creates another master, the autosign on the CA will fail, because it has alternative DNS entries.

We also tried to use an external autosign script, but the result is the same.

I understand that's a potential security risk, but we have other measures in place to make it safe. Alternatively we could embed the presigned certs in the cloud init process, but we would like to avoid that.

Thank you,
Dejan


Felix Frank

Nov 22, 2014, 4:00:21 PM
to puppet...@googlegroups.com
On 11/20/2014 05:13 AM, Dejan Golja wrote:
> I was wondering if it's possible to change the autosign behavior so that
> it will allow autosigning certs with alternative DNS entries.
> Currently the problem is that if an auto scaling event creates another
> master, the autosign on the CA will fail, because it has alternative DNS
> entries.

Hi,

can you elaborate on your problem? I don't really see what's going on.

Who has alternative DNS entries? How does this interfere with your
autosigning?

Thanks,
Felix