Can I close Puppet SSL function?


Richard

Oct 20, 2014, 2:17:51 AM10/20/14
to puppet...@googlegroups.com
I want to know if the Puppet SSL function can be closed and the connection between master and client through SSL can be changed.

jcbollinger

Oct 20, 2014, 9:41:58 AM10/20/14
to puppet...@googlegroups.com


On Monday, October 20, 2014 1:17:51 AM UTC-5, Richard wrote:
I want to know if the Puppet SSL function can be closed and the connection between master and client through SSL can be changed.

In what context? For what purpose?

Puppet uses SSL to authenticate master to agent and agent to master, and to secure communications between them.  Their connections are of limited duration -- they are closed once the agent obtains everything it needs to perform one catalog run.  Premature closure will result in the agent aborting the run and trying anew to obtain a catalog.  You can load balance among equivalent masters, but (for different reasons) you cannot shift between different masters to serve one catalog request.


John

Richard

Oct 20, 2014, 9:12:30 PM10/20/14
to puppet...@googlegroups.com
Thanks. I want to use the IP address as the hostname in the kick command, like kick -p 10 --host 192.168.1.101, but this SSL verify failed. The IP of every computer could probably be changed at any time, so I can't use the IP as the cert name.
On Monday, October 20, 2014 at 9:41:58 PM UTC+8, jcbollinger wrote:

jcbollinger

Oct 21, 2014, 9:12:04 AM10/21/14
to puppet...@googlegroups.com


On Monday, October 20, 2014 8:12:30 PM UTC-5, Richard wrote:
Thanks. I want to use the IP address as the hostname in the kick command, like kick -p 10 --host 192.168.1.101, but this SSL verify failed. The IP of every computer could probably be changed at any time, so I can't use the IP as the cert name.


This objective has nothing to do with what you asked, then.  Kick requests are separate from catalog requests already.

Have you configured your nodes as described in the documentation?  In particular, have you configured the node's auth.conf as described?

Perhaps you have, because it sounds like it's the master that is complaining about authentication.  If that's the case -- though I don't know why it should be if the node permits unauthenticated kicks -- then you are probably out of luck.

Generically speaking, the SSL verification is trying to check that the certificate received belongs to the machine to which you thought you were connecting, by matching a known machine identifier to one of the names recorded in its certificate.  If the only machine identifier you have is a transient one, then such verification cannot work.

Perhaps you do have a persistent ID you could use, though.  For example, you could use MAC address for your certnames.  Supposing that you have a mapping between MAC addresses and IP numbers (e.g. from your DHCP server), then I suspect you could patch something together.  Not so easily though -- the kinds of things I have in mind probably would require writing a custom name service plugin for use on the master.


John
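To make the identity check John describes concrete, here is an added example (not from this thread, and not Puppet's own code) that models the name-matching step of certificate verification: the identifier the client used to reach the peer is compared against the names recorded in the peer's certificate. The certificate contents are constructed, with an assumed certname of node01.example.com; it shows why a transient IP such as 192.168.1.101 cannot match a certificate issued for a hostname.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    subject_cn: str
    dns_names: list = field(default_factory=list)  # subjectAltName dNSName entries
    ip_names: list = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison; a wildcard is honoured only as the
    whole left-most label (the usual RFC 6125 style rule)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(cert: Cert, reference: str) -> bool:
    """True if `reference` (hostname or IP the client connected to) is one of the
    identities the certificate was issued for."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP reference is matched only against iPAddress SAN entries,
        # never against a DNS name or the subject CN.
        return any(ipaddress.ip_address(x) == ip for x in cert.ip_names)
    # DNS reference: use the dNSName SANs; fall back to the CN only when none exist.
    names = cert.dns_names or [cert.subject_cn]
    return any(_dns_match(n, reference) for n in names)


# Constructed agent certificate, as a Puppet CA would issue for certname
# node01.example.com with a short alt name (hypothetical values).
AGENT_CERT = Cert(subject_cn="node01.example.com",
                  dns_names=["node01.example.com", "node01"])

if __name__ == "__main__":
    for ref in ("node01.example.com", "node01", "192.168.1.101"):
        print(f"{ref:>20}: {'ok' if identity_matches(AGENT_CERT, ref) else 'mismatch'}")
```

Running it shows the certname and its alt name verifying while the IP does not, which is the failure the kick command reported; only a certificate carrying that address as an iPAddress SAN would pass, and a changing address makes that impractical.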

Richard

Oct 22, 2014, 10:31:20 PM10/22/14
to puppet...@googlegroups.com
Thanks for your help.

On Tuesday, October 21, 2014 at 9:12:04 PM UTC+8, jcbollinger wrote: