Reusing host names with puppet and SSL certificates


Galed Friedmann

Oct 17, 2011, 10:53:15 AM10/17/11
to puppet...@googlegroups.com
Hello all,
I'm trying to figure some things out with SSL and would appreciate some help or best practices here.

I'm implementing auto scaling over Amazon EC2 for some services I have. All of the instances are based on the same AMI, and I'm using Puppet to configure the hosts when they come up to make sure they have the latest configuration. I'm also using some exported resources in order to configure other instances that need to use their details.

My auto scaling environment is supposed to be dynamic and go up and down as needed. I also need to use host names that will differentiate one host from the other and have some ID. Currently, when a host comes up it gets an ID between 1 and 25 (depending on what's available) and comes up with that.

My problem is that sometimes a node goes down, and then a new node comes up and takes its number (which is alright), but then puppetmaster refuses to let it come up because obviously it now has a different SSL certificate than the one that was previously up.

Is there a best practice or a solution for this problem? I do need to use the same hostnames sometimes for instances that generate new certificates when they come up. I've been trying to clean the certificates once in a while for instances that are no longer responding, but that didn't go very well, and I also understand that I need to restart the master in order for that to take effect, which I don't want to do.

One solution that I thought about is to generate a certificate for each hostname and make sure that when an instance comes up it gets the specific certificate that was already generated and signed by the master. Is this a good idea? Any other thoughts about this?

Thanks,
Galed.

James A. Peltier

Oct 17, 2011, 11:05:16 AM10/17/11
to puppet...@googlegroups.com
----- Original Message -----
<snip>
| Is there a best practice or a solution for this problem? I do need to use
| the same hostnames sometimes for instances that generate new certificates
| when they come up, I've been trying to clean the certificates once in a
| while for instances that are no longer responding but that didn't go very
| well and I also understand that I need to restart the master in order for
| that to take effect which I don't want to do.
|
| One solution that I thought about is to generate a certificate for each
| hostname and make sure that when an instance comes up it gets the specific
| certificate that was already generated and signed by the master. Is this a
| good idea? Any other thoughts about this?
|
| Thanks,
| Galed.
|

I use server generated certificates and copy those certificates to the host upon re-install. Works very well for me.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpel...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
I will do the best I can with the talent I have
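The approach Galed proposes and James confirms (one cert per reusable hostname, generated and signed once on the master, then copied to whichever instance takes that slot) can be scripted. The script below is an added example written for this thread, not code from either poster or from the Puppet project. It assumes the slot names `web-01.example.internal` to `web-25.example.internal`, Puppet 2.7's default ssldir `/var/lib/puppet/ssl` on the CA master (overridable with `PUPPET_SSLDIR`), and the `puppet cert generate` / `puppet cert clean` actions of that release.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): pre-generate one Puppet
# cert per reusable hostname slot on the CA master and bundle the files a
# re-installed instance needs. Naming scheme and paths are assumptions.
set -eu

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/var/lib/puppet/ssl}"   # Puppet 2.7 default
DOMAIN="${DOMAIN:-example.internal}"                    # assumed domain

# Hostname for slot N, e.g. web-03.example.internal (assumed naming scheme).
slot_name() {
    printf 'web-%02d.%s\n' "$1" "$DOMAIN"
}

# Generate key, CSR and signed cert for NAME on the CA master, but only if
# the master does not already hold a signed cert for that name.
ensure_cert() {
    name="$1"
    if [ ! -f "$PUPPET_SSLDIR/certs/$name.pem" ]; then
        puppet cert generate "$name"
    fi
}

# Retire the current cert for NAME (clean removes it from the CA and adds it
# to the CRL) and issue a fresh one. Use this when a slot's key may have
# leaked with a lost instance, instead of cleaning certs ad hoc.
reissue_cert() {
    name="$1"
    puppet cert clean "$name"
    puppet cert generate "$name"
}

# Copy the three files an agent needs (its cert, its private key, the CA
# cert) into DEST, mirroring the ssldir layout. Returns 1 if any is missing.
bundle_cert() {
    name="$1"; dest="$2"
    for rel in "certs/$name.pem" "private_keys/$name.pem" "certs/ca.pem"; do
        if [ ! -f "$PUPPET_SSLDIR/$rel" ]; then
            echo "missing $PUPPET_SSLDIR/$rel" >&2
            return 1
        fi
    done
    mkdir -p "$dest/certs" "$dest/private_keys"
    cp "$PUPPET_SSLDIR/certs/$name.pem" "$dest/certs/$name.pem"
    cp "$PUPPET_SSLDIR/certs/ca.pem" "$dest/certs/ca.pem"
    cp "$PUPPET_SSLDIR/private_keys/$name.pem" "$dest/private_keys/$name.pem"
    chmod 700 "$dest/private_keys"            # key material stays private
    chmod 600 "$dest/private_keys/$name.pem"
    return 0
}

# Entry point, only when an output directory is given (run on the CA master):
#   sh prepare_slots.sh /srv/slot-bundles
# Produces one bundle per slot, to be copied into the new instance's ssldir
# before its first agent run.
if [ "$#" -gt 0 ]; then
    outdir="$1"
    i=1
    while [ "$i" -le 25 ]; do
        n=$(slot_name "$i")
        ensure_cert "$n"
        bundle_cert "$n" "$outdir/$n"
        i=$((i + 1))
    done
fi
```

On the instance, the bundle for its slot is copied over the agent's ssldir and `certname` is set to the slot name (in `puppet.conf` or with `puppet agent --certname web-03.example.internal`), so the agent presents the already signed cert and the master sees the same identity it did for the previous holder of that slot. The bundles contain private keys, so the distribution channel matters as much as the script: each instance should only be able to fetch the bundle for the slot it was assigned.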

Alexandre Fouché

Oct 18, 2011, 8:31:48 AM10/18/11
to puppet...@googlegroups.com
As far as I could see, the Puppet cloud provisioner also generates a random name and creates a certificate request based on it. Then the Puppet client is run with the certname option set to this previously generated hostname.
