puppetca --!sign


Marti

Sep 6, 2008, 2:30:35 AM9/6/08
to Puppet Users
Is there a command to reject a signing request? While obviously I can
--sign then immediately --clean, that's not a terribly good solution,
as it leaves a bit of a race condition loophole. Just trying to
--clean an unsigned cert gives an error. I've looked for documentation
on this, but can't seem to find anything.

If there's not, how would I make a feature request to either have
--clean check for and remove unsigned certs, or to add another command
to do this?

James Turnbull

Sep 6, 2008, 2:37:40 AM9/6/08
to puppet...@googlegroups.com

Marti wrote:
> Is there a command to reject a signing request? While obviously I can
> --sign then immediately --clean, that's not a terribly good solution,
> as it leaves a bit of a race condition loophole. Just trying to
> --clean an unsigned cert gives an error. I've looked for documentation
> on this, but can't seem to find anything.
>

What's the Puppet version and the error?

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)


Evan Hisey

Sep 6, 2008, 11:21:21 AM9/6/08
to puppet...@googlegroups.com

Why exactly do you need to remove unsigned? Or are you looking for a
way to permanently reject a host?

Evan

Marti

Sep 7, 2008, 1:23:49 PM9/7/08
to Puppet Users
puppet[~]$ puppetca --version
0.24.5
puppet[~]$ sudo puppetca --list
localhost.dhcp.ece.arizona.edu
puppet[~]$ sudo puppetca --clean localhost.dhcp.ece.arizona.edu
Could not find client certificate for localhost.dhcp.ece.arizona.edu

Occasionally my DHCP clients get confused about their hostname; I'd
like to simply reject bad requests like this one.

On Sep 5, 11:37 pm, James Turnbull <ja...@lovedthanlost.net> wrote:
> What's the Puppet version and the error?

Marti

Sep 7, 2008, 1:26:43 PM9/7/08
to Puppet Users
Not so concerned about permanently rejecting a host, though if there's
a way to do so, I'd be interested in knowing it. But my main goal is
to be able to keep my CA request queue empty. For now I've been
--signing and immediately --cleaning, but I figured there ought to be a
cleaner way to handle this.

Christian Kauhaus

Sep 8, 2008, 2:36:11 AM9/8/08
to puppet...@googlegroups.com
Hello!

Marti <marti...@gmail.com>:


> a way to do so, I'd be interested in knowing it. But my main goal is
> to be able to keep my CA request queue empty. For now I've been
> --signing and immediately --cleaning, but I figured there ought to be a
> cleaner way to handle this.

What you can do is to delete the request manually from $csrdir, that is
/var/lib/puppet/ssl/ca/requests on a standard puppet installation.

Regards

Christian

--
Dipl.-Inf. Christian Kauhaus <>< · k...@gocept.com · systems administration
gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 11 · fax +49 345 1229889 1
Zope and Plone consulting and development
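
The filesystem workaround Christian describes, written out as a small shell
helper. This is an added example, not code from the thread or from Puppet
itself. It assumes a default 0.24.x layout in which pending requests live in
$cadir/requests and signed certificates in $cadir/signed, with $cadir
defaulting to /var/lib/puppet/ssl/ca; the CADIR variable, the function names
and the exit codes are this example's own. Removing the request file means no
certificate is ever issued for the bogus name, so there is no window in which
a signed certificate exists, which is exactly the race the --sign/--clean
sequence leaves open. The helper refuses names that could escape the
requests directory and refuses to act on a host that already holds a signed
certificate, since that case is what puppetca --clean is for. If openssl is
present it also prints the subject embedded in the CSR, which is how you see
the confused DHCP hostname before deleting the request.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): reject a pending CSR by
# deleting it from $csrdir instead of signing and then cleaning it.
#
# Assumed default 0.24.x paths (override with CADIR=/path/to/ca):
#   $CADIR/requests/<name>.pem   pending certificate signing requests
#   $CADIR/signed/<name>.pem     certificates the CA has already signed
CADIR="${CADIR:-/var/lib/puppet/ssl/ca}"

# reject_csr NAME [CADIR]
# Exit codes (this example's own convention):
#   0 request removed, 1 no such request, 2 unsafe name, 3 host already signed
reject_csr() {
    name=$1
    cadir=${2:-$CADIR}
    csr="$cadir/requests/$name.pem"
    signed="$cadir/signed/$name.pem"

    # Never let a certname like "../signed/host" walk out of the requests dir.
    case $name in
        ''|*/*|.|..)
            echo "reject_csr: refusing unsafe name '$name'" >&2
            return 2 ;;
    esac

    # A host that already has a signed cert is not "pending"; deleting its
    # CSR would do nothing useful and might hide that it was ever signed.
    if [ -f "$signed" ]; then
        echo "reject_csr: $name already has a signed certificate;" \
             "use 'puppetca --clean $name' instead" >&2
        return 3
    fi

    if [ ! -f "$csr" ]; then
        echo "reject_csr: no pending request for $name" >&2
        return 1
    fi

    # Show what the client actually asked for before throwing it away.
    if command -v openssl >/dev/null 2>&1; then
        openssl req -in "$csr" -noout -subject 2>/dev/null \
            || echo "reject_csr: could not parse $csr as a CSR" >&2
    fi

    rm -f -- "$csr"
    echo "rejected request for $name"
    return 0
}

# list_csrs [CADIR]: the pending queue as seen on disk, one name per line.
list_csrs() {
    cadir=${1:-$CADIR}
    for f in "$cadir"/requests/*.pem; do
        [ -f "$f" ] || continue
        b=${f##*/}
        echo "${b%.pem}"
    done
}

# Run as a script: reject_csr.sh <name>   (does nothing when sourced/tested)
if [ $# -gt 0 ]; then
    reject_csr "$@"
fi
```

Run it as root on the puppetmaster, e.g. `./reject_csr.sh localhost.dhcp.ece.arizona.edu`; `puppetca --list` (or `list_csrs`) afterwards should show the queue empty. Because the request is simply gone rather than revoked, a client that resubmits will reappear in the queue, so this empties the queue but does not block a host.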

James Turnbull

Sep 8, 2008, 2:38:29 AM9/8/08
to puppet...@googlegroups.com

Marti

Feature requests at:

http://reductivelabs.com/redmine/

Regards

James Turnbull

