On Thursday, January 9, 2014 6:40:42 AM UTC-6, [email protected] wrote:
>
> Thanks for your suggestions,
>
> Running masterless is a bit too exotic, since we would like to use all
> those nice features that make a Puppet installation complete: especially
> hiera searches and PuppetDB. Modules, too, should be compatible with other
> clusters, so no big deviations can occur.
>
> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
> just checked myself if autosign works if the same node was already
> registered in the CA... but according to the documentation it does not look
> like it, not to mention the security issues that come with it.
>
> Does the certificate name need to match the fqdn for puppet to allow
> connections?
>
I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to *identify* it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way.

John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com.
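The mechanism behind John's point, that the master keys both authorization and identity on the certname in the agent's certificate, is visible in the legacy auth.conf rules Puppet 3 ships with. What follows is an added example written for this page, not code from the thread or from Puppet itself: a small Python evaluator for that rule format (only the `path`, `method` and `allow` directives are modelled, and request paths are given as auth.conf sees them, without the leading environment segment), run over constructed sample rules and requests. The last function shows what the master records when several hosts present one shared certificate versus one certificate each.

```python
# Added example, not code from the thread or from Puppet: a minimal
# evaluator for the legacy (Puppet 3) auth.conf rule format, covering only
# the `path`, `method` and `allow` directives. Request paths are given as
# auth.conf sees them, without the leading environment segment.
import re
from dataclasses import dataclass, field

# Constructed sample: the stock rules for three endpoints an agent touches
# in a run. In a regex path, `$1` in `allow` is the first capture group,
# i.e. the node name embedded in the request URL.
SAMPLE_AUTH_CONF = """
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/report/([^/]+)$
method save
allow $1

path /file
allow *
"""


@dataclass
class Rule:
    path: str
    regex: bool = False
    methods: set = field(default_factory=set)   # empty set: any method
    allow: list = field(default_factory=list)


def parse_auth_conf(text):
    """Parse auth.conf text into an ordered list of Rule objects."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            if value.startswith("~ "):
                current = Rule(path=value[2:].strip(), regex=True)
            else:
                current = Rule(path=value)
            rules.append(current)
        elif current is None:
            raise ValueError(f"directive before any path: {line!r}")
        elif key == "method":
            current.methods.update(v.strip() for v in value.split(","))
        elif key == "allow":
            current.allow.extend(v.strip() for v in value.split(","))
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return rules


def match_path(rule, path):
    """Capture groups (a tuple) if the rule's path matches, else None.
    Plain (non-regex) paths match as prefixes."""
    if rule.regex:
        m = re.search(rule.path, path)
        return m.groups() if m else None
    return () if path.startswith(rule.path) else None


def allow_matches(pattern, certname, groups):
    """One `allow` entry against the certname from the client certificate:
    `$n` back-references, `*`, `*.domain`, or an exact certname."""
    for i, group in enumerate(groups, start=1):
        pattern = pattern.replace(f"${i}", group)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return certname.endswith(pattern[1:])
    return pattern == certname


def authorize(rules, method, path, certname):
    """First rule whose path and method both match decides. A rule whose
    path matches but whose method does not falls through; no match is a deny."""
    for rule in rules:
        groups = match_path(rule, path)
        if groups is None or (rule.methods and method not in rule.methods):
            continue
        return any(allow_matches(p, certname, groups) for p in rule.allow)
    return False


def identities_seen(rules, requests):
    """Given (certname, path) pairs for catalog fetches, return the set of
    node identities the master can tell apart. With one shared certificate
    this collapses to a single name however many hosts are behind it."""
    return {cert for cert, path in requests
            if authorize(rules, "find", path, cert)}


if __name__ == "__main__":
    rules = parse_auth_conf(SAMPLE_AUTH_CONF)
    own = [(f"web{i:02d}.example.com", f"/catalog/web{i:02d}.example.com")
           for i in range(1, 4)]
    shared = [("worker.example.com", "/catalog/worker.example.com")] * 3
    print("one cert per host:", sorted(identities_seen(rules, own)))
    print("one shared cert:  ", sorted(identities_seen(rules, shared)))
```

With one certificate per host, `web01.example.com` is allowed `/catalog/web01.example.com` and denied `/catalog/web02.example.com`, and a report for `web02` is refused if it arrives under `web01`'s certificate; with a shared certificate every host is both authorized for, and indistinguishable within, the same single identity, which is the "they all claim to be the same machine" situation above.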
