I understand your point. I guess the SSL layer will render the request as illegitimate, but even if it doesn't, it may be playing with fire :)
Thanks all for your thoughts, let me then present this as a generic question: did anybody try puppet on image-based systems? It would be wonderful to get some first-hand hints.

Thanks again!

BR/Pablo

On 01/09/2014 04:05 PM, jcbollinger wrote:
> On Thursday, January 9, 2014 6:40:42 AM UTC-6, [email protected] wrote:
>
> > Thanks for your suggestions,
> >
> > Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur.
> >
> > Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it.
> >
> > Does the certificate name need to match the fqdn for puppet to allow connections?
>
> I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to /identify/ it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way.
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
