July 13, 2011

The manner in which Puppet manages its SSL certification is an atrocity: dropped requests, broken revoking and more obscure error messages forwarded from the bowels of OpenSSL than I can shake a stick at. Such problems are so obtuse that I’ve found it simpler just to purge puppet and puppetmaster from my cluster machines and start over from scratch. Clearly this will not fly once I’m into production.

The Puppet manual glosses over these difficulties by providing you with a virtual machine image with which to play, all pre-configured and humming. While convenient, it obscures an important problem: managing SSL certificates is too damned complicated and Puppet is terrible at aiding the end-user in this task.

3:35pm
Filed under: devops puppet ssl openssl grouch 
  1. zentrope said: Sometimes the idea of putting everything in Debian packages and then just pulling them down on a schedule starts to make sense.
  2. troutwine posted this