Forum: Cfengine Help
Subject: Re: Cfengine Help: Old cfengine client, new localhost.priv localhost.pub keys (Nova)
Author: debheller
Link to topic: https://cfengine.com/forum/read.php?3,21215,21217#msg-21217

Mike,

Thanks for responding!

1. We already do that - we trust our hosts on certain network ACLs.

2. The support script is where I was moving towards, but correlating the host's old pubkey may be an issue. Things have changed from Nova 1.x to 2.x as to how the keys are managed. Modification upkeep is a problem here since history has shown that Cfengine changes things up considerably without letting users know ahead of time what changes to expect (key changes being just one). This is an ongoing problem for us.

3. The clones are used instead of kickstart, what have you, at the moment. Since this case had a disk that could not be recovered, we were not able to preserve the private key. A new one was generated, leaving the problem of having a crusty, left-over public key on the server, possibly using up a license. Cleaning up this cruft is the goal.

So, it looks like I'm down to identifying the crufty pub key(s) and removing such from the policy & distribution servers. Unfortunately, correlating the key in /var/cfengine/ppkeys is a problem, as there is no hostname associated with the key externally (i.e., outside the database) of which I'm aware. This is where I hope there is some function inside of Cfengine that I can use to determine which key goes with which host, without me having to do the work of correlating the key-hostnames upfront.

I can hope, right???? :-)