Hi Felix, thanks for your reply. Yeah, I read that documentation, but this still seems not so clear to me.

Here is my situation: I installed puppet on several hosts and signed certificates for them on master with puppetca some time ago. Recently I decided to rewrite my manifests and deny all servers to retrieve configs from master for that time. So I did puppetca --clean --all. This deleted all certificates from master as I wanted, but hosts are still fetching configs and I can't stop this now. I can't revoke them as well because puppetca says there is no certificate for any host on master.

Probably I can generate the certificates on master for all the hosts and then revoke them, but this solution looks not right to me (and I'm not sure this will work ok). Is there any more proper way to do this? If not, how can I let the hosts continue to retrieve configs after revoking certificates from them?
Thanks for all help and suggestions!

--
Paul Johnson

2009/1/18 Felix Schäfer <schae...@cypres-it.com>
>
> Hello,
>
> On 17.01.2009 at 19:25, Paul Johnson wrote:
>
> > I have an issue with removing certificate from puppetmaster. When I
> > initially connect from client to master, then sign csr using
> > puppetca on master I can successfully retrieve catalog on client,
> > but if I run puppetca --clean $hostname I am still able to retrieve
> > facts and catalog from master. I even deleted signed certificate
> > from $ssldir/ca/signed folder on master and still able to retrieve
> > catalog. How can this be fixed?
>
> --clean is not the same as --revoke: the former removes a host from
> the list of pending requests, the latter removes the "right" of a
> client to talk to the master. Have a look at
> http://reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity
> for more details on certificates in puppet.
>
> Felix Schäfer
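The following is an added example, not part of the original thread and not Puppet's own code. It illustrates the general X.509 behaviour behind the clean-versus-revoke distinction discussed above: a client certificate keeps verifying after the CA deletes its stored copy, and is only rejected once the verifier checks a CRL that lists it. It uses the plain openssl CLI rather than puppetca, with a throwaway CA; all file names and subject names are constructed.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CA in a temp dir; every name here is made up.
set -e
check() {  # prints "valid" or "rejected" for agent.pem; extra args go to openssl verify
  if openssl verify -CAfile ca.pem "$@" agent.pem >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}
run_demo() {
  cd "$(mktemp -d)"
  mkdir signed; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./signed
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  {  # create the CA, the agent's key and CSR, then sign the CSR
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca -keyout ca.key -out ca.pem
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=agent.example.test -keyout agent.key -out agent.csr
    openssl ca -config ca.cnf -batch -notext -in agent.csr -out agent.pem
  } >/dev/null 2>&1
  before=$(check)            # freshly signed certificate
  rm signed/*.pem            # CA deletes its stored copy; the agent's agent.pem is untouched
  after_delete=$(check)      # the CA signature on agent.pem is still good
  {  # revoke by presenting the certificate, then publish a CRL
    openssl ca -config ca.cnf -revoke agent.pem
    openssl ca -config ca.cnf -gencrl -out crl.pem
  } >/dev/null 2>&1
  after_revoke=$(check -crl_check -CRLfile crl.pem)
  echo "$before $after_delete $after_revoke"
}
(run_demo)   # prints: valid valid rejected
```

The revoke step needs either the certificate itself or its entry in the CA database, and rejection only happens when the verifying side actually loads the current CRL.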