Nigel, part of the problem is that I do not have a good understanding of
what happens during the whole cert process and what will break or make a
trust between the client and the server.

Our imaging process takes an OS base image with a few apps that include
Puppet and Facter and installs it on the Mac. This is done over the network. When
the Mac reboots it sets the hostname of the computer to the Mac's serial
number and auto-starts puppet. I do have my puppetmaster (CA) set to
autosign certs, eliminating my intervention. This process is working well.

The issue comes up when I have to re-image a device. The client is wiped
completely and everything including puppet is re-installed. However, if I
don't clear the cert on the puppetmaster, the communication fails when the
device comes back on-line.

It seems that if I could create a 'generic' cert and make it part of the
image and instruct the puppet client to always use this cert, then it would
not matter if the client was re-imaged or not. Correct? Or am I missing
something? Then I could also turn off the 'autosign' function and then only
the machines that I have imaged with the generic cert would be able to talk
to the puppetmaster.

Thanks for your replies and help with this.

-kurt

On Tue, Jun 30, 2009 at 3:25 PM, Nigel Kersten <nig...@google.com> wrote:

>
> On Tue, Jun 30, 2009 at 3:19 PM, Kurt Engle<kurt.en...@gmail.com> wrote:
> > Pre-generating all the certs would be very time consuming with hundreds of
> > machines to deal with. Also, we would need to create a specific image for
> > each machine which would be an even bigger nightmare from my understanding.
>
> No. I'm suggesting that you hook this in as a post-action for your
> imaging process. Simple to do with NetRestore or DeployStudio or any
> of the common Mac imaging programs.
>
> If you already have an asset database, you could query serials there
> and pre-generate them regularly on your CA. It's not a time consuming
> process at all to generate hundreds of certs.
>
>
> > We used the serial number as the hostname since the serial number on the
> > device does not change. Uuidgen generates a new string each time it is run.
> >
> > What I am trying to accomplish is the ability to have a device communicate
> > with the puppetmaster server without need of intervention from me. I need to
> > be able to have a tech at a remote location completely re-image a device and
> > run puppet without having to wait for me to do something with the certs.
> >
> > Is there a way to install a 'generic' cert on all the clients that I can
> > make part of my image so that no matter what happens to the client, it will
> > always have the correct cert?
>
> Why not switch your CA to autosign then? It sounds like you're needing
> to subvert the cert signing process.
>
> The best solution is going to depend a lot on your imaging process.
> How is it currently done?
>
> >
> > -kurt
> >
> > On Tue, Jun 30, 2009 at 2:24 PM, Nigel Kersten <nig...@google.com>
> wrote:
> >>
> >> On Tue, Jun 30, 2009 at 2:03 PM, engle<kurt.en...@gmail.com> wrote:
> >> >
> >> > Well, that is what we are doing right now. However, when dealing with
> >> > potentially hundreds of machines, this gets a little awkward and
> >> > unmanageable. We are a school district and spend most of the summer
> >> > imaging hundreds of Macs. This is the case every summer. As these
> >> > machines change their function during the year, they will have to be
> >> > re-imaged thus prompting action on the cert. If we could just image
> >> > them with a cert already installed, then there would be no issue.
> >>
> >> Why can't you do this? Pre-generate all the certs, and add them in as
> >> part of your imaging process?
> >>
> >> Alternatively, stop the mapping between serial and certname, and use a
> >> UUID or something for the certname, and work out some way of cleaning
> >> out your obsolete certificates.
> >>
> >> >
> >> > The timing of when a device gets re-imaged and when the cert is
> >> > deleted is key and hard to achieve in our environment. We do not have
> >> > the expertise throughout our staff to allow a sudo operation to delete
> >> > the cert.
> >> >
> >> > What is the process of using a common cert on all the puppet clients?
> >> > I would like to test this out to see if it would work for our
> >> > environment.
> >> >
> >> > Thanks
> >> >
> >> > -kurt
> >> >
> >> > On Jun 30, 11:36 am, Mike Renfro <ren...@tntech.edu> wrote:
> >> >> On 6/30/2009 1:26 PM, engle wrote:
> >> >>
> >> >> > So, would it be best to use a single cert for all of the clients or
> >> >> > is
> >> >> > there a better way to deal with this sort of setup?
> >> >>
> >> >> Run
> >> >>
> >> >>    puppetca --clean host.to.be.imaged
> >> >>
> >> >> on the puppetmaster as it's being imaged? If you're doing the reimaging,
> >> >> should just be one extra step in your procedure. If you're not the one
> >> >> doing the reimaging, can you set up a sudo entry on the puppetmaster to
> >> >> allow the other folks to clean old certs? Or set up a simple web form to
> >> >> clean a particular cert?
> >> >>
> >> >> Other than that, I guess another option would be to save the puppet ssl
> >> >> directory before the client drive gets reformatted, and restore it back
> >> >> to the drive before puppet starts up again.
> >> >>
> >> >> I'd be wary of using the same certs on multiple systems unless they were
> >> >> in an isolated environment (and possibly even then). Same reason as for
> >> >> not using the same ssh host key for all your systems.
> >> >>
> >> >> --
> >> >> Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
> >> >> 931 372-3601 / Tennessee Technological University
> >>
> >> --
> >> Nigel Kersten
> >> nig...@google.com
> >> System Administrator
> >> Google, Inc.
>
> --
> Nigel Kersten
> nig...@google.com
> System Administrator
> Google, Inc.
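Added example, not code from anyone in this thread: a small CA-side wrapper for the "sudo entry" or "web form" that Mike suggests, so that a tech can clean exactly one client's certificate (keyed by the Mac serial used as the certname) without being handed the full `puppetca` command. The certname is validated before it reaches the CA, which is the part that matters when the caller is a restricted sudo rule or a web form rather than you. The `puppetca` path, the serial-number shape (alphanumeric, 8 to 16 characters) and the sample certname are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): CA-side wrapper that cleans one
# client certificate by certname before the re-imaged client reconnects.
# Assumptions: certnames are Mac serial numbers (letters/digits only), and
# PUPPETCA below is a placeholder path for the local puppetca binary.

PUPPETCA=${PUPPETCA:-/usr/sbin/puppetca}   # placeholder path; adjust locally
DRY_RUN=${DRY_RUN:-0}                      # 1 = print the command instead of running it

# Accept only certnames that look like a serial number: 8-16 alphanumeric
# characters. Rejecting anything else keeps shell metacharacters, spaces and
# wildcard patterns out of the puppetca invocation, so a sudo rule or web
# form that calls this script cannot be turned into "clean everything".
validate_certname() {
    case "$1" in
        '')              return 1 ;;   # empty certname
        *[!A-Za-z0-9]*)  return 1 ;;   # any non-alphanumeric character
    esac
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 16 ]
}

# Build the exact command line that will run, so callers (and tests) can
# inspect it before anything touches the CA. Returns non-zero on a bad name.
build_clean_cmd() {
    validate_certname "$1" || return 1
    printf '%s --clean %s\n' "$PUPPETCA" "$1"
}

# Remove the stale signed cert for one client from the CA. After this the
# re-imaged client's new CSR can be signed (by hand or by autosign) instead
# of failing against the old cert.
clean_cert() {
    cmd=$(build_clean_cmd "$1") || {
        echo "refusing certname: '$1'" >&2
        return 2
    }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        "$PUPPETCA" --clean "$1"
    fi
}

# When run as a script with a serial as the first argument, clean that cert.
# Example (constructed serial): DRY_RUN=1 ./clean-puppet-cert.sh W87311ABCDE
if [ "$#" -gt 0 ]; then
    clean_cert "$1"
fi
```

Point the sudo entry (or the web form's backend) at this wrapper rather than at `puppetca` itself: the only thing the caller can influence is the certname, and only a name that passes `validate_certname` is ever passed on. Hook the same call into the imaging post-action and the cert is cleaned at the moment the machine is re-imaged, which removes the timing problem discussed above.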
