On Wed, Jul 1, 2009 at 9:02 AM, Kurt Engle<kurt.en...@gmail.com> wrote:
> Thanks for the suggestions.
>
> Wouldn't I achieve the same outcome with using a single cert for all
> machines without the need for special scripts to delete certs from the
> server and delete files from the client?

I like being able to still revoke an individual certificate centrally.

> Also, with respect to autosign...
> would I really be able to turn it off using the SSH method below? Doesn't
> the client still have to ask the server for a cert after it has been
> re-imaged? With a single cert, it seems that the client would already have a
> cert that I have distributed with the image and therefore, would not have to
> ask for a cert and autosign could be turned off.
>

I think the plan would be to ship an ssh key on the image and do:

* ssh to puppet CA, generate cert
* copy certificate(s) to client

Then the client wouldn't need to ask for a certificate.

> -kurt
>
>
> On Tue, Jun 30, 2009 at 4:47 PM, Nigel Kersten <nig...@google.com> wrote:
>>
>> On Tue, Jun 30, 2009 at 4:32 PM, Michael Semcheski<mhsemche...@gmail.com>
>> wrote:
>> >
>> > On Tue, Jun 30, 2009 at 6:36 PM, Kurt Engle<kurt.en...@gmail.com> wrote:
>> >> Our imaging process takes an OS base image with a few apps that include
>> >> Puppet and Facter and installs it on the Mac. This is over the network.
>> >> When
>> >> the Mac reboots it sets the hostname of the computer to the Mac's
>> >> serial
>> >> number and auto starts puppet. I do have my puppetmaster (CA) set to
>> >> autosign certs, eliminating my intervention. This process is working
>> >> well.
>> >
>> > What if you add an ssh key to the base OS image, and a script to be
>> > run that contacts the puppet server using the ssh key, and clears any
>> > cert that may exist for that client.  (It could also add the newly
>> > created cert..)  You can set the ssh server to recognize that when
>> > that key (from the base image) is used, the only command that may be
>> > run is /usr/sbin/puppetca.
>> >
>> > That way, when the machine is reimaged, after its first boot it takes
>> > care of the certification issue.  Then, once puppet is running on the
>> > machine, you could have it remove the ssh key and the startup script.
>>
>> I like this idea. You could even turn off autosign then.
>>
>>
>>
>> --
>> Nigel Kersten
>> nig...@google.com
>> System Administrator
>> Google, Inc.
-- 
Nigel Kersten
nig...@google.com
System Administrator
Google, Inc.
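The forced-command setup Michael and Nigel describe (an ssh key baked into the image that is only allowed to run puppetca on the CA) can be expressed as a small sshd wrapper. The following is an added example, not code from the thread or from Puppet itself. It assumes the wrapper is installed at /usr/local/sbin/puppetca-wrapper on the CA, that puppetca lives at /usr/sbin/puppetca, and that the image key's authorized_keys entry forces that wrapper; the certnames and the sample key are constructed. The wrapper only accepts "clean NAME" or "generate NAME", and only for a NAME that looks like a plain hostname, so the shared image key cannot be used to reach any other puppetca option (for instance --clean --all) or to smuggle extra shell words in.

```sh
#!/bin/sh
# puppetca-wrapper: sshd forced command for the image-wide provisioning key.
# Added example for the thread above; paths and certnames are assumptions.
PUPPETCA=/usr/sbin/puppetca
WRAPPER=/usr/local/sbin/puppetca-wrapper

# Accept only plain hostname-style certnames (serial numbers, optionally
# with a domain). Rejects empty strings, anything starting with '-', and
# every shell metacharacter, so a caller cannot add puppetca options or
# extra commands through the name.
valid_certname() {
    case "$1" in
        '' | *[!A-Za-z0-9.-]*) return 1 ;;
        -*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map an allowed action plus certname to the exact puppetca command line.
# Prints the command on success; returns 1 for anything not whitelisted.
plan_puppetca_command() {
    action=$1
    name=$2
    valid_certname "$name" || return 1
    case "$action" in
        clean)    echo "$PUPPETCA --clean $name" ;;
        generate) echo "$PUPPETCA --generate $name" ;;
        *)        return 1 ;;
    esac
}

# Build the authorized_keys line for the image key: forced command plus
# the usual restrictions so the key is useless for anything but this wrapper.
authorized_keys_line() {
    pubkey=$1
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$WRAPPER" "$pubkey"
}

# Entry point when invoked by sshd: the client's requested command arrives
# in SSH_ORIGINAL_COMMAND, e.g. "clean C02ABC123" then "generate C02ABC123".
dispatch() {
    set -f                          # no globbing while we split the request
    set -- $SSH_ORIGINAL_COMMAND
    set +f
    if [ $# -ne 2 ]; then
        echo "usage: clean|generate CERTNAME" >&2
        return 2
    fi
    cmd=$(plan_puppetca_command "$1" "$2") || {
        echo "rejected request: $1 $2" >&2
        return 2
    }
    # $cmd holds only validated words, so unquoted expansion is intentional.
    $cmd
}

# Only act when sshd hands us a request; sourcing the file for its
# functions (or running it by hand) does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch
fi
```

On the client side the first-boot script would run `ssh -i /etc/puppet/image_key puppet-ca clean "$(hostname)"` followed by `... generate "$(hostname)"`, copy the resulting certificate and key into its own ssldir (the location of the generated files is a puppetca detail not fixed by the thread), and then remove the image key and the script as Michael suggests. Because each machine still ends up with its own certificate, the central revocation Nigel wants to keep continues to work.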
