I'm about to deal with the same issue. This certainly isn't a Mac only issue.
The way I see it, a "puppetca --clean <machineName>" needs to be executed on the server. I figure either a puppet admin has to do it, which is labor intensive, or a script can do it. I haven't figured out a way for the script to know which certs to clear though.

I was thinking of setting up an authenticated web page that would allow field techs to submit a FQDN to a list, then a cron job on the server would check the list every X minutes and clear those certs.

What do other shops do? Please let us know.

---
Thanks,
Allan Marcus
505-667-5666

On Jun 30, 2009, at 12:26 PM, engle wrote:

> I am trying to come up with a workable solution in managing numerous
> Mac workstations allowing a high degree of flexibility with regards to
> certs.
>
> My puppet environment is setup to application installation on machines
> that have been 'imaged' with a base OS and the puppet and facter apps.
> So, when a Mac is 'imaged' and subsequently re-booted, puppet is run
> at startup, a cert is created and autosigned (I know that is not
> recommended...but...) and queries are performed on our LDAP database
> and apps are installed based upon the Mac's membership in various
> groups.
>
> My issue is with machines that need to be re-imaged. I am not real
> well versed on how certs and CA's function, but the newly imaged
> device fails to get a new cert from the CA (puppetmaster) and the CA
> complains that it has a cert for the device that does not match the
> request.
>
> So, would it be best to use a single cert for all of the clients or is
> there a better way to deal with this sort of setup?
>
> Thanks for any replies,
>
> Kurt Engle
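
Added example, not part of the original messages: a sketch of the server-side cron worker for the "submit an FQDN to a list" idea above, validating each submitted name before it reaches `puppetca --clean`, since the list is fed by a web form and the job runs with CA privileges. The queue and log paths, the one-name-per-line format, and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example: cron-side worker for the "submit an FQDN, clear its cert" idea.
# Assumed, not from the thread: queue/log paths and one FQDN per line.
QUEUE="${QUEUE:-/var/lib/puppet/cert-clean.queue}"
LOG="${LOG:-/var/log/puppet-cert-clean.log}"
CLEAN_CMD="${CLEAN_CMD:-puppetca --clean}"   # command quoted in the thread
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'

# Accept only dot-separated DNS labels. This rejects shell metacharacters,
# path separators, and leading dashes that puppetca would parse as options.
valid_fqdn() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^${LABEL}(\\.${LABEL})+\$"
}

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# Clean every valid name in the queue; print how many certs were cleaned.
process_queue() {
    pq_cleaned=0
    [ -s "$QUEUE" ] || { echo 0; return 0; }
    # Rename the queue first so names submitted during the run are not lost.
    pq_work="$(mktemp "${QUEUE}.XXXXXX")" || return 1
    mv -f -- "$QUEUE" "$pq_work" || return 1
    while IFS= read -r pq_name || [ -n "$pq_name" ]; do
        pq_name="$(printf '%s' "$pq_name" | tr -d '\r')"
        [ -n "$pq_name" ] || continue
        if ! valid_fqdn "$pq_name"; then
            # Log only printable characters of rejected input.
            log "REJECTED $(printf '%s' "$pq_name" | tr -cd '[:print:]')"
            continue
        fi
        # $CLEAN_CMD is word-split on purpose; the name is a single argument.
        # stdin is /dev/null so the command cannot consume the queue.
        if $CLEAN_CMD "$pq_name" < /dev/null >> "$LOG" 2>&1; then
            log "CLEANED $pq_name"; pq_cleaned=$((pq_cleaned + 1))
        else
            log "FAILED $pq_name"
        fi
    done < "$pq_work"
    rm -f -- "$pq_work"
    echo "$pq_cleaned"
}

# Cron entry calls the script with --run; sourcing it only defines functions.
if [ "${1:-}" = "--run" ]; then process_queue; fi
```

The log keeps a record of who-knows-which names were cleaned and which submissions were rejected, which matters on an autosigning CA where a cleaned name will be re-signed for the next host that requests it.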