Well, the suggestion to have the client do it via a SSH command is a good one and is working for me. Thanks to Michael and Nigel for pointing me in this direction. I just need to formalize the process in my environment.
However (there is always a however). I am still a little shaky on the whole cert process. One thing that I have noticed is that I can run a 'puppetca -c <host>' on the server, but the client <host> is still able to communicate with the server and get its catalog. I do not understand how that could be.

-kurt

On Thu, Jul 2, 2009 at 8:56 AM, Allan Marcus <al...@lanl.gov> wrote:
> I'm about to deal with the same issue. This certainly isn't a Mac only
> issue.
>
> The way I see it a "puppetca --clean <machineName>" needs to be
> executed on the server.
>
> I figure either a puppet admin has to do it, which is labor intensive,
> or a script can do it. I haven't figured out a way for the script to
> know which certs to clear though. I was thinking of setting up an
> authenticated web page that would allow field techs to submit a FQDN
> to a list, then a cron job on the server would check the list every X
> minutes and clear those certs.
>
> What do other shops do? Please let us know.
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
> On Jun 30, 2009, at 12:26 PM, engle wrote:
>
> > I am trying to come up with a workable solution in managing numerous
> > Mac workstations allowing a high degree of flexibility with regards to
> > certs.
> >
> > My puppet environment is setup to application installation on machines
> > that have been 'imaged' with a base OS and the puppet and facter apps.
> > So, when a Mac is 'imaged' and subsequently re-booted, puppet is run
> > at startup, a cert is created and autosigned (I know that is not
> > recommended...but...) and queries are performed on our LDAP database
> > and apps are installed based upon the Mac's membership in various
> > groups.
> >
> > My issue is with machines that need to be re-imaged. I am not real
> > well versed on how certs and CA's function, but the newly imaged
> > device fails to get a new cert from the CA(puppetmaster) and the CA
> > complains that it has a cert for the device that does not match the
> > request.
> >
> > So, would it be best to use a single cert for all of the clients or is
> > there a better way to deal with this sort of setup?
> >
> > Thanks for any replies,
> >
> > Kurt Engle
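
The cron-side half of the queue idea in Allan's message, sketched as an added example that is not part of the thread or of Puppet itself: every submitted name is validated before it reaches `puppetca --clean`, so a queue entry cannot be read as an option or as shell syntax. The `PUPPETCA` and `ALLOWED_SUFFIX` variables, the function names, the queue file and the `.example.com` domain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-side worker for a queue of re-imaged hostnames.
# Assumed names (not from the thread): PUPPETCA, ALLOWED_SUFFIX, the queue file.
LC_ALL=C; export LC_ALL                           # make [a-z] mean ASCII only
PUPPETCA="${PUPPETCA:-puppetca}"
ALLOWED_SUFFIX="${ALLOWED_SUFFIX:-.example.com}"  # constructed placeholder domain

# Succeed only for a lowercase FQDN that ends in ALLOWED_SUFFIX.
valid_fqdn() {
    name=$1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        ""|.*|-*|*..*|*.-*|*-.*|*[!a-z0-9.-]*) return 1 ;;  # "-*" blocks option injection
    esac
    case $name in
        *"$ALLOWED_SUFFIX") return 0 ;;
    esac
    return 1
}

# Read one hostname per line from file $1 and clean the certificate of each
# valid entry. Prints a summary line: "cleaned=N rejected=M".
process_queue() {
    queue=$1; cleaned=0; rejected=0; lineno=0
    while IFS= read -r host || [ -n "$host" ]; do
        lineno=$((lineno + 1))
        [ -n "$host" ] || continue
        if valid_fqdn "$host"; then
            # stdin from /dev/null so the command cannot eat the rest of the queue
            "$PUPPETCA" --clean "$host" </dev/null >/dev/null \
                && cleaned=$((cleaned + 1))
        else
            # log the line number only; the entry itself is untrusted text
            echo "queue line $lineno rejected" >&2
            rejected=$((rejected + 1))
        fi
    done < "$queue"
    echo "cleaned=$cleaned rejected=$rejected"
}
```

Restricting names to one domain suffix also limits the damage if the submission page's authentication is bypassed, since only certificates for workstation names in that domain can be cleaned.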