As I understand it, if the client has a new set of certs, when the client talks to the server the server will reject the client since the certs on the client don't match what the server signed. The answer when the client has a new set of certs is to run a puppetca --clean <certName> on the server (as root). This is why you need something on the server.
As an aside, I'm happy to help you with your Mac script issue. Contact me directly. Send me yoru script and how you are running it. Ideally you are using a run at load launchd job. the more I think about it, the more I am convinced that using the Mac's serial number is the least worst option for cert name. There is still the issue of the machine being reimaged that would require the cert to be cleaned on the server, but using the serial number would allow the host name to change and not screw up the store config DB. --- Thanks, Allan Marcus 505-667-5666 On Jul 8, 2009, at 2:18 PM, Kurt Engle wrote: > So are you wanting the cert cleaning and creation to happen > everytime a client contacts the puppetmaster? > > What I am looking for is a script that will run on a newly imaged > client that run at bootup before the puppetd process is started. > That script would delete any cert on the puppetmaster and then the > script would delete itself on the client. The issue that I am having > is with clients that have been using puppet but are then 're- > imaged'. Once a device is running puppet, it works fine unless it is > re-imaged. > > This seems like a more elegant solution in my environment than > trying to do this on the puppet server side of things. Besides, > doesn't the client need to us its cert to talk to the server in the > first place? If that cert is 'bad' then how would it talk to the > puppetmaster server and have the server delete its bad key? > > Now, anybody have any good resources for writing startup scripts on > a Mac client? I seem to be having problems getting a script that > runs fine on the command line to work at startup. > > -kurt > > On Fri, Jul 3, 2009 at 6:12 AM, Gary Larizza <glari...@mac.com> wrote: > > I love where this thread is going, I too share in this problem. > > Kurt: Puppet is still being run on the client because the client is > using a cached config (am I right on this guys?). > > I love the scripted ssh key, but ALSO love the PHP script that could > be CURL-ed from the client. Will a PHP script be able to capture the > hostname of a connecting client? From there, the php script could > call puppetca to clean the cert and create a new one...would this be > cleaner than bundling a cert with your base-image? Unfortunately, I'm > not that versed in PHP to hash a script out from scratch. Does anyone > have a rough outline that we could steal? > > -Gary > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
