These servers only exist in RAM, so when they shut down, all data is lost. Julien also said that there's over a hundred of them. If you are manually signing every time they reboot, you probably won't be diligent enough to catch an impostor that can use the PXE server. At that point, you might as well just put the cert in the PXE image. I don't like my solution, but I think it's better than manual signing unless you have persistent storage on the puppet clients.
Ah, I missed the dynamic part. I agree, manually signing hundreds of servers would be annoying. Unless you scripted it and had it email you when it signed a cert... at least you'd have some sort of trail. If you get an email at 2 AM in the morning that a new server cert was signed... well, that may not be a good thing :)