We've been tracking Bug 3360: https://projects.puppetlabs.com/issues/3360
which controls what the puppetmaster does when it receives a new CSR for a host that already exists. Like you and OP, we have little to no use for the security aspects of Puppet's CA design, and build in a completely trusted environment. I *think* when 3360 goes live, most of our CA issues will be resolved. It may not be a perfect match for the "re-signing" thing the OP is describing here, or your particular situation, but it's worth paying attention to.

D

On Apr 13, 2011, at 2:39 PM, Jake - USPS wrote:

> I also am looking to do something like this. So besides it being a
> bad idea, is there a way to do it?
>
> Thanks,
> Jake
>
> On Mar 11, 3:38 am, Patrick <[email protected]esslingen.de> wrote:
>> On 8 Mar., 14:54, Disconnect <[email protected]> wrote:
>>
>>> Alternately, running the puppetca clean before starting the new client will
>>> result in the standard unsigned behavior.
>>
>> Maybe, but it would be nice to save this extra effort. In our case,
>> we do not want the security features of puppet.
>>
>>> (I do think it's pretty broken that trying once with the wrong cert poisons
>>> the client - if it is an attack, they can just wipe the client cert again,
>>> and if it isn't - eg in your case - then it breaks..)
>>
>> We know, but we are using build servers in a trusted network.. The
>> buildservers are often reinstalled and we do not want to manage the
>> certificates.
