There is a config option I just started looking at:

 allow_duplicate_certs
       Whether to allow a new certificate request  to  overwrite  an  existing
       certificate.

but it seems from
http://comments.gmane.org/gmane.comp.sysutils.puppet.bugs/21676 that
this only works when manually creating certs not in the use case
you're looking for.

The possibly more correct thing would be to save the certificates when
reinstalling, or possibly have your installer install the correct certs
for each system; this would prevent clients from impersonating each
other.

Another option I'm looking at is using a generic certificate on all
these systems and setting "certname" in puppet.conf so they are all
"ephemeralhost" or some such.

I'm looking for a similar solution for ephemeral virtual systems in a
private cloud (I can also have name space collisions so different
active systems that think they are foo.cloud possibly doing very
different things).  So if anyone has better suggestions I'm very
interested in hearing them.

Having used CFengine for more than a decade, my advice is run from it.
It was good in its day but doesn't provide the necessary level of
abstraction; it beats a pile of shell scripts, but only just.  Puppet
and Chef are both good options depending mostly on personal preference
IMO.  I haven't given "Juju" (the Ubuntu way) a proper look; if you have
a 100% Ubuntu environment it may be worth a look.

-Jon

On Wed, Aug 15, 2012 at 8:53 AM, jerome <jerome.steunenb...@gmail.com> wrote:
> Hello,
>
> I'm new to Puppet and evaluating it against Cfengine and Chef for the 
> management of multiple thousands of Ubuntu desktops.
> The desktops can be reinstalled at any time by technical site operators and 
> they may or may not change the computer name.
> This happens fairly often and if the name stays the same, I get:
>
> err: Could not request certificate: The certificate retrieved from the master 
> does not match the agent's private key
>
> because the desktop's SSL certificate changes when the desktop is rebuilt.
> To solve this problem I need to go on the server and do a:
>
> puppet cert clean <fqdn of client>
>
> But this is not practical in an environment where many computers can be 
> reinstalled at any time.
> Is there a solution to this ? Can the agent tell the master to clean the key 
> for its hostname ?
>
> I do not have this issue with cfengine, because the identifier is simply the 
> MD5 of the certificate, not the hostname. I just need to cleanup the list of 
> unused certificates on the server side every once in a while.
>
> Thanks,
>
> Jerome
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To view this discussion on the web visit 
> https://groups.google.com/d/msg/puppet-users/-/H5apxlHZdxoJ.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
>

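The mitigation Jon suggests (have the installer put the host's own saved cert and key back before the agent runs) as an added example, not code from the thread or from Puppet; it assumes the Puppet 2.7/3.x ssldir layout, openssl on PATH, and a backup tree of the form BACKUP_DIR/<certname>/<certname>.pem and .key. It also checks that the restored pair actually belongs together, which is the exact mismatch behind the "does not match the agent's private key" error Jerome quotes.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet: restore a host's saved
# agent cert/key at reinstall time, refusing a pair that does not belong
# together or that was issued for a different certname.
# Assumptions: Puppet 2.7/3.x layout (ssldir /var/lib/puppet/ssl), openssl on
# PATH, backups kept as $BACKUP_DIR/<certname>/<certname>.pem and .key.

# Returns 0 when the certificate's public key equals the private key's public
# key (both compared as PEM SubjectPublicKeyInfo), 1 otherwise.
pubkey_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copies the saved pair into the agent's ssldir with the permissions Puppet
# expects.  Verifies the pair matches and that the cert's CN is this certname,
# so a backup from another host is never installed by mistake.
restore_puppet_ssl() {
    certname="$1" backup_dir="$2" ssldir="${3:-/var/lib/puppet/ssl}"
    src_cert="$backup_dir/$certname/$certname.pem"
    src_key="$backup_dir/$certname/$certname.key"
    if [ ! -f "$src_cert" ] || [ ! -f "$src_key" ]; then
        echo "no saved cert/key for $certname" >&2; return 2
    fi
    if ! pubkey_matches "$src_cert" "$src_key"; then
        echo "saved cert and key for $certname do not match" >&2; return 1
    fi
    subj=$(openssl x509 -in "$src_cert" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$certname"*) ;;
        *) echo "$subj is not a certificate for $certname" >&2; return 1 ;;
    esac
    install -d -m 0771 "$ssldir/certs" "$ssldir/private_keys"
    install -m 0644 "$src_cert" "$ssldir/certs/$certname.pem"
    install -m 0600 "$src_key"  "$ssldir/private_keys/$certname.pem"
}

# Usage from a post-install hook, before the first agent run:
#   restore_puppet_ssl "$(hostname -f)" /srv/puppet-ssl-backup
```

A host with no saved pair (new name, or never enrolled) gets exit status 2, so the hook can fall back to a normal first-run certificate request instead of failing.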