Just realized Stuart provided the same answer in an earlier post. Sorry for the 
duplicate suggestion :).

Steve



Steve Nielsen  VP, Open Source Engineering  | comScore, Inc.(NASDAQ:SCOR)
o +1 (312) 775-6473 | f +1 (312) 775-6495 | mailto:sniel...@comscore.com

-----Original Message-----
From: Nielsen, Steve
Sent: Wednesday, September 12, 2012 3:29 PM
To: puppet-users@googlegroups.com
Subject: RE: [Puppet Users] RHEL Kickstart and Puppet certificates

If the hostname stays the same for the rebuild then another possibility is to 
back up the puppet cert directory in the %pre of kickstart and then copy it back 
into place in the %post.

We do this and it provides seamless rebuilds.

Thanks,
Steve

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On 
Behalf Of Matthew Burgess
Sent: Wednesday, September 12, 2012 7:38 AM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] RHEL Kickstart and Puppet certificates

On Wed, Sep 12, 2012 at 10:51 AM, Ano nym <tuz1...@gmail.com> wrote:
> Hello everybody,
>
> we're using Red Hat Kickstarts for some systems. On every new
> kickstart we've to delete the client certificate first on the master.
>
> Is there a best practice to renew the certificate or delete it
> remotely on the master?

If you're rebuilding a machine, I'd suggest that you also want to remove any 
reports, facts and anything else that puppet knows about your old host.

Given that, I can't see any other possibility than changing your provisioning 
process to have a 'puppet node clean' step *before* re-provisioning your host.

Additionally, I'd give serious consideration to trying to automate the 
regeneration of client certs.  If someone else comes in to your network, they 
could give their device the same hostname as an existing puppet-managed host, 
then via this envisioned automated process, would kick your existing host off, 
and connect themselves (this assumes you have auto-signing configured).

Regards,

Matt.

--
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
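
An added example, not written by anyone in the thread: Steve's %pre/%post approach as two shell helpers that only carry the agent identity over when the hostname is unchanged. Assumed here: the agent ssldir is /var/lib/puppet/ssl, the old root filesystem has been mounted read-only in %pre, the stash sits in the installer's /tmp, and %post runs with --nochroot so the new system is at /mnt/sysimage.

```shell
#!/bin/sh
# Helpers for kickstart %pre and %post --nochroot (added example).
# Assumption: the Puppet agent ssldir lives here, relative to the system root.
SSL_REL="var/lib/puppet/ssl"

# %pre: stash_puppet_ssl <old_root> <stash.tar> <hostname>
# old_root is where the existing root filesystem was mounted (read-only).
stash_puppet_ssl() {
    old_root=$1; stash=$2; host=$3
    src="$old_root/$SSL_REL"
    # Keep the identity only if key and cert exist for this exact hostname;
    # otherwise the rebuilt host must request a fresh cert.
    [ -f "$src/private_keys/$host.pem" ] || return 1
    [ -f "$src/certs/$host.pem" ] || return 1
    # umask 077 so the archive holding the private key is not world-readable.
    ( umask 077; tar -cpf "$stash" -C "$old_root" "$SSL_REL" )
}

# %post --nochroot: restore_puppet_ssl <stash.tar> <new_root> <hostname>
# new_root is /mnt/sysimage under Anaconda.
restore_puppet_ssl() {
    stash=$1; new_root=$2; host=$3
    [ -f "$stash" ] || return 1
    # Refuse archives with absolute or parent-relative member names.
    if tar -tf "$stash" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    tar -xpf "$stash" -C "$new_root" || return 1
    key="$new_root/$SSL_REL/private_keys/$host.pem"
    [ -f "$key" ] || return 1
    # Tighten the key regardless of what mode the old system had.
    chmod 600 "$key"
}

# Usage inside the kickstart file (paths are the assumptions listed above):
#   %pre:               stash_puppet_ssl /mnt/oldroot /tmp/puppet-ssl.tar "$HOST"
#   %post --nochroot:   restore_puppet_ssl /tmp/puppet-ssl.tar /mnt/sysimage "$HOST"
```

Because the old key and certificate are reused, nothing is re-signed on the master, so this path does not depend on auto-signing.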
