As Steven said, it is normal for a puppet-master not to allow a re-imaged 
machine until the certificate is re-generated. I will point out that depending 
on your environment, it may be a security risk to any client to 
authenticate against the puppet-master. 

For my environment, I explicitly disable autosign and manually sign most 
machines (I may re-enable it once I move Puppet into a cluster that allows me to 
explicitly allow/disallow access at a layer 4 level). It takes some work, but I 
am not building hundreds of machines a day (yet). Even then, you can mass sign 
the machines with:

puppet cert sign --all

That said, you can pre-sign the certs with:

puppet cert --generate client.fqdn

and then integrate as part of your build process. That way, if you need to 
rebuild the machines, you can just use the same cert without having to re-sign 
the client again.

- Rilindo

On Oct 3, 2012, at 11:18 AM, RedJinnee <redjin...@gmail.com> wrote:

> Hi, 
> I have upgraded my puppet master to 2.7 with autosign enabled. It works 
> great; the only issue I have is that when I re-image any client machine (blow 
> away the /var/lib/puppet folder) and try to run puppet again, it fails to 
> authenticate. 
> The solution will be to (revoke + clean) the certificate of the client from 
> the puppetmaster, then remove /var/lib/puppet from the client and re-run puppetd 
> on the client. 
> 
> Is this normal behaviour for puppet 2.7? Or should the client look up if 
> the master has an old certificate and just use it, rather than asking for a new 
> one?
> 
> Any insight will be helpful.
> 
> /etc/puppet$ cat autosign.conf 
> *.localdomain.local
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To view this discussion on the web visit 
> https://groups.google.com/d/msg/puppet-users/-/81blhmqfeSsJ.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
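
Added example, not part of the original messages: a POSIX shell check that lists autosign.conf entries and flags wildcard ones such as the *.localdomain.local line quoted above, so they can be reviewed before autosign is left enabled. The file format handling (one entry per line, "#" comment lines ignored) and the host name build01.example.test are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): review autosign.conf entries.
# Assumed file format: one certname or "*.domain" glob per line,
# blank lines and lines starting with "#" are ignored.

# classify_entry ENTRY -> prints "skip", "wildcard" or "exact"
classify_entry() {
    case "$1" in
        ''|'#'*) echo skip ;;       # blank line or comment
        '*'*)    echo wildcard ;;   # glob: signs every matching certname
        *)       echo exact ;;      # a single named host
    esac
}

# audit_autosign < FILE
# Prints one line per entry; returns 1 if any wildcard entry is present.
audit_autosign() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading and trailing whitespace before classifying.
        entry=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $(classify_entry "$entry") in
            wildcard) printf 'WARN %s\n' "$entry"; rc=1 ;;
            exact)    printf 'OK   %s\n' "$entry" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the wildcard from the thread plus one hypothetical host.
sample_autosign() {
    cat <<'EOF'
# constructed sample
*.localdomain.local
build01.example.test
EOF
}

# Demo run on the constructed sample; a non-zero status means "needs review".
sample_autosign | audit_autosign || true
```

Against a real master the function reads the file on standard input, for example: audit_autosign < /etc/puppet/autosign.conf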
