I use a different scheme for doing this in our environment. When I reimage
physical hardware I use an unattended Kickstart script that does the
following:
* Saves an private key to /tmp/puppetkey via a here document (allows me to
embed it into the script and SSH wants it as a file)
* Uses SSH with '-i /tmp/puppetkey' to connect to the puppetmaster. The
command passed is the FQDN of the system to be reinstalled.
* On the Puppetmaster, I set up an authorized_keys entry for that key that
prepends command="/opt/puppetlabs/bin/puppet node clean
$SSH_ORIGINAL_COMMAND". This restricts SSH to only running that command
for connections involving that key. It will pass the command argument (the
FQDN) along as $SSH_ORIGINAL_COMMAND.
Now, this all assumes that you're not on a public network and thus are
comfortable using services such as SSH in this fashion. I haven't tried
the curl method. My only concern is whether or not curl exists in
installation images. SSH almost always does.
Hope this helps someone.
Jeffrey.
On Tue, Jul 14, 2020 at 6:22 PM Randy Zagar <jrza...@gmail.com> wrote:
> Did you ever get this to work? I used a similar method in an engineering
> lab where systems regularly got re-imaged and, hence, needed to be able to
> revoke and clean their own cert on the puppet-ca
>
> On Thursday, August 17, 2017 at 12:23:10 PM UTC, Jason McMahan wrote:
>>
>> Good morning,
>> We installed a puppet agent on our citrix mgmt servers.
>> The problem became that the way it is done a golden image is used,
>> server_dev. Once sealed that spins off multiple other servers for stage and
>> prod environments.
>>
>> We want to know about the servers, ensure they are in configuration and
>> not drifting between rebuilds and keep reports for a history on them.
>>
>> The idea was to once they are done stop the service (not disable), delete
>> the ssl directory, then revoke and delete the cert on the puppetca.
>>
>>
>> Has anyone else attempt to revoke and delete cert remotely from the
>> puppetca?
>>
>> We are attempting a curl command like
>> curl -X DELETE --tlsv1 --cacert
>> /etc/puppetlabs/puppet/ssl/certs/ca.pem --cert
>> /etc/puppetlabs/puppet/ssl/certs/server.pem --key
>> /etc/puppetlabs/puppet/ssl/private_keys/server.pem -H "Accept:
>> application/json" -H "Content-Type: application/json" -d
>> '{"desired_state":"revoked"}'
>> https://puppetcat:8140/puppet-ca/v1/certificate_status/server?environment=production
>>
>> But everytime we get forbidden 403 whether running curl command from
>> remote server or even the puppetca itself.
>> Attemped to add ip to
>> /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf as well as
>> /etc/puppetlabs/puppetserver/conf.d/ca.conf but still same error.
>>
>>
>> Any help or suggestions would be greatly appreciated.
>> Thank you
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/8c9be388-990e-4d02-a376-b1d1dca394c9o%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/8c9be388-990e-4d02-a376-b1d1dca394c9o%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAMvPdm1wssY81SCjB4CxuueVyZ00bY4ZgLyTrkyZyTohQcxYag%40mail.gmail.com.
