Thanks for the suggestions. Wouldn't I achieve the same outcome by using a single cert for all machines, without the need for special scripts to delete certs from the server and delete files from the client? Also, with respect to autosign... would I really be able to turn it off using the SSH method below? Doesn't the client still have to ask the server for a cert after it has been re-imaged? With a single cert, it seems that the client would already have a cert that I have distributed with the image and therefore would not have to ask for a cert, and autosign could be turned off.
-kurt

On Tue, Jun 30, 2009 at 4:47 PM, Nigel Kersten <nig...@google.com> wrote:
>
> On Tue, Jun 30, 2009 at 4:32 PM, Michael Semcheski <mhsemche...@gmail.com> wrote:
> >
> > On Tue, Jun 30, 2009 at 6:36 PM, Kurt Engle <kurt.en...@gmail.com> wrote:
> >> Our imaging process takes an OS base image with a few apps that include
> >> Puppet and Facter and installs it on the Mac. This is over the network. When
> >> the Mac reboots it sets the hostname of the computer to the Mac's serial
> >> number and auto starts puppet. I do have my puppetmaster (CA) set to
> >> autosign certs, eliminating my intervention. This process is working well.
> >
> > What if you add an ssh key to the base OS image, and a script to be
> > run that contacts the puppet server using the ssh key, and clears any
> > cert that may exist for that client. (It could also add the newly
> > created cert..) You can set the ssh server to recognize that when
> > that key (from the base image) is used, the only command that may be
> > run is /usr/sbin/puppetca.
> >
> > That way, when the machine is reimaged, after its first boot it takes
> > care of the certification issue. Then, once puppet is running on the
> > machine, you could have it remove the ssh key and the startup script.
>
> I like this idea. You could even turn off autosign then.
>
> --
> Nigel Kersten
> nig...@google.com
> System Administrator
> Google, Inc.
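Michael's forced-command idea, as an added example that is not from the thread: a wrapper that the puppetmaster's authorized_keys entry forces the base-image key to run, accepting only a `clean <certname>` request whose name matches the serial-number hostname the image sets, so the shared re-imaging key cannot reach any other puppetca subcommand or host. The script path, the authorized_keys options, the certname pattern and the PUPPETCA override are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the re-imaging key (added example, not from the
# thread). Assumed authorized_keys entry on the puppetmaster, one line:
#   no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding,command="/usr/local/sbin/puppet-clean-cert" ssh-rsa AAAA... reimage-key
# sshd then runs this script regardless of what the client typed; the client's
# request ("clean C02ABC123XYZ") arrives only via SSH_ORIGINAL_COMMAND.
# PUPPETCA can be overridden so the validation logic runs without Puppet.

PUPPETCA="${PUPPETCA:-/usr/sbin/puppetca}"

# Accept only "clean <certname>" where certname looks like the serial-number
# hostname the image assigns: 8 to 16 letters and digits (assumed pattern).
# Any other subcommand, extra word, or shell metacharacter is refused.
validate_request() {
    req="$1"
    case "$req" in
        clean\ *) name="${req#clean }" ;;
        *) return 1 ;;
    esac
    case "$name" in
        *[!A-Za-z0-9]*|"") return 1 ;;
    esac
    len=${#name}
    [ "$len" -ge 8 ] && [ "$len" -le 16 ] || return 1
    printf '%s\n' "$name"
}

# Clear the stale certificate for a validated name only; the raw request
# text is never handed to puppetca.
clean_cert() {
    name=$(validate_request "$1") || return 2
    "$PUPPETCA" --clean "$name"
}

# Entry point when invoked by sshd; skipped when no forced request is present.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    clean_cert "$SSH_ORIGINAL_COMMAND" \
        || { echo "refused: $SSH_ORIGINAL_COMMAND" >&2; exit 1; }
fi
```

Once Puppet is running on the freshly imaged Mac, the same run can remove the key and startup script from the client, as Michael suggests, leaving the server-side entry inert until the next re-image.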