On Wed, Jul 1, 2009 at 12:02 PM, Kurt Engle <kurt.en...@gmail.com> wrote:
> Wouldn't I achieve the same outcome with using a single cert for all
> machines without the need for special scripts to delete certs from the
> server and delete files from the client? Also, with respect to autosign...
> would I really be able to turn it off using the SSH method below?

The client creates a cert and then gives it to the server. You tell the server to authorize it or not. But that process doesn't necessarily require manual intervention. It is very scriptable. The ssh method I described would be able to do all of that, and it would probably be simpler to implement than you realize, assuming the freshly imaged machines could ssh to the puppetmaster. The script would be something like this...

    # FQDN of this freshly imaged machine
    HOSTNAME=`hostname -f`
    # remove any old cert for this hostname on the puppetmaster
    ssh puppetmaster "/usr/sbin/puppetca --clean $HOSTNAME"
    # submit a cert request; check for the signed cert every 90 seconds
    puppetd -w 90
    # sign the pending request for this hostname
    ssh puppetmaster "/usr/sbin/puppetca -s $HOSTNAME"

Then add a module that removes that script from the machine. In the example I gave above, I can't remember the specific options that puppetca requires, but I think it's close. Again, all you need to do is add the ssh key to the base image, and add it to the authorized_keys on the puppetmaster.
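
The reply above puts an ssh key in the base image and in authorized_keys on the puppetmaster. As an added example (not part of the original post), a forced-command gate for that key so it can only ask puppetca to clean or sign one hostname. The gate path, the `ALLOWED_DOMAIN` value and the function name are assumptions.

```shell
#!/bin/sh
# Forced-command gate for the imaging key (added example; path and domain are assumptions).
# authorized_keys entry on the puppetmaster, all on one line:
#   command="/usr/local/sbin/puppetca-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <key>
PUPPETCA=/usr/sbin/puppetca      # path used in the post
ALLOWED_DOMAIN=example.com       # assumed domain of the imaged machines

# Print the single puppetca command a request maps to, or return 1.
gate_command() {
    request=$1
    # Reject shell metacharacters: only letters, digits, '.', '/', ' ' and '-' may appear.
    leftover=$(printf '%s' "$request" | tr -d 'A-Za-z0-9./ -')
    [ -z "$leftover" ] || return 1
    set -f                       # no globbing while splitting into words
    set -- $request
    set +f
    [ $# -eq 3 ] || return 1     # exactly: binary, option, hostname
    [ "$1" = "$PUPPETCA" ] || return 1
    case $2 in
        --clean)   action=--clean ;;
        -s|--sign) action=--sign ;;
        *)         return 1 ;;
    esac
    host=$3
    case $host in
        -*|.*|*..*|*/*)      return 1 ;;  # no options, odd dots or paths as "hostname"
        *".$ALLOWED_DOMAIN") ;;           # must be inside the allowed domain
        *)                   return 1 ;;
    esac
    printf '%s %s %s\n' "$PUPPETCA" "$action" "$host"
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for when a forced command runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(gate_command "$SSH_ORIGINAL_COMMAND") || { echo "refused" >&2; exit 1; }
    logger -t puppetca-gate "from ${SSH_CLIENT%% *}: $cmd"
    exec $cmd                    # words were validated above, so splitting is safe
fi
```

Any holder of the image key can still clean and sign any name in the allowed domain, so the gate narrows what the key can do rather than authenticating individual machines.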