2010/7/10 Jesús M. Navarro <jesus.nava...@andago.com>

> Hi:
>
> On Saturday 10 July 2010 19:11:12 Patrick Mohr wrote:
> > On Jul 10, 2010, at 7:57 AM, Peter Meier wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On 07/10/2010 04:54 PM, Patrick Mohr wrote:
> > >> On Jul 9, 2010, at 11:58 PM, James Turnbull wrote:
> > >>> Certificates cleaned with puppetca (or puppet cert) are now also
> > >>> revoked.
> > >>
> > >> Is there some way to clean a cert (using puppet cert) without
> > >> revoking it?  Something like "puppet cert --clean hostname.domain
> > >> --no-revoke".
> > >
> > > afaik, not. But could be a feature request. On the other hand, what's
> > > the use case?
> >
> > This isn't my use case so I don't care, but since you ask...
> >
> > Suppose you have machines that:
> > *) Don't get any sensitive information through puppet.
> > *) Are re-imaged often using PXE+preseeding or PXE+kickstart
> > *) All the computers have names in the form of "lab-client-*.domainname"
> >
> > Someone said that in this case you can put "puppetca --clean
> > lab-client-*.domainname" as a cron job, and put "lab-client-*.domainname"
> > in autosign.conf.
> >
> > Again, I don't do this, so don't do it for me.
>
> I don't see that to be a use case in need of a "no-revoke" option.  Once
> you delete the old machine and re-image it with "PXE+preseeding or
> PXE+kickstart" it won't get the old certkey so it'll need to be resigned
> anyway: to all practical purposes it's a new machine, so no benefit on
> not revoking the old one.
>
>
But I was saying clean out all client certs and private keys (for clients in
this group) off the server once per hour.  Meaning you are running clean
while the client exists and has a valid cert/key combo.

I guess you would always do the same thing with two "rm" statements in the
cron job instead.
