On Jan 18, 2011, at 6:08 AM, Derek Tracy wrote:

> I think that is the workflow I am going to use, before I kick off the rebuild
> run
>
> puppetca --clean <fqdn>
>
> and keep the <fqdn> in the autosign.conf so when it rebuilds and kicks off
> the puppet service the ca just autosigns the cert. It would be nice to be
> able to set a special key/password that the puppet daemon could send that
> would tell the ca to revoke previous keys and autosign a new key for that
> host.
We create the puppet certs and keys on the server using generate, and copy them out in a similar way. Here's a script that, when run as root on the client, will copy keys and certs created using generate to the client. Please read all comments before running this script.

    #!/bin/sh
    #Get the hostname that will be on the cert (lowercased to match the CA's naming)
    export dest_name=`facter fqdn | tr '[:upper:]' '[:lower:]'`
    #If run on the server, abort because this was an accident.
    #Note that "imba" is part of the server's fqdn
    echo $dest_name | grep imba && exit 1
    #Don't let puppet mess with what we're doing
    service puppet stop
    mkdir -p /root/.ssh
    #Sample lines to remove the ssh key warnings. Replace with your own keys
    #These were truncated, expect yours to be much longer
    echo "|1|IFcJPOzu" >> /root/.ssh/known_hosts
    echo "|1|R+6Dna" >> /root/.ssh/known_hosts
    #Replace the hardcoded server name with your own.
    scp "simba.outer:/var/lib/puppet/ssl/ca/signed/"$dest_name".pem" "/var/lib/puppet/ssl/certs/"
    scp "simba.outer:/var/lib/puppet/ssl/certs/ca.pem" "/var/lib/puppet/ssl/certs/"
    scp "simba.outer:/var/lib/puppet/ssl/private_keys/"$dest_name".pem" "/var/lib/puppet/ssl/private_keys/"
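The "puppetca --clean <fqdn>, then leave <fqdn> in autosign.conf" rebuild step from the quoted message, written out as a small server-side helper. This is an added example, not a script from the thread: it assumes autosign.conf holds one hostname per line, that PUPPETCA names the puppetca binary (override it for a dry run), and that SERVER_FQDN is the CA host's own name; it also refuses wildcard entries, since a "*" line in autosign.conf would have the CA sign any request.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed settings:
PUPPETCA="${PUPPETCA:-puppetca}"                     # binary to run --clean with
AUTOSIGN="${AUTOSIGN:-/etc/puppet/autosign.conf}"    # one exact fqdn per line
SERVER_FQDN="${SERVER_FQDN:-$(hostname -f 2>/dev/null)}"

# Lowercase the name (puppetca stores certs lowercased) and accept only
# letters, digits, dots and hyphens. Wildcards are rejected on purpose.
normalize_fqdn() {
    n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$n" in
        ''|*'*'*|*..*|.*|*.) return 1 ;;
        *[!a-z0-9.-]*)       return 1 ;;
    esac
    printf '%s\n' "$n"
}

# Succeeds if the exact name is already listed in the autosign file.
autosign_has() {
    [ -r "$2" ] && grep -qxF "$1" "$2"
}

# Append the name once; refuse the CA's own name (the script above does the
# same with its "imba" check on the client side).
autosign_add() {
    n=$(normalize_fqdn "$1") || { echo "bad fqdn: $1" >&2; return 1; }
    [ "$n" = "$SERVER_FQDN" ] && { echo "refusing server name: $n" >&2; return 1; }
    autosign_has "$n" "$2" || printf '%s\n' "$n" >> "$2"
}

# The rebuild step: make sure the host will be autosigned, then clean the
# old cert so the rebuilt host's new request is not rejected as a duplicate.
prepare_rebuild() {
    autosign_add "$1" "$2" || return 1
    "$PUPPETCA" --clean "$(normalize_fqdn "$1")"
}
```

Run it as `prepare_rebuild web01.example.org "$AUTOSIGN"` on the CA host before kicking off the rebuild; with `PUPPETCA=echo` it only prints the puppetca command.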