I also am looking to do something like this. So besides it being a bad idea, is there a way to do it?
If not, I was wondering if there is a way to check the last time a client signed in to a puppet master. I know with puppet-dashboard you can view this type of information; is it easy to also check if a system checked in within the past hour from the command line on the system that is hosting the puppet-dashboard, thus the system with all the reports? This way, if UNIX SAs are to be forced to revoke a cert before building, I can perhaps create a script that at least checks when a system last checked in and issues warnings if it recently checked in. See, while you have valid arguments on why it's bad to just sign over a cert, I think it could also be bad to have regular admins revoke certs before a new build ... oops, we just revoked the wrong hostname and didn't notice ... now a system can't check in anymore until someone notices and then fixes it.

Thanks,
Jake

On Mar 11, 3:38 am, Patrick <[email protected] esslingen.de> wrote:
> On 8 Mar., 14:54, Disconnect <[email protected]> wrote:
>
> > Alternately, running the puppetca clean before starting the new client will
> > result in the standard unsigned behavior.
>
> Maybe, but it would be nice to save this extra effort. In our case,
> we do not want the security features of puppet.
>
> > (I do think it's pretty broken that trying once with the wrong cert poisons
> > the client - if it is an attack, they can just wipe the client cert again,
> > and if it isn't - eg in your case - then it breaks..)
>
> We know, but we are using build servers in a trusted network. The
> buildservers are often reinstalled and we do not want to manage the
> certificates.
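As an added example (not code from this thread or from Puppet itself), here is a small Ruby check of the kind Jake describes: it looks at the report files the master stores per host and warns when the host has checked in within the last hour, so a revoke script can refuse or prompt before cleaning the wrong cert. It assumes the master keeps one directory per hostname under the reports directory (default $vardir/reports) and relies on file mtimes rather than parsing the YAML; the sample reports are constructed in a temp dir so it runs offline.

```ruby
require 'fileutils'
require 'tmpdir'

# Assumed default location of the master's report files ($vardir/reports).
REPORTS_DIR = ENV.fetch('PUPPET_REPORTDIR', '/var/lib/puppet/reports')

# Time of the newest report file for +host+, or nil if it never reported.
# Uses file mtime, which is set when the master writes the report.
def last_checkin(host, reports_dir = REPORTS_DIR)
  files = Dir.glob(File.join(reports_dir, host, '*.yaml'))
  return nil if files.empty?
  files.map { |f| File.mtime(f) }.max
end

# true if the host produced a report within +window+ seconds of +now+.
def recently_checked_in?(host, reports_dir = REPORTS_DIR, window: 3600, now: Time.now)
  t = last_checkin(host, reports_dir)
  !t.nil? && (now - t) <= window
end

# Warning text for a revoke wrapper, or nil when it looks safe to proceed.
def revoke_warning(host, reports_dir = REPORTS_DIR, window: 3600, now: Time.now)
  return nil unless recently_checked_in?(host, reports_dir, window: window, now: now)
  age = (now - last_checkin(host, reports_dir)).to_i
  "WARNING: #{host} checked in #{age}s ago; revoking its cert may break a live node"
end

# Constructed sample data: two hosts, one fresh and one a day old.
def build_sample_reports(dir, now = Time.now)
  { 'web01.example' => now - 600, 'old01.example' => now - 86_400 }.each do |host, t|
    FileUtils.mkdir_p(File.join(dir, host))
    path = File.join(dir, host, t.strftime('%Y%m%d%H%M') + '.yaml')
    File.write(path, "--- !ruby/object:Puppet::Transaction::Report\nhost: #{host}\n")
    File.utime(t, t, path) # backdate mtime to the constructed check-in time
  end
  dir
end

if __FILE__ == $0
  dir = build_sample_reports(Dir.mktmpdir)
  %w[web01.example old01.example ghost.example].each do |h|
    puts(revoke_warning(h, dir) || "#{h}: no check-in in the last hour, ok to revoke")
  end
end
```

Point the wrapper at the real reports directory via PUPPET_REPORTDIR and call revoke_warning before running puppetca clean.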
