Hey Sean,

First - congrats on wrangling your Macs with Puppet! Next, I understand and have shared your pain regarding timely imaging of workstations and Puppet cert-wrangling. Generally, I've seen folks do one of a couple of things:

1. Autosign
2. Utilize a CGI script to sign/revoke certs on the master (which can largely be replaced through the use of the `puppet cert` face)
3. Use the same private key everywhere and change the individual node_name

Numbers 1 and 2 are largely process around signing individual certs for every node. You COULD even back up the $ssldir on your clients, image the machine, install Puppet, restore the $ssldir, and then run Puppet again, and Puppet will work fine for your clients.

Number 3 is a bit different. With #3, you would have the SAME private cert for EVERY node in your infrastructure. Because of this, the certname must be THE SAME for every node. When you do this, however, Puppet treats every node as if it were the SAME node - so you need a way to de-couple the name of the node as Puppet knows it from the name of the node as the certificate knows it. The solution is the 'node_name_fact' and 'node_name_value' configuration items in puppet.conf --> http://docs.puppetlabs.com/references/stable/configuration.html#nodenamefact

You would essentially ship the private cert around to EVERY node, set the node_name_{fact,value} in puppet.conf, and then Puppet would treat each machine as a separate node (even though the certificate is the same everywhere). Obviously there are security implications for this, but some people prefer it to Autosigning.

Hopefully, this should help you on your way.

On Wed, Apr 11, 2012 at 8:31 AM, Sean McGrath <seanc.mcgr...@gmail.com> wrote:
> Firstly my apologies for posting this if it has been answered
> elsewhere and I missed it while looking.
>
> I'm starting to look at using Puppet to manage our fleet of Macs
> running OS X in our lab environment and I'm quite impressed with it
> from my testing so far.
>
> I have tested the functionality of the autosign.conf file with the
> hostnames of the trusted clients in it.
>
> However, if I re-image one of the Macs, as we occasionally do, that
> destroys the client certificate that it uses for the puppetca request.
> Thus the puppet master sees a request with a different certificate
> from a node with a hostname that has had its trust relationship
> established with a different certificate.
>
> This is probably a noob question but I haven't been able to figure it
> out. How do I get around this in an automated manner? I don't want to
> have to revoke certificates each time I re-image a Mac so they can be
> re-trusted by the puppet master. Is there something like a root
> certificate I could build into the image to establish the trust
> relationship easily and securely each time a Mac is re-imaged?
>
> Many thanks
>
> Sean
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

--
Gary Larizza
Professional Services Engineer
Puppet Labs
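As an added illustration of option 3 above (this is not configuration from Gary's reply or from the Puppet docs; the server name, certname and the auth.conf rule are assumptions), here is what the shared-certificate setup looks like on the agent side and the master-side rule it needs, with the security trade-off spelled out in the comments:

```ini
# --- puppet.conf, baked into the lab Mac image (added example; names assumed) ---
# Every machine carries the same private key and the same signed certificate,
# so certname is identical everywhere. node_name_fact tells Puppet to identify
# the node by a fact (here, fqdn) instead of by the certificate name.
[main]
    server = puppet.lab.example.com

[agent]
    # Name of the one shared certificate the master has signed (assumed name).
    certname = shared-lab-mac
    # Identify each machine by its fqdn fact, not by the certificate.
    # node_name_fact and node_name_value are mutually exclusive; node_name_value
    # pins a single fixed name and is only useful for a one-off node.
    node_name_fact = fqdn

# --- auth.conf on the master (assumed rule, added for this example) ---
# The stock catalog rule only allows a client to fetch the catalog whose
# name equals its own certname ($1). With a shared cert the node name
# (lab-mac-01.lab.example.com) never matches the certname (shared-lab-mac),
# so the shared certname must be allowed explicitly:
#
#   path ~ ^/catalog/([^/]+)$
#   method find
#   allow $1
#   allow shared-lab-mac
#
# Trade-off to keep in view: once this rule exists, any holder of the shared
# key can request ANY node's catalog simply by reporting a different fqdn.
# The master can no longer authenticate which machine it is talking to, so
# per-node secrets in catalogs and fact-driven classification become
# trust-on-claim. Treat the shared key as a credential that unlocks every
# lab catalog, rotate it when a machine leaves the fleet, and keep it off
# of any image that is distributed outside the lab.
```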