Hey there, I've got fire in ma belly to get this solved, as I'm impatient to use Puppet's CA to bootstrap Simian, but due to this same sticking point the bootstrapping process is more ungainly than it should be. My point is, we customize things about each machine while naming and binding, so why can't cert distribution (preceded by generation if necessary) be part of that step in the process? Then it's a (debatably) more secure and simple process, in my opinion.
Pardon, I haven't looked into puppet cert yet (it allows me to generate certs for clients in advance based on supplied info/UUIDs/serial numbers, etc.?), and I also need to figure out how generic I can make the puppet install/config in the deployed image so only this cert needs to be a custom addition. My proposal is scripting DeployStudio to add a filedrop (or similar) workflow to seed the right cert on the imaged system. I'll report back as soon as I have a proof-of-concept.

Allister

On Apr 11, 11:31 am, Sean McGrath <[email protected]> wrote:
> Firstly, my apologies for posting this if it has been answered
> elsewhere and I missed it while looking.
>
> I'm starting to look at using Puppet to manage our fleet of Macs
> running OS X in our lab environment and I'm quite impressed with it
> from my testing so far.
>
> I have tested the functionality of the autosign.conf file with the
> hostnames of the trusted clients in it.
>
> However, if I re-image one of the Macs, as we occasionally do, that
> destroys the client certificate that it uses for the puppetca request.
> Thus the puppet master sees a request with a different certificate
> from a node with a hostname that has had its trust relationship
> established with a different certificate.
>
> This is probably a noob question but I haven't been able to figure it
> out. How do I get around this in an automated manner? I don't want to
> have to revoke certificates each time I re-image a Mac so they can be
> re-trusted by the puppet master. Is there something like a root
> certificate I could build into the image to establish the trust
> relationship easily and securely each time a Mac is re-imaged?
>
> many thanks
>
> Sean
