On Fri, Apr 27, 2012 at 2:22 PM, Allister Banks <a...@aru-b.com> wrote:

> Sorry to resurrect an old(er) thread, but:
> http://projects.puppetlabs.com/issues/3360#note-33
> leads me to believe none of those workarounds are necessary, just
> allow_duplicate_cert

Have you tried this out? I've personally never used the allow_duplicate_cert
feature, but if it's not working properly then reporting that in the bug is
totally the best way to go?

> However,
> https://gist.github.com/0c76fb5b28abfcb2f9d6
> That's a proof of concept that I started testing on the DeployStudio
> side, and will probably fire up some python (once conference
> extravaganza passes) to iterate over a csv of serial numbers and
> therefore generate a bunch of certs at once.

Commented on the gist - that should work as long as you generate the certs ON
the puppet master and use the certname of the node you're wanting to
provision.

> Allister
>
> On Apr 11, 12:32 pm, Gary Larizza <g...@puppetlabs.com> wrote:
> > Hey Sean,
> >
> > First - congrats on wrangling your Macs with Puppet! Next, I understand
> > and have shared your pain regarding timely imaging of workstations and
> > Puppet cert-wrangling. Generally, I've seen folks do one of a couple of
> > things:
> >
> > 1. Autosign
> > 2. Utilize a CGI script to sign/revoke certs on the master (which can
> >    largely be replaced through the use of the `puppet cert` face)
> > 3. Use the same private key everywhere and change the individual
> >    node_name
> >
> > Numbers 1 and 2 are largely process around signing individual certs for
> > every node. You COULD even backup the $ssldir on your clients, image the
> > machine, install puppet, restore the $ssldir, and then run Puppet again
> > and Puppet will work fine for your clients.
> >
> > Number 3 is a bit different. With #3, you would have the SAME private
> > cert for EVERY node in your infrastructure. Because of this, the certname
> > must be THE SAME for every node. When you do this, however, Puppet treats
> > every node as if it were the SAME node - so you need a way to de-couple
> > the name of the node as Puppet knows it with the name of the node as the
> > Certificate knows it. The solution is the 'node_name_fact' and
> > 'node_name_value' configuration items in puppet.conf -->
> > http://docs.puppetlabs.com/references/stable/configuration.html#noden...
> > You would essentially ship the private cert around to EVERY node, set
> > the node_name_{fact,value} in puppet.conf, and then Puppet would treat
> > each machine as a separate node (even though the certificate is the same
> > everywhere). Obviously there are security implications for this, but
> > some people prefer it to Autosigning.
> >
> > Hopefully, this should help you on your way.
> >
> > On Wed, Apr 11, 2012 at 8:31 AM, Sean McGrath <seanc.mcgr...@gmail.com> wrote:
> > > Firstly my apologies for posting this if it has been answered
> > > elsewhere and I missed it while looking.
> > >
> > > I'm starting to look at using Puppet to manage our fleet of Macs
> > > running OS X in our lab environment and I'm quite impressed with it
> > > from my testing so far.
> > >
> > > I have tested the functionality of the autosign.conf file with the
> > > hostnames of the trusted clients in it.
> > >
> > > However, if I re-image one of the Macs, as we occasionally do, that
> > > destroys the client certificate that it uses for the puppetca request.
> > > Thus the puppet master sees a request with a different certificate
> > > from a node with a hostname that has had its trust relationship
> > > established with a different certificate.
> > >
> > > This is probably a noob question but I haven't been able to figure it
> > > out. How do I get around this in an automated manner? I don't want to
> > > have to revoke certificates each time I re-image a Mac so they can be
> > > re-trusted by the puppet master. Is there something like a root
> > > certificate I could build into the image to establish the trust
> > > relationship easily and securely each time a Mac is re-imaged?
> > >
> > > many thanks
> > >
> > > Sean
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "Puppet Users" group.
> > > To post to this group, send email to puppet-users@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > puppet-users+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> > > http://groups.google.com/group/puppet-users?hl=en.
> >
> > --
> > Gary Larizza
> > Professional Services Engineer
> > Puppet Labs

--
Gary Larizza
Professional Services Engineer
Puppet Labs
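The two approaches that keep one certificate per node (Gary's "restore the $ssldir after imaging" and Allister's "generate a batch of certs on the master from a CSV of serial numbers") both come down to the same master-side step. The script below is an added example, not the thread's gist and not Puppet Labs code: it reads a CSV of serial numbers, derives a certname per machine, runs the Puppet 2.7-era `puppet cert generate NAME` on the master, and packages each node's key, certificate and CA certificate with a matching `[agent]` stanza so the imaging workflow can drop the bundle into the client's $ssldir. The certname pattern `mac-<serial>.<domain>`, the `$SSLDIR` default of /var/lib/puppet/ssl, and the CSV layout (serial in the first column, header line first) are all assumptions, not anything the thread specifies. Unlike option 3 (one shared private key, node_name_fact to tell nodes apart), this keeps per-node identity, so a key stolen from one lab machine lets an attacker impersonate only that node; the flip side is that the bundle directory now holds private keys and has to be protected as carefully as the master's own SSL directory.

```shell
#!/bin/sh
# Added example (not from the thread, the gist, or Puppet Labs): generate one
# signed agent certificate per machine on the puppet master, keyed by a CSV of
# hardware serial numbers, and bundle key + cert + CA cert for the imaging step.
#
# Assumptions (not stated in the thread): `puppet cert generate NAME` is run on
# the master (Puppet 2.7 `cert` face), certnames look like mac-<serial>.<domain>,
# the master's $ssldir is /var/lib/puppet/ssl, and the CSV has a header line
# with the serial number in the first column.

set -eu

SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
DOMAIN="${DOMAIN:-example.com}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the master-side commands instead of running them

# Certnames must be lowercase DNS-style labels; derive one from a serial number
# and reject anything that leaves no usable characters behind.
certname_for_serial() {
  serial=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9-')
  [ -n "$serial" ] || return 1
  printf 'mac-%s.%s\n' "$serial" "$DOMAIN"
}

# Generate (or, in dry-run mode, print the command to generate) a signed
# certificate for NAME in the master's CA.
generate_cert() {
  name="$1"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'puppet cert generate %s\n' "$name"
  else
    puppet cert generate "$name"
  fi
}

# Render the [agent] stanza that pins the node to the certificate it carries,
# so a re-imaged machine presents the same identity the master already trusts.
agent_conf_for() {
  printf '[agent]\n    certname = %s\n' "$1"
}

# Copy the node's private key, its signed cert and the CA cert into a per-node
# bundle directory laid out like $ssldir, ready for the imaging workflow
# (DeployStudio in the thread) to restore onto the client.
bundle_for() {
  name="$1"; out="$2"
  mkdir -p "$out/private_keys" "$out/certs"
  cp "$SSLDIR/private_keys/$name.pem" "$out/private_keys/"
  cp "$SSLDIR/certs/$name.pem" "$out/certs/"
  cp "$SSLDIR/certs/ca.pem" "$out/certs/ca.pem"
  chmod 600 "$out/private_keys/$name.pem"
  agent_conf_for "$name" > "$out/puppet.conf"
}

# Walk the CSV (header skipped), generating and bundling one cert per serial;
# malformed serials are reported on stderr and skipped rather than aborting
# the whole batch.
generate_from_csv() {
  csv="$1"; outdir="$2"
  tail -n +2 "$csv" | while IFS=, read -r serial _rest; do
    name=$(certname_for_serial "$serial") || { echo "skip bad serial: '$serial'" >&2; continue; }
    generate_cert "$name"
    [ "$DRY_RUN" = 1 ] || bundle_for "$name" "$outdir/$name"
  done
}

# Usage on the master:   ./gen-certs.sh serials.csv /srv/puppet-bundles
# Dry run anywhere:      DRY_RUN=1 ./gen-certs.sh serials.csv /tmp/unused
if [ "$#" -ge 2 ]; then
  generate_from_csv "$1" "$2"
fi
```

The generated bundle mirrors the client-side $ssldir layout (private_keys/NAME.pem, certs/NAME.pem, certs/ca.pem), which is exactly what Gary's "backup the $ssldir, image, restore" path relies on; the difference is that the key pair is born on the master, so a machine that has never checked in before can still be imaged with a trusted identity and no autosigning is needed.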