On Thu, Aug 16, 2012 at 10:42 AM, jerome <jerome.steunenb...@gmail.com> wrote:
> Hello,
>
> Thanks a lot for your input. Steve's solution is not possible in my
> environment because I do not have the previous client cert on
> reinstallation.
>
> Nan's solution seems to work fine in my context:
>
> On the server: /etc/puppet/autosign.conf:
> *.mydomain
>
> On the client: /etc/puppet/puppet.conf
> [agent]
> certname="mydesktop-201208160928.mydomain"
>
> # rm -rf /var/lib/puppet/ssl
> # puppet agent --test
>
> This is generated at install time of course.
> The cert is automatically signed.
> It works fine if you just change the certname again and relaunch the agent.
>
> The nice side-effect is that I can have a cleanup script on the server
> that does a puppet cert clean for all mydesktop-*.mydomain except the most
> recent one.

If you are interested, you could also use foreman, which would deploy your systems and automatically clean up the certs for you.

Ohad

> Thanks,
>
> Jerome
>
>
> On Wednesday, August 15, 2012 2:53:59 PM UTC+2, jerome wrote:
>>
>> Hello,
>>
>> I'm new to Puppet and evaluating it against Cfengine and Chef for the
>> management of multiple thousands of Ubuntu desktops.
>> The desktops can be reinstalled at any time by technical site operators
>> and they may or may not change the computer name.
>> This happens fairly often and if the name stays the same, I get:
>>
>> err: Could not request certificate: The certificate retrieved from the
>> master does not match the agent's private key
>>
>> because the desktop's SSL certificate changes when the desktop is rebuilt.
>> To solve this problem I need to go on the server and do a:
>>
>> puppet cert clean <fqdn of client>
>>
>> But this is not practical in an environment where many computers can be
>> reinstalled at any time.
>> Is there a solution to this? Can the agent tell the master to clean the
>> key for its hostname?
>>
>> I do not have this issue with cfengine, because the identifier is simply
>> the MD5 of the certificate, not the hostname. I just need to clean up the
>> list of unused certificates on the server side every once in a while.
>>
>> Thanks,
>>
>> Jerome
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/d_BB73QJ0J0J.
>
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
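Jerome's cleanup idea (keep only the most recent timestamped cert per desktop and `puppet cert clean` the rest), written out as an added shell example that is not code from the thread. It assumes certnames follow the `<host>-<YYYYmmddHHMM>.<domain>` pattern from Jerome's `certname` setting, and that `puppet cert list --all` prints one cert per line with the name as the first token after an optional status sign and optional double quotes.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes certnames follow the
# pattern Jerome uses, <host>-<YYYYmmddHHMM>.<domain>, e.g.
# mydesktop-201208160928.mydomain. Certnames without a timestamp are left alone.

# Read certnames (one per line) on stdin and print every certname except the
# newest one per <host>.<domain>, i.e. the ones to "puppet cert clean".
# Step 1 (sed): rewrite each line to "<host>.<domain> <timestamp> <certname>".
# Step 2 (sort): group by host, newest timestamp first within each group.
# Step 3 (awk): the first line of each group is the newest cert; print the rest.
stale_certs() {
    sed -n 's/^\([A-Za-z0-9-]*\)-\([0-9]\{12\}\)\.\([A-Za-z0-9.-]*\)$/\1.\3 \2 \1-\2.\3/p' |
        sort -k1,1 -k2,2r |
        awk 'prev == $1 { print $3 } { prev = $1 }'
}

# Extract bare certnames from "puppet cert list --all" output. Assumption: each
# line is "<status> <name> ...", where status is "+", "-" or blank and the name
# may be wrapped in double quotes.
cert_names_from_list() {
    sed -n 's/^[+ -]*"\{0,1\}\([^" ]*\)"\{0,1\}.*$/\1/p' | grep '\.'
}

# Clean the stale certs on the master. Dry run (prints the commands) unless the
# first argument is "run".
clean_stale_certs() {
    mode=${1:-dry-run}
    puppet cert list --all | cert_names_from_list | stale_certs |
        while read -r name; do
            if [ "$mode" = run ]; then
                puppet cert clean "$name"
            else
                echo "puppet cert clean $name"
            fi
        done
}

# Constructed sample certnames (not real master output) to show what is picked.
SAMPLE_CERTS='mydesktop-201208160928.mydomain
mydesktop-201208010900.mydomain
lab-pc-201207010800.mydomain
lab-pc-201208150800.mydomain
puppetmaster.mydomain'

printf '%s\n' "$SAMPLE_CERTS" | stale_certs
```

Run `clean_stale_certs` first in its dry-run form and check the list before passing `run`. Note that the `*.mydomain` autosign entry signs any request whose certname matches the pattern, so the master will issue a cert to any host that can reach it and claim such a name; keep the pattern as narrow as the naming scheme allows and review the signed list as part of the cleanup.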