Hi,
to re-iterate the point: Doing this is a Very Bad Idea in terms of security.
If you don't care at all, the script would look like the following. PHP
pseudocode example, choose your poison at will, of course.
<?php
system('sudo puppet cert clean ' . $_GET['node']);
You can invoke it e.g. using
wget -O/dev/null https://your.master.fqdn/blast_cert?node=`puppet agent --configprint certname`
to remove the certificate of the machine that is calling.
But again - please consider creating a secure channel from whatever
infrastructural component that is responsible for the re-provisioning,
so that the old certificates can be removed in a safe fashion.
HTH,
Felix
On 12/09/2014 11:54 PM, heeyoung kim wrote:
> Hello
>
> I am curious how to re-sign certificates on the puppet master after agents
> rebuild the OS.
>
> I found a good article as follows.
> https://groups.google.com/forum/#!topic/puppet-users/vTLcGA87buo
>
> However, the site below, posterous.com, has closed.
>
> /"OK, just had to post this! I found a solution to my issues that may
> help others.
>
> http://glarizza.posterous.com/managing-puppet-ssl-certificates
>
> Basically a CGI script located on your CA Server. You can pass the
> hostname/certname that you want to clean via http to the script and
> have it clean it off the CA Server. More details in the link above.
> This is working great for me and I'll be using it until similar
> functionality is included by default in puppet."/
>
> Does anyone know how to make the script?
> I am new to Linux, Puppet and scripting, so I would appreciate any
> solution, idea and advice!!
>
> Thanks,
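Added example, not part of the thread above: a Python sketch of the server-side checks that the one-line PHP script lacks, written in Python because the reply leaves the language open. The HMAC token scheme, the demo key, the certname pattern and all function names are assumptions made for this illustration; only the `sudo puppet cert clean` command comes from the post.

```python
import hashlib
import hmac
import re
import subprocess
import time

# Assumption: certnames are lowercase DNS-style names. Requiring an
# alphanumeric first character also rejects option-like input ("--all").
CERTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9._-]{0,251}[a-z0-9])?")

# Constructed demo key. In practice: a secret shared only with the
# provisioning system and read from a root-only file.
PROVISIONER_KEY = b"constructed-demo-key"


def sign_request(node, expires, key=PROVISIONER_KEY):
    """Token the provisioning system attaches to a clean request."""
    msg = "{}|{}".format(node, int(expires)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_clean_command(node, expires, token, now=None, key=PROVISIONER_KEY):
    """Return the argv for cleaning `node`; raise if the request is bad."""
    if not isinstance(node, str) or not CERTNAME_RE.fullmatch(node):
        raise ValueError("invalid certname")
    expected = sign_request(node, expires, key)
    # Constant-time comparison; bytes on both sides so odd input cannot
    # make compare_digest raise TypeError.
    if not hmac.compare_digest(expected.encode(), str(token).encode()):
        raise PermissionError("request not authorised by provisioner")
    if int(expires) < (time.time() if now is None else now):
        raise PermissionError("request expired")
    # argv list, no shell: the name reaches puppet as one literal argument.
    return ["sudo", "puppet", "cert", "clean", node]


def clean_cert(node, expires, token):
    """Run the clean command without a shell and return its exit status."""
    argv = build_clean_command(node, expires, token)
    return subprocess.run(argv, shell=False, check=False).returncode
```

The expiry bounds how long a captured token stays usable; it does not prevent replay inside that window.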