Hi:

On Saturday 10 July 2010 19:11:12 Patrick Mohr wrote:
> On Jul 10, 2010, at 7:57 AM, Peter Meier wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 07/10/2010 04:54 PM, Patrick Mohr wrote:
> >> On Jul 9, 2010, at 11:58 PM, James Turnbull wrote:
> >>> Certificates cleaned with puppetca (or puppet cert) are now also
> >>> revoked.
> >>
> >> Is there some way to clean a cert (using puppet cert) without
> >> revoking it? Something like "puppet cert --clean hostname.domain
> >> --no-revoke".
> >
> > afaik, not. But could be a feature request. On the other hand, what's
> > the use case?
>
> This isn't my usecase so I don't care, but since you ask...
>
> Suppose you have machines that:
> *) Don't get any sensitive information through puppet.
> *) Are re-imaged often using PXE+preseeding or PXE+kickstart
> *) All the computers have names in the form of "lab-client-*.domainname"
>
> Someone said that in this case you can put "puppetca --clean
> lab-client-*.domainname" as a cron job, and put "lab-client-*.domainname"
> in autosign.conf.
>
> Again, I don't do this, so don't do it for me.

I don't see that to be a use case in need of a "no-revoke" option. Once you
delete the old machine and re-image it with "PXE+preseeding or PXE+kickstart"
it won't get the old certkey so it'll need to be re-signed anyway: to all
practical purposes it's a new machine, so no benefit in not revoking the old
one.

Cheers