On Apr 14, 2011, at 11:57 AM, Jake - USPS wrote:

> Thanks Matt.  Just for clarification on why I'm trying to do this.  We
> often rebuild systems in our environment.  Things are
> 'decommissioned', hostname 'released' and new system built with
> previously used hostname for new purposes.  This means currently (as I
> understand it) part of our decom process would need to include
> revoking a cert for a system.  I'm trying to avoid this step as less
> work is always better, we have a lot of systems we manage so this
> isn't something that would be done infrequently and I'm also afraid of
> admins as part of a decom process would by accident revoke a cert for
> the wrong system.
> 
> So I was hoping with this that I would be able to decom a system,
> rebuild it and with the allow_duplicate_certs just automatically use
> a new cert for that hostname.  By removing the ssl dir on an agent
> system I'm assuming this would be a valid test to simulate a decom/
> rebuild/reregister puppet without all that hassle.
> 
> Thanks for opening the additional bugs on this.  One thing I'm
> wondering is if I'm missing something that maybe people already do to
> deal with my type of situation.

This is a problem for us too.  To fix it, we don't use the normal puppet key 
signing process.  Instead, keys are created on the puppetmaster and sent to the 
clients when the clients finish installing.  Workstation keys for computers 
that aren't sensitive are sent automatically.  The keys for sensitive computers 
(servers) are copied by hand by a system admin.  The second happens so little, 
that it's fine for us.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
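The workflow in the reply above (the puppetmaster generates the agent's key and certificate and the bundle is handed to the host when it finishes installing) written out as a script. This is an added example, not code from the thread or from Puppet itself. It assumes a Puppet 2.x-era master where `puppet cert generate`, `puppet cert clean` and `puppet master --configprint ssldir` exist, that it runs as the CA user, and that `/var/tmp/NAME-ssl.tar` is an arbitrary output location. It also covers the decom/rebuild case from the question: when the master already holds a certificate for that hostname, the script cleans (revokes and removes) it before generating a new one, so a wiped host reusing the name gets a fresh identity and the old certificate stops validating. The `valid_hostname` check is there because the name ends up as both a command argument and a filename.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): pre-generate an agent
# certificate on the puppetmaster for a freshly (re)built host and bundle it
# for delivery at install time. Assumes a Puppet 2.x master, `puppet cert`
# and `openssl` on PATH, and that this runs as the CA user.
set -u

# The hostname is passed to commands and used as a filename, so accept only
# RFC 1123-style characters and reject leading/trailing dots or dashes.
valid_hostname() {
    case "$1" in
        ''|*[!a-zA-Z0-9.-]*|-*|*.|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the master's SSLDIR already holds a signed cert for NAME.
cert_exists() {
    [ -f "$1/certs/$2.pem" ]
}

# Revoke any previous cert for NAME (a decommissioned host that used the same
# name), generate a fresh key+cert on the master, sanity-check the result and
# write a tarball for the new host. Caveat: the tarball contains the agent's
# private key, so move it over an authenticated channel and delete it after.
rebuild_cert() {
    name=$1
    valid_hostname "$name" || { echo "bad hostname: $name" >&2; return 2; }
    ssldir=$(puppet master --configprint ssldir) || return 1

    if cert_exists "$ssldir" "$name"; then
        echo "revoking stale certificate for $name" >&2
        puppet cert clean "$name" || return 1
    fi
    puppet cert generate "$name" || return 1

    # The new cert must chain to this master's CA and carry the host's name.
    openssl verify -CAfile "$ssldir/certs/ca.pem" "$ssldir/certs/$name.pem" \
        >/dev/null || { echo "cert for $name does not verify" >&2; return 1; }
    openssl x509 -noout -subject -nameopt RFC2253 -in "$ssldir/certs/$name.pem" \
        | grep -qF "CN=$name" || { echo "cert CN is not $name" >&2; return 1; }

    out=/var/tmp/$name-ssl.tar        # arbitrary location, assumption
    tar -C "$ssldir" -cf "$out" \
        "certs/ca.pem" "certs/$name.pem" "private_keys/$name.pem" || return 1
    chmod 600 "$out"
    echo "$out"
}

# On the new host, after the tarball has been copied there:
#   tar -C "$(puppet agent --configprint ssldir)" -xf NAME-ssl.tar
#   puppet agent --test
[ "$#" -eq 0 ] || rebuild_cert "$1"
```

Usage on the master: `sh rebuild-cert.sh web01.example.com` prints the tarball path; an install hook then copies it to the host (automatically for workstations, by hand for servers, as in the reply). Because every certificate is minted centrally, there is no agent-side CSR to sign and no `allow_duplicate_certs` involved; the one operational rule is that whoever rebuilds a host runs this for that name, which is also what revokes the old identity.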