Sorry to resurrect an old(er) thread, but:
http://projects.puppetlabs.com/issues/3360#note-33
leads me to believe none of those workarounds are necessary, just
allow_duplicate_cert

However,
https://gist.github.com/0c76fb5b28abfcb2f9d6
That's a proof of concept that I started testing on the DeployStudio
side, and will probably fire up some python (once conference
extravaganza passes) to iterate over a csv of serial numbers and
therefore generate a bunch of certs at once.

Allister


On Apr 11, 12:32 pm, Gary Larizza <g...@puppetlabs.com> wrote:
> Hey Sean,
>
> First - congrats on wrangling your Macs with Puppet! Next, I understand and
> have shared your pain regarding timely imaging of workstations and Puppet
> cert-wrangling.  Generally, I've seen folks do one of a couple of things:
>
>    1. Autosign
>    2. Utilize a CGI script to sign/revoke certs on the master (which can
>    largely be replaced through the use of the `puppet cert` face)
>    3. Use the same private key everywhere and change the individual
>    node_name
>
> Numbers 1 and 2 are largely process around signing individual certs for
> every node.  You COULD even back up the $ssldir on your clients, image the
> machine, install puppet, restore the $ssldir, and then run Puppet again and
> Puppet will work fine for your clients.
>
> Number 3 is a bit different.  With #3, you would have the SAME private cert
> for EVERY node in your infrastructure.  Because of this, the certname must
> be THE SAME for every node.  When you do this, however, Puppet treats every
> node as if it were the SAME node - so you need a way to de-couple the name
> of the node as Puppet knows it from the name of the node as the Certificate
> knows it.  The solution is the 'node_name_fact' and 'node_name_value'
> configuration items in puppet.conf
> -->http://docs.puppetlabs.com/references/stable/configuration.html#noden...
> You would essentially ship the private cert around to EVERY node, set the
> node_name_{fact,value} in puppet.conf, and then Puppet would treat each
> machine as a separate node (even though the certificate is the same
> everywhere).  Obviously there are security implications for this, but some
> people prefer it to Autosigning.
>
> Hopefully, this should help you on your way.
>
> On Wed, Apr 11, 2012 at 8:31 AM, Sean McGrath <seanc.mcgr...@gmail.com> wrote:
>
> > Firstly my apologies for posting this if it has been answered
> > elsewhere and I missed it while looking.
>
> > I'm starting to look at using Puppet to manage our fleet of Macs
> > running OS X in our lab environment and I'm quite impressed with it
> > from my testing so far.
>
> > I have tested the functionality of the autosign.conf file with the
> > hostnames of the trusted clients in it.
>
> > However, if I re-image one of the Macs, as we occasionally do, that
> > destroys the client certificate that it uses for the puppetca request.
> > Thus the puppet master sees a request with a different certificate
> > from a node with a hostname that has had its trust relationship
> > established with a different certificate.
>
> > This is probably a noob question but I haven't been able to figure it
> > out. How do I get around this in an automated manner? I don't want to
> > have to revoke certificates each time I re-image a Mac so they can be
> > re-trusted by the puppet master. Is there something like a root
> > certificate I could build into the image to establish the trust
> > relationship easily and securely each time a Mac is re-imaged?
>
> > many thanks
>
> > Sean
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> --
>
> Gary Larizza
> Professional Services Engineer
> Puppet Labs

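To make Gary's approach 3 concrete, below is an added configuration example; it is not from the thread, the gist, or Puppet Labs. The certname "shared-mac" and the hostname "lab-mac-07" are assumed; the settings used (certname, node_name_fact, node_name_value, and auth.conf's path/method/allow rules) are standard Puppet settings. The auth.conf half is the part the reply does not spell out: the stock rules for catalog, node and report requests end with `allow $1`, which only matches when the name in the request URL equals the certificate name, so a shared certificate is denied until those rules name it explicitly.

```ini
# Added example, not from the thread. Approach 3 from Gary's reply: one
# private key/certificate shared by every Mac, with the node name supplied
# by a fact instead of the certificate. "shared-mac" is an assumed certname.

# --- /etc/puppet/puppet.conf on every agent (restored from the image) ---
[agent]
    certname       = shared-mac     # same key and cert on every node
    node_name_fact = hostname       # node identity comes from this fact, not the cert
    # Alternative: pin an explicit per-machine name instead of using a fact.
    # node_name_value = lab-mac-07    (mutually exclusive with node_name_fact)

# --- /etc/puppet/auth.conf on the master ---
# The stock rules for these paths end with "allow $1", i.e. the certificate
# name must equal the node name in the URL. With a shared certificate that
# never holds (cert = shared-mac, URL = /catalog/lab-mac-07), so the rules
# must allow the shared certname explicitly. Allowing only "shared-mac"
# (rather than "*") still keeps every other certificate holder out.
path ~ ^/catalog/([^/]+)$
method find
allow shared-mac

path ~ ^/node/([^/]+)$
method find
allow shared-mac

path ~ ^/report/([^/]+)$
method save
allow shared-mac
```

The trade-off Gary flags is visible right in these rules: anyone holding the shared key can fetch any node's catalog just by setting node_name_value to that node's name, so the key has to be treated as a fleet-wide credential baked into the image. Approaches 1 and 2, or backing up and restoring each machine's own $ssldir across a re-image, keep one key per node and avoid that.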