Hello,

Thanks a lot for your input. Steve's solution is not possible in my 
environment because I do not have the previous client cert on 
reinstallation.

Nan's solution seems to work fine in my context:

On the server: /etc/puppet/autosign.conf:
*.mydomain

On the client: /etc/puppet/puppet.conf
[agent]
certname="mydesktop-201208160928.mydomain"

# rm -rf /var/lib/puppet/ssl
# puppet agent --test

This is generated at install time of course.
The cert is automatically signed.
It works fine if you just change the certname again and relaunch the agent.

The nice side-effect is that I can have a cleanup script on the server that 
does a puppet cert clean for all mydesktop-*.mydomain except the most 
recent one.

Thanks,

Jerome


On Wednesday, August 15, 2012 2:53:59 PM UTC+2, jerome wrote:
>
> Hello,
>
> I'm new to Puppet and evaluating it against Cfengine and Chef for the 
> management of multiple thousands of Ubuntu desktops.
> The desktops can be reinstalled at any time by technical site operators 
> and they may or may not change the computer name.
> This happens fairly often and if the name stays the same, I get:
>
> err: Could not request certificate: The certificate retrieved from the 
> master does not match the agent's private key
>
> because the desktop's SSL certificate changes when the desktop is rebuilt.
> To solve this problem I need to go on the server and do a:
>
> puppet cert clean <fqdn of client>
>
> But this is not practical in an environment where many computers can be 
> reinstalled at any time.
> Is there a solution to this? Can the agent tell the master to clean the 
> key for its hostname?
>
> I do not have this issue with cfengine, because the identifier is simply 
> the MD5 of the certificate, not the hostname. I just need to clean up the 
> list of unused certificates on the server side every once in a while.
>
> Thanks,
>
> Jerome
>
>

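The cleanup script mentioned in the reply above could look like this; it is an added example, not code from the thread, and it generalizes from one desktop to every host whose certname follows the `<host>-<YYYYMMDDHHMM>.<domain>` layout shown in the post. The function names, the `APPLY` switch and the sample certnames are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): prune superseded per-install certnames.
# Assumed certname layout, taken from the post: <host>-<YYYYMMDDHHMM>.<domain>

# stale_certs DOMAIN: read certnames on stdin, print every name that is not
# the newest one for its host. Names that do not fit the layout are ignored,
# so hand-named certificates (servers, the master itself) are never listed.
stale_certs() {
    # Stage 1 emits "host stamp certname"; stage 2 orders newest first per
    # host (fixed-width stamps sort chronologically); stage 3 drops the first.
    awk -v d="$1" '
    {
        suffix = "." d
        n = length($0) - length(suffix)
        if (n < 14 || substr($0, n + 1) != suffix) next
        stem = substr($0, 1, n)
        ts = substr(stem, n - 11)
        if (ts !~ /^[0-9]+$/ || substr(stem, n - 12, 1) != "-") next
        print substr(stem, 1, n - 13), ts, $0
    }' |
    LC_ALL=C sort -k1,1 -k2,2r |
    awk '$1 == prev { print $3 } { prev = $1 }'
}

# clean_stale DOMAIN: dry run unless APPLY=1 is set in the environment.
clean_stale() {
    stale_certs "$1" | while read -r name; do
        if [ "${APPLY:-0}" = 1 ]; then
            puppet cert clean "$name"
        else
            echo "would clean: $name"
        fi
    done
}

# Constructed sample input, one certname per line.
sample_names() {
    cat <<'EOF'
mydesktop-201208160928.mydomain
mydesktop-201208150800.mydomain
lab-pc-201206010101.mydomain
server1.mydomain
mydesktop-201207010000.mydomain
kiosk-201208160000.otherdomain
lab-pc-201208010101.mydomain
EOF
}

sample_names | clean_stale mydomain
```

On the master, feed it the signed certnames from `puppet cert list --all`; the output format differs between Puppet versions, so that extraction step is left out here. Note that `*.mydomain` in autosign.conf signs any request whose certname matches, so this cleanup limits stale certificates but does not restrict who can enroll.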