If the hostname stays the same for the rebuild then another possibility is to backup the puppet cert directory in the %pre of kickstart and then copy back into place in the %post.
We do this and it provides seamless rebuilds. Thanks, Steve Steve Nielsen VP, Open Source Engineering | comScore, Inc.(NASDAQ:SCOR) o +1 (312) 775-6473 | f +1 (312) 775-6495 | mailto:[email protected] ..................................................................................................... Introducing Mobile Metrix 2.0 - The next generation of mobile behavioral measurement www.comscore.com/MobileMetrix -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Matthew Burgess Sent: Wednesday, September 12, 2012 7:38 AM To: [email protected] Subject: Re: [Puppet Users] RHEL Kickstart and Puppet certificates On Wed, Sep 12, 2012 at 10:51 AM, Ano nym <[email protected]> wrote: > Hello everybody, > > we´re using Red Hat Kickstarts for some systems. On every new > kickstart we´ve to delete the client certificate first on the master. > > Ist there a best practise to renew the certificate or delete it > remotely on the master? If you're rebuilding a machine, I'd suggest that you also want to remove any reports, facts and anything else that puppet knows about your old host. Given that, I can't see any other possibility than changing your provisioning process to have a 'puppet node clean' step *before* re-provisioning your host. Additionally, I'd give serious consideration to trying to automate the regeneration of client certs. If someone else comes in to your network, they could give their device the same hostname as an existing puppet-managed host, then via this envisioned automated process, would kick your existing host off, and connect themselves (this assumes you have auto-signing configured). Regards, Matt. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
