On Tue, 2007-02-20 at 13:59 -0700, Jeffrey Law wrote:
> That no longer works, particularly when instantiating a disk-full
> client.  What appears to work for me is to create an RPM which
> installs the puppet master's certificate and include that RPM in
> the install set for all clients.
> 
> The obvious downside is the server is going to have to have an RPM repo
> so that clients can pick up the puppet master certificate.  Relatively 
> minor.
> 
> What's more interesting are the security aspects.  

I assume you are going the RPM route to make sure the server cert isn't
tampered with in transit; though it seems that both when the cert is
installed with an RPM and when the client downloads it itself on the
initial run, you have the exact same security issues: ultimately,
somebody can intercept that download and substitute their own server
cert.

David




_______________________________________________
Stateless-list mailing list
[email protected]
http://www.redhat.com/mailman/listinfo/stateless-list
