Hello everybody,

we're using Red Hat Kickstarts for some systems. On every new kickstart we have to delete the client certificate first on the master.

Is there a best practice to renew the certificate or delete it remotely on the master?

kind regards,

Ano

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/6U_6f-jW734J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Wed, Sep 12, 2012 at 12:51 PM, Ano nym <tuz1986@gmail.com> wrote:
> Is there a best practice to renew the certificate or delete it remotely
> on the master?

if you use something like Foreman [1] it can do it automatically for you.

Ohad

[1] http://theforeman.org
usually people have to follow company guidelines ... changing the deployment process maybe is not the answer Ano is looking for

BTW: we have the same issue ...

On Wednesday, 12 September 2012 12:11:34 UTC+2, ohad wrote:
> if you use something like Foreman [1] it can do it automatically for you.
>
> Ohad
>
> [1] http://theforeman.org
Matthew Burgess
2012-Sep-12 12:38 UTC
Re: [Puppet Users] RHEL Kickstart and Puppet certificates
On Wed, Sep 12, 2012 at 10:51 AM, Ano nym <tuz1986@gmail.com> wrote:
> Is there a best practice to renew the certificate or delete it remotely on
> the master?

If you're rebuilding a machine, I'd suggest that you also want to remove any reports, facts and anything else that puppet knows about your old host. Given that, I can't see any other possibility than changing your provisioning process to have a 'puppet node clean' step *before* re-provisioning your host.

Additionally, I'd give serious consideration to trying to automate the regeneration of client certs. If someone else comes in to your network, they could give their device the same hostname as an existing puppet-managed host, then via this envisioned automated process, would kick your existing host off, and connect themselves (this assumes you have auto-signing configured).

Regards,

Matt.
Stuart Sears
2012-Sep-12 13:36 UTC
Re: [Puppet Users] RHEL Kickstart and Puppet certificates
On 12/09/12 10:51, Ano nym wrote:
> Is there a best practice to renew the certificate or delete it remotely
> on the master?

alternatively, you could backup the certs and keys from the client in kickstart %pre and put them back afterwards.

Assuming the client will have the same name and puppet setup after kickstart and you don't care about old reports, facts etc...

Stuart

--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
Nielsen, Steve
2012-Sep-12 20:28 UTC
RE: [Puppet Users] RHEL Kickstart and Puppet certificates
If the hostname stays the same for the rebuild then another possibility is to backup the puppet cert directory in the %pre of kickstart and then copy back into place in the %post. We do this and it provides seamless rebuilds.

Thanks,
Steve

Steve Nielsen
VP, Open Source Engineering | comScore, Inc. (NASDAQ:SCOR)
o +1 (312) 775-6473 | f +1 (312) 775-6495 | mailto:SNielsen@comscore.com

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Matthew Burgess
Sent: Wednesday, September 12, 2012 7:38 AM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] RHEL Kickstart and Puppet certificates

> Given that, I can't see any other possibility than changing your provisioning process to have a 'puppet node clean' step *before* re-provisioning your host.
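The %pre/%post backup-and-restore that Stuart and Steve describe, as an added example that is not code from the thread: two shell functions for the kickstart file, plus a check that the saved certificate's CN really is the host being rebuilt, so a stale or mis-copied certificate is never put back. It assumes (none of this is stated in the thread) that the old root filesystem is mounted at /mnt/oldroot during %pre, that the agent's SSL directory is /var/lib/puppet/ssl, and that the backup under the installer's /tmp is still reachable from %post.

```bash
#!/bin/bash
# Added example, not from the thread: keep a Puppet agent's signed cert and
# key across a kickstart rebuild so the master needs no certificate cleanup.
# Assumed paths: old root mounted at $OLD_ROOT in %pre, agent SSL dir at
# var/lib/puppet/ssl, backup kept under the installer's /tmp for %post.
set -eu

OLD_ROOT="${OLD_ROOT:-/mnt/oldroot}"
SSL_SUBDIR="var/lib/puppet/ssl"
BACKUP="${BACKUP:-/tmp/puppet-ssl-backup}"

# %pre: copy the agent's private key and signed cert out of the old root.
backup_puppet_ssl() {        # usage: backup_puppet_ssl <old_root> <backup_dir>
    local src="$1/$SSL_SUBDIR" dst="$2"
    [ -d "$src" ] || { echo "no puppet ssl dir under $1" >&2; return 1; }
    rm -rf "$dst"
    mkdir -p "$dst"
    # -a keeps the 0600 mode on private keys; they must not become readable.
    cp -a "$src/." "$dst/"
}

# Only trust the saved cert if its CN is the host we are rebuilding; a cert
# for another name would let this box check in as that other node.
cert_matches_host() {       # usage: cert_matches_host <backup_dir> <certname>
    local cert="$1/certs/$2.pem"
    [ -f "$cert" ] || return 1
    command -v openssl >/dev/null || return 0   # installer without openssl: skip
    openssl x509 -noout -subject -in "$cert" | grep -q "CN *= *$2\$"
}

# %post: put the directory back into the freshly installed root.
restore_puppet_ssl() {      # usage: restore_puppet_ssl <backup_dir> <new_root> <certname>
    local src="$1" dst="$2/$SSL_SUBDIR" name="$3"
    cert_matches_host "$src" "$name" || { echo "cert/host mismatch, not restoring" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    rm -rf "$dst"
    cp -a "$src" "$dst"
    # Re-assert restrictive modes in case the backup location relaxed them.
    chmod 700 "$dst/private_keys" 2>/dev/null || true
    chmod 600 "$dst/private_keys"/*.pem 2>/dev/null || true
}

# Typical use inside the kickstart file (hypothetical device name):
#   %pre  : mount -o ro /dev/vg0/root "$OLD_ROOT"; backup_puppet_ssl "$OLD_ROOT" "$BACKUP"
#   %post : restore_puppet_ssl "$BACKUP" /mnt/sysimage "$(hostname -f)"
```

The restore refuses to run when the CN does not match, which is the case Matthew warns about: a host that comes back under a name it never held should have to go through signing again rather than inherit someone else's identity.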
Nielsen, Steve
2012-Sep-12 20:29 UTC
RE: [Puppet Users] RHEL Kickstart and Puppet certificates
Just realized Stuart provided the same answer in an earlier post. Sorry for the duplicate suggestion :).

Steve
James A. Peltier
2012-Sep-13 05:31 UTC
Re: [Puppet Users] RHEL Kickstart and Puppet certificates
----- Original Message -----
| Is there a best practice to renew the certificate or delete it
| remotely on the master?

We manually sign the certificates and place them in a secure location that can be downloaded as part of the post configuration of the host. We have automation to commission/decommission hosts which generates or removes the certificate server side.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
Michael Stahnke
2012-Sep-13 05:33 UTC
Re: [Puppet Users] RHEL Kickstart and Puppet certificates
I used to just institute policy that hostnames could not be re-used. It had a few benefits beyond puppet, like application people not hard-coding hostnames and using cnames as the maker intended.

Mike
Thank you everybody! :-) There are many ways to solve the problem.
Nielsen, Steve
2012-Sep-13 13:58 UTC
RE: [Puppet Users] RHEL Kickstart and Puppet certificates
Mike -

Just curious, what do you mean by "using cnames as the maker intended"? Are you suggesting a CNAME per hostname mapping?

Thanks,
Steve
David Schmitt
2012-Sep-14 07:08 UTC
Re: [Puppet Users] RHEL Kickstart and Puppet certificates
I interpreted that as using hostnames as hardware names and cnames as service names, pointing to the h/w the service is running on.

D.

On 13.09.2012 15:58, Nielsen, Steve wrote:
> Just curious, what do you mean by "using cnames as the maker intended"? Are you suggesting a CNAME per hostname mapping?