search for: wiredgeek

Is there a way to force the puppetmaster to resign certificates for existing certificates when a new CSR for the same hostname arrives? When we reinstall freshly formatted clients with puppet (with the same hostname) the puppet client complains: err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it

I''m working on a system for auto-resigning certificates for our clients and Iv''e basically got it working .. but I notice that Puppet uses an inventory file and a serial # file that seem to be differently formatted than the openssl toolkit uses? The serial number file that puppet generates has a 4 digit number starting with 0000... but openssl tracks its serial numbers in a hex

I''m looking for a bit of best-practices here. Our puppet environment up-until-today has been owned and operated by IT Operations only. We''ve had a single ''production'' environment and our code has been managed in a local GitHub::FI install. We have ~14,000 lines of code in our PP files. We''re trying to make two changes to our environment... that may need