
Sometimes we have to kickstart a machine multiple times before everything is alright. It becomes quite of a hassle to manually remove the SSL certificate on the Puppetmaster first, especially since not everybody has SSH access to the Puppetmaster.

How can I prevent problems with certificates? We use autosign and servers are kickstarted fine, except when we have to kickstart the same server again. That would require us to manually remove the certificate on the Puppetmaster first.

ujjain

1 Answer

Use cobbler to kickstart your machines. It is just a thin layer on top of the usual DHCP+TFTP+PXE+kickstart workflow, with extra functionalities, one of them being the ability to bootstrap puppet on kickstarted machines.

Specifically, the configuration regarding puppet is this:

# if enabled, this setting ensures that puppet is installed during
# machine provision, a client certificate is generated and a
# certificate signing request is made with the puppet master server
puppet_auto_setup: 0

# when puppet starts on a system after installation it needs to have
# its certificate signed by the puppet master server. Enabling the
# following feature will ensure that the puppet server signs the
# certificate after installation if the puppet master server is
# running on the same machine as cobbler. This requires
# puppet_auto_setup above to be enabled
sign_puppet_certs_automatically: 0

# location of the puppet executable, used for revoking certificates
puppetca_path: "/usr/bin/puppet"

# when a puppet managed machine is reinstalled it is necessary to
# remove the puppet certificate from the puppet master server before a
# new certificate is signed (see above). Enabling the following
# feature will ensure that the certificate for the machine to be
# installed is removed from the puppet master server if the puppet
# master server is running on the same machine as cobbler. This
# requires puppet_auto_setup above to be enabled
remove_old_puppet_certs_automatically: 0

# choose a --server argument when running puppetd/puppet agent during kickstart
#puppet_server: 'puppet'

# let cobbler know that you're using a newer version of puppet
# choose version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'
#puppet_version: 2

# choose whether to enable puppet parameterized classes or not.
# puppet versions prior to 2.6.5 do not support parameters
#puppet_parameterized_classes: 1

You are interested in the remove_old_puppet_certs_automatically parameter.

dawud
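For sites that kickstart without cobbler, the same effect as remove_old_puppet_certs_automatically can be had with a small hook run on the Puppet master before the node is re-kickstarted. This is an added example, not code from the answer or from cobbler; PUPPETCA_PATH and PUPPET_VERSION are assumed variable names mirroring the cobbler settings above, and the puppet 2.x branch assumes the path points at puppetca rather than puppet.

```shell
#!/bin/sh
# Added example, not cobbler's own code: pre-install hook for the Puppet
# master that mirrors remove_old_puppet_certs_automatically. PUPPETCA_PATH
# and PUPPET_VERSION are assumed names taken from the cobbler settings.
PUPPETCA_PATH="${PUPPETCA_PATH:-/usr/bin/puppet}"  # puppet 2.x: path to puppetca
PUPPET_VERSION="${PUPPET_VERSION:-3}"

# Accept only a plausible FQDN, so a hostname handed over by the provisioning
# system cannot inject options or extra arguments into the privileged CA call.
valid_certname() {
    case "$1" in
        ""|-*|.*|*.|*..*|*[!a-zA-Z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Print the revocation command for the configured puppet generation.
clean_cmd() {
    if [ "$PUPPET_VERSION" -ge 3 ]; then
        printf '%s cert clean %s\n' "$PUPPETCA_PATH" "$1"
    else
        printf '%s --clean %s\n' "$PUPPETCA_PATH" "$1"
    fi
}

# True if the master holds a signed or pending certificate for the name.
has_cert() {
    if [ "$PUPPET_VERSION" -ge 3 ]; then
        "$PUPPETCA_PATH" cert list --all
    else
        "$PUPPETCA_PATH" --list --all
    fi 2>/dev/null | grep -F -q -- "\"$1\""
}

# Idempotent cleanup: refuse bad names, skip when no cert exists, otherwise
# revoke and delete the old cert so the re-kickstarted node can autosign.
remove_old_cert() {
    if ! valid_certname "$1"; then
        echo "refusing suspicious certname: $1" >&2; return 2
    fi
    if ! has_cert "$1"; then
        echo "no certificate for $1 on this master; nothing to do"; return 0
    fi
    echo "running: $(clean_cmd "$1")"
    if [ "$PUPPET_VERSION" -ge 3 ]; then
        "$PUPPETCA_PATH" cert clean "$1"
    else
        "$PUPPETCA_PATH" --clean "$1"
    fi
}
```

Source the file on the master and call `remove_old_cert web01.example.com` (or wire it into whatever triggers the re-kickstart) so the stale certificate is gone before the node's new CSR arrives.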