: __handel__ && puppetd -t --environment=production
- : ::client:: && apt-get update &&
- apt-get install --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses &&
+ : ::client:: && me=$(hostname -f) && [ "$me" != "${me%debian.org}" ] && apt-get update &&
+ apt-get install --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release &&
/etc/init.d/puppet stop &&
- puppetd -w 5 -t
+ (puppetd -t || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: && echo &&
+ sha256sum $me.pem &&
+ echo && echo && cd /
This will not overwrite anything yet, since handel has not signed the
client cert. Now is the time to abort if you are getting cold feet.
Compare incoming csr request:
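Review bot: the suffix test on the new `me=$(hostname -f)` line, `[ "$me" != "${me%debian.org}" ]`, omits the dot, so any host name that merely ends in the string `debian.org` passes; `${me%.debian.org}` checks the intended domain. On the next line, `(puppetd -t || true)` is there because the run is expected to fail while the CSR is unsigned, but it also hides a failure to reach the master at all, in which case no request file is written and the operator only sees `sha256sum` complaining about a missing `$me.pem`; a guard such as `[ -r "$me.pem" ] || { echo "no certificate request was generated"; exit 1; }` before the hash line makes that failure explicit. When the chain aborts on the host-name test, nothing is printed either, so an error message there would help whoever runs this on a mis-configured host.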
-on handel:
-
- : __handel__ && echo -n 'Client name: ' && read client &&
- sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
-on new client:
-
- : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem
-
-If you're satisfied, sign the request on handel with:
-
- : __handel__ && puppetca --sign $client.debian.org
-
-bootstrap client knowledge of puppet ca:
-on handel:
-
- : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+on handel, paste the sha256output::
+
+ : __handel__ && echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppetca --sign $(basename "$filename" .pem) &&
+ echo && echo && echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
- echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
- cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem &&
- echo 'EOF'
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ cd /
and execute this on the client.
Then run (this will change the configs in /etc):
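Review bot: the check line built by `echo -e "$sha256 $filename" | sha256sum -c` uses a single space and `-e`; `sha256sum` itself prints two spaces between digest and file name, and `-e` would interpret any backslash sequence in a pasted name, so `printf '%s  %s\n' "$sha256" "$filename" | sha256sum -c` reproduces the tool's own format exactly and does not rely on the looser parsing of some coreutils versions. `$filename` is also unquoted in `[ -e $filename ]`, `cat /var/lib/puppet/ssl/ca/signed/$filename` and the `cat >` line sent to the client, and nothing rejects a pasted value containing a `/`, so since this is the input that decides which request `puppetca --sign` acts on, a `case "$filename" in */*|*..*) echo "bad file name"; exit 1;; esac` after the `read` keeps the signing step confined to `ca/requests`. The `exit 1` inside `( [ -e $filename ] || (echo ...; exit 1) )` only leaves the inner subshell; the chain still stops because of `&&`, but a plain `{ ...; exit 1; }` states that intent more clearly.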
- : ::client:: && puppetd -w 5 --debug -t
+ : ::client:: && puppetd -t
This run will start puppet after reconfiguring it, so if you are
unhappy with what just happened, you'll need to stop it again to do
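Review bot: dropping `-w 5` from the final `puppetd -t` is consistent with the certificate now being signed before this step, but dropping `--debug` as well removes the output the operator would use to see what the run changed in /etc, which the surrounding text warns is the point of no return. Consider documenting a `puppetd -t --noop` pass first so the changes can be reviewed before the real run, or keeping `--debug` on this line.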