How to solve chicken or the egg issue with client TLS certificates on a physical host?

security ssl-certificate pxe-boot

We use the foreman's bootdisk plugin for this purpose. I do not imply it's the correct or unique way, it's what we use successfully.

Everytime a host needs to be (re)provisioned, a short lived token gets generated and it's kept on the database coupled to the host. This token goes into an iso file with the ipxe binary and a script that downloads the kicstart file from the provisioning host only if it offers the right token as identifier. Once the host is provisioned, the token gets deleted. After a specific (tunable, out of the top of my head defaults to 60 minutes) the token is invalidated.

This works with both bios as uefi firmware, and no need for pxe, just http(s) so you could really have internet deployments with few modifications (handy for deploying hardware on remote locations).

Related

Can't Open Ports Google Cloud VM Instance
Nginx redirect based on query string
Not prompted to input the root password when installing mariadb-server on Ubuntu 16.04 LTS
A grey square (overlay) in the middle of the screen, Ubuntu 16.04 Dell xps 13 9360 [closed]
How do I install asciiquarium?
Ubuntu 18.04 on login loop, even with correct password
How to find out location / path of current active desktop background image (Ubuntu 18.04, GNOME)?
What does the permission string lrwxrwxrwx mean?
Why the service --status-all is not listing this working service?
New icon for Google Drive locked on the dock after upgrade to Ubuntu 19.10
sudo modprobe v4l2loopback modprobe: ERROR: could not insert 'v4l2loopback': Bad address
Is there a way to check if a program is available in the repository by commandline?