policy-based autosigning not working [closed]

asked 2015-02-25 14:52:19 -0600


updated 2015-03-04 11:52:37 -0600

So I have my puppetmaster set up to (in theory) use policy-based autosigning in order to only allow a specific machine name format through (say loc-22.domain.example.com, in which "loc-" and ".domain.example.com" are constants, but the number is a variable with exactly 2 digits).

In my puppet.conf file, I set autosigning equal to the executable "/etc/puppet/certsign.sh" (within the [master] section). The certsign.sh file is located in /etc/puppet/ and is executable for all users.

Now, my issue is that puppet does not seem to even touch certsign.sh, which is apparent by the complete lack of log output from the file (one of the first things that I have it do is generate output to a log file). I can create a cron job that reads and parses the result of "puppet cert --list" and sign everything successfully, but when a new agent first tries to connect with the master, I can't get even a "hello" to print into the log file. Puppet just is not even touching the file. I have restarted the puppetserver service dozens of times but while autosign = true/false gets immediate results, this script is completely ignored.

Below is an example of the format that the file uses (with most of it removed; this is the simplest version of the file I have tried and it still failed):

```sh
#!/bin/sh

main_prg() {
    init "$@"
}

init() {
    # Log file the script appends to; the directory must exist and be
    # writable by the user the master runs as.
    log="/var/log/puppet-master-script/certsLogTest.log"

    # Puppet passes the requesting node's certname as the first argument
    # (the CSR itself arrives on stdin).
    certname="$1"

    echo "certname = ${certname}" >> "${log}"
    echo "Hello" >> "${log}"

    # A non-zero exit tells the master not to sign; this test script only
    # checks whether it gets invoked at all.
    exit 1
}

main_prg "$@"
```


Closed for the following reason: the question is answered, right answer was accepted by mckownam
Close date: 2015-03-17 10:07:32 -0600

2 Answers


answered 2015-03-03 05:04:00 -0600

Dumb questions first - you are running puppet >= 3.4? Without autosign you do get a cert request from the client - have you cleaned previous requests up that haven't been signed?

What does "puppet config print --section master autosign" print?

Cheers, Stuart


Comments

I am running puppet 3.7 on both and yes, the agent always sends a cert. I use "puppet cert clean [agentName]" to clean the cert on the master and "rm -rf /var/lib/puppet/ssl" to clean the cert on the agent. "puppet config print --section master autosign" results in "/etc/puppet/certsign.sh".

mckownam (2015-03-04 07:56:16 -0600)

answered 2015-03-17 09:38:27 -0600


updated 2015-03-17 10:08:40 -0600

The way to fix this was to write a script that ran "puppet cert list", parsed the agent names out of that, signed the ones that met the specified requirements using "puppet cert sign $certname", and, of course, logged the results. Puppet would then call this script every time a new cert arrived at the master.

This is entirely contrary to the documentation on autosigning by proxy (all examples point out that the script is just telling puppet whether or not the cert should be signed; the example scripts are not signing the certs), but this is the only way that I was able to get it to work.

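For comparison with the workaround above, here is a policy-based autosign script written to the documented contract the question was aiming for (added example; not code from the original post or from Puppet): the master runs it with the certname as the first argument and the CSR on stdin, and exit 0 means "sign", any other status means "leave pending". The log path, the CERTSIGN_LOG override and the function names are assumptions; the loc-NN.domain.example.com pattern is the one from the question.

```sh
#!/bin/sh
# Policy-based autosign script (constructed example).
# Invoked by the master as:  certsign.sh <certname>   with the CSR PEM on stdin.
# Exit 0 => sign the request; non-zero => do not sign.

# Assumed log location; override with CERTSIGN_LOG for local testing.
LOG="${CERTSIGN_LOG:-/var/log/puppet-master-script/certsign.log}"

# Append a timestamped line to the log. A logging failure must never turn
# into an accidental approval, so the decision is made separately.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG" 2>/dev/null || :
}

# Return 0 only when NAME is exactly loc-<two digits>.domain.example.com.
# A case pattern keeps this portable sh; '.' is literal in case globs and
# the pattern must match the whole string, so prefixes/suffixes are rejected.
valid_certname() {
    case "$1" in
        loc-[0-9][0-9].domain.example.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide for one request and log the outcome; returns 0 (sign) or 1 (deny)
# rather than exiting so it can be exercised on its own.
decide() {
    name="$1"
    if valid_certname "$name"; then
        log "ALLOW certname=$name"
        return 0
    fi
    log "DENY  certname=$name (does not match loc-NN.domain.example.com)"
    return 1
}

# Entry point when the master calls the script with a certname argument.
if [ -n "${1:-}" ]; then
    # Drain the CSR from stdin so the master never sees a broken pipe. It is
    # discarded here, but a production policy should inspect it (for example
    # for a pre-shared secret), because the certname alone is chosen by the
    # requesting client and a name pattern is not authentication.
    cat >/dev/null
    if decide "$1"; then exit 0; else exit 1; fi
fi
```

Run it as the master would (`printf 'csr' | ./certsign.sh loc-22.domain.example.com; echo $?`) to see the exit status the master acts on; the log records every decision, which is the audit trail the original script was trying to produce.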
