
autosign: replace an already existing certificate

asked 2015-09-23 12:59:31 -0500

gin

updated 2015-09-23 15:40:53 -0500

Hi,

is it possible to autosign a node even if such a cert (name) already exists on the puppet master? Most likely the already existing cert on the puppet master belongs to an already terminated instance and therefore is no longer in use. Quite often we need to recreate AWS instances and eventually the IPs start recurring.

I understand that this poses potential security risks.

Or, maybe it is possible to request puppet master to clear the certificate of the requesting node?

Thanks, Gin


Comments

You can use the REST API. This works in Puppet 3.x, but might be slightly different in 4.x. https://ask.puppetlabs.com/question/3347/revoke-and-delete-cert-via-the-rest-api/

ramindk ( 2015-09-23 15:53:23 -0500 )

1 Answer


answered 2015-09-23 13:36:10 -0500

syphrix

updated 2015-09-23 13:37:06 -0500

I believe you can do this with the Puppet API. I'm looking into it myself since I have a similar need. http://docs.puppetlabs.com/puppet/latest/reference/httpapi/httpcertificate_status.html#delete

Delete

DELETE /puppet-ca/v1/certificate_status/:hostname?environment=:environment
Accept: pson

Cause the certificate authority to discard all SSL information regarding a host (including any certificates, certificate requests, and keys). This does not revoke the certificate if one is present; if you wish to emulate the behavior of puppet cert --clean, you must PUT a desired_state of revoked before deleting the host’s SSL information.

If the deletion was successful, it returns a string listing the deleted classes like

"Deleted for myhost: Puppet::SSL::Certificate, Puppet::SSL::Key"

Otherwise it returns

"Nothing was deleted"

The rest of the API docs can be found at https://docs.puppetlabs.com/guides/re...


Comments

Thanks syphrix and ramindk! I've tried it and it works. Will try to incorporate this into a cloud-init script at some point in the future.

gin ( 2015-09-28 20:15:27 -0500 )
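The two-step sequence the answer describes (PUT desired_state=revoked, then DELETE, so the old serial lands on the CRL before the name is freed for re-signing), as an added example that is not part of the original post or of Puppet's own code. It assumes the Puppet 4 style /puppet-ca/v1 paths quoted above, a client certificate that the CA's auth.conf allows to reach certificate_status (for instance the master's own cert), and placeholder host and file paths.

```python
"""Revoke, then discard, a stale node's SSL state via the Puppet CA HTTP API.
Added example (not from the original post). Paths and hostnames are placeholders;
the client cert must be one the CA's auth.conf permits for certificate_status."""
import http.client
import json
import ssl
from urllib.parse import quote

CA_HOST, CA_PORT = "puppet.example.com", 8140                  # placeholder CA
CLIENT_CERT, CLIENT_KEY = "/path/to/client.pem", "/path/to/client.key"  # placeholders
CA_CERT = "/path/to/ca.pem"                                    # CA bundle used to verify the server


def clean_requests(hostname, environment="production"):
    """The two calls that emulate `puppet cert --clean`: revoke first (DELETE alone
    does not revoke, as the docs quoted above say), then discard all SSL state."""
    path = (f"/puppet-ca/v1/certificate_status/{quote(hostname, safe='')}"
            f"?environment={quote(environment, safe='')}")
    return [
        ("PUT", path, {"Accept": "pson", "Content-Type": "text/pson"},
         json.dumps({"desired_state": "revoked"})),
        ("DELETE", path, {"Accept": "pson"}, None),
    ]


def parse_delete_reply(body):
    """Map the DELETE reply to the list of deleted classes; [] for 'Nothing was deleted'."""
    text = body.strip().strip('"')
    if text.startswith("Deleted for "):
        return [cls.strip() for cls in text.split(":", 1)[1].split(",")]
    return []


def clean_node(hostname, environment="production"):
    """Run both requests over mutually authenticated TLS and return
    (method, status, body) per call. The PUT may fail when only a CSR exists
    (nothing to revoke); the DELETE still clears it, so both results are returned
    for the caller to inspect rather than aborting on the first error."""
    ctx = ssl.create_default_context(cafile=CA_CERT)
    ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
    conn = http.client.HTTPSConnection(CA_HOST, CA_PORT, context=ctx)
    results = []
    for method, path, headers, body in clean_requests(hostname, environment):
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        results.append((method, resp.status, resp.read().decode()))
    conn.close()
    return results
```

Check the DELETE body with parse_delete_reply: an empty list means the CA reported "Nothing was deleted", so the name was not actually freed and autosign will still collide.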
