
use trusted facts in site.pp

asked 2016-05-24 04:07:51 -0600



I'm on Puppet 3.8.7 on the agent and master, and I have puppetdb-2.3.8 as the backend. I wanted to replace my static ENC in Hiera with trusted facts in the Puppet certificate.

I was following docs I found here:

But I think I'm missing something.

On the agent, I have a /etc/puppet/csr_attributes.yaml file with contents:

    extension_requests: role::networkmanagement::backupserver networkmanagement backupserver home

On the master I have trusted facts enabled:

    # puppet config print trusted_node_data --section master
    # puppet config print immutable_node_data --section master

On the master, I see the OIDs encoded in the agent's certificate, using puppet cert print ...

         X509v3 extensions:
             Netscape Comment: 
                 Puppet Ruby/OpenSSL Internal Certificate
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment

I have this in my site.pp (outside of any node statement):

    $factsrole = $trusted['extensions']['']
    notify { "role ${factsrole} trusted ${trusted}": }

And on a puppet agent --test run on the agent I get this printed out:

    Notice: role trusted {authenticated => remote, certname =>, extensions => {}}

So I'm wondering why this extensions hash is empty; I expected it to have the extensions as its contents?

Any cluebats appreciated ;)

cheers, Sebastian

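As an added example (not code from the question or from Puppet itself), the following Ruby script mirrors how the master derives $trusted['extensions'] from the signed agent certificate: it filters the certificate's X509v3 extensions down to Puppet's two OID subtrees and decodes each value, using a constructed self-signed certificate in place of a real agent certificate. The OID numbers and the subtree_of? logic are assumptions based on Puppet's OID registry, not taken from the page.

```ruby
require 'openssl'

# OID subtrees Puppet reserves for certificate extensions (assumed from
# Puppet's OID registry; confirm against your version's lib/puppet/ssl/oids.rb).
PP_REG_CERT_EXT  = '1.3.6.1.4.1.34380.1.1' # ppRegCertExt, holds pp_role etc.
PP_PRIV_CERT_EXT = '1.3.6.1.4.1.34380.1.2' # ppPrivCertExt, site-private OIDs
PP_ROLE          = "#{PP_REG_CERT_EXT}.13" # pp_role (assumed arc number)

# Simplified stand-in for Puppet::SSL::Oids.subtree_of? on dotted OIDs.
def subtree_of?(parent, oid)
  oid == parent || oid.start_with?("#{parent}.")
end

# extnValue is an OCTET STRING wrapping a DER string; decode it instead of
# using ext.value, which renders unknown OIDs as raw bytes.
def decode_value(ext)
  octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(octets).value
end

# Same shape as certificate.rb's custom_extensions: keep only Puppet's
# subtrees, then map each extension to an {'oid', 'value'} hash.
def custom_extensions(cert)
  cert.extensions
      .select { |e| subtree_of?(PP_REG_CERT_EXT, e.oid) || subtree_of?(PP_PRIV_CERT_EXT, e.oid) }
      .map { |e| { 'oid' => e.oid, 'value' => decode_value(e) } }
end

# The hash $trusted['extensions'] should carry for this certificate.
def trusted_extensions(cert)
  custom_extensions(cert).each_with_object({}) { |e, h| h[e['oid']] = e['value'] }
end

# Constructed self-signed cert with the extensions csr_attributes.yaml would request, plus one unrelated.
def build_test_cert(extension_requests)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  extension_requests.each do |oid, value|
    der = OpenSSL::ASN1::UTF8String.new(value).to_der
    cert.add_extension(OpenSSL::X509::Extension.new(oid, der, false))
  end
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true)) # filtered out
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

Feeding trusted_extensions the agent's signed cert (OpenSSL::X509::Certificate.new(File.read(path)), with path pointing at the agent cert under the master's ssldir) shows whether the OIDs survived signing; if that is non-empty while $trusted['extensions'] is still {}, the values are being lost on the master's request path rather than in the certificate.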

1 Answer


answered 2016-05-25 01:36:45 -0600


updated 2016-05-25 02:01:30 -0600

Answering myself:

After a debugging session, I came up with the following patch to puppet:

+--- lib/puppet/ssl/certificate.rb.orig Wed May 25 08:13:50 2016
++++ lib/puppet/ssl/certificate.rb      Wed May 25 08:14:35 2016
+@@ -60,6 +60,8 @@ DOC
+         Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid)
+     end
+- { |ext| {'oid' => ext.oid, 'value' => ext.value} }
++    extensions = []
++ { |ext| extensions << {'oid' => ext.oid, 'value' => ext.value} }
++    return extensions
+   end
+ end
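Review bot: the '-' and '+' lines beginning with '{ |ext| ... }' have lost whatever preceded the block (the filtered collection and its '.map' or '.each' call), so the hunk as pasted will not apply; please repost the complete lines. That dropped receiver also decides whether the change does anything: if the original call was 'map', its block already returns the array of {'oid', 'value'} hashes as the method's value, and collecting into 'extensions' with '<<' followed by 'return extensions' is behaviour-preserving; only if it was 'each' (which returns the receiver, not the hashes) would the rewrite change the result. Since the extensions still arrive empty when the master runs behind unicorn, a fix in this method should be confirmed against a request served by that front end and not only by 'puppet master'.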

I run on OpenBSD, and there ruby 2.2.5 is used; is that some kind of incompatibility?

But this only seems to help when I run 'puppet master', which I did for debugging the problem. Running the puppet master behind ruby unicorn, the extensions are still not propagated.
