Kickstart Puppet and autosign certificates?

asked 2014-01-31 16:28:24 -0600

Forrest

I'm looking into bootstrapping PE during kickstart. One issue I have is whether to automatically sign certificates. It is otherwise one more manual step that becomes annoying in quantity.

I understand there may be security issues, though our environment is relatively small.

The goal is to kickstart a host and have it up and running, in Puppet and configured, with a minimum of human input.

So what's your question?

Ancillas (2014-02-01 01:41:11 -0600)

3 Answers

answered 2015-04-17 07:31:57 -0600

JohnsonEarls

Look into Policy-Based Autosigning:

  1. Determine a method by which your puppet master can recognize hosts that should be signed, based only on the name provided in the certificate and the contents of the certificate itself.
  2. Once you have such a method, write a script that accepts the certificate name (usually but not necessarily the FQDN) as its only argument and the PEM-encoded contents of the certificate from stdin, and exits with 0 exit code if the certificate should be signed or 1 (or anything that is not 0) if the certificate should not be signed.
  3. Make that script owned by and executable by the puppet user, then set the autosign configuration option to the full path to the script.

Step 1 is the hard part. You probably need information from your deployment system in order to tell if this certname was recently installed.

Alternately, you can use a whitelist with Basic Autosigning and have your procedure be to manually enter the FQDN of the nodes being installed into the whitelist file before the install, and remove them after the install.

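A policy executable following the three steps in the answer above, as an added example that is not part of the original answer or of Puppet's own code. It assumes the deployment system creates an empty marker file named after the certname in a hypothetical directory `/var/lib/autosign-pending` shortly before kickstart; `should_sign`, the directory and the two-hour window are illustrative choices.

```python
#!/usr/bin/env python3
"""Policy autosign executable: argv[1] = certname, stdin = PEM CSR.
Exit 0 tells the master to sign; any other exit code refuses."""
import os
import re
import stat
import sys
import time

PENDING_DIR = "/var/lib/autosign-pending"  # hypothetical marker directory
MAX_AGE_SECONDS = 2 * 60 * 60              # assumed install window

# Lowercase DNS-style names only, so "/" and ".." can never reach the path.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
CERTNAME_RE = re.compile(r"%s(?:\.%s)*" % (LABEL, LABEL))


def should_sign(certname, csr_pem, pending_dir=PENDING_DIR,
                max_age=MAX_AGE_SECONDS):
    """Approve only a well-formed certname that has a fresh marker file."""
    if len(certname) > 253 or not CERTNAME_RE.fullmatch(certname):
        return False
    # Only checks that stdin carries a PEM CSR; its contents are not parsed.
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        return False
    marker = os.path.join(pending_dir, certname)
    try:
        info = os.lstat(marker)             # lstat: do not follow symlinks
        if not stat.S_ISREG(info.st_mode):
            return False
        fresh = time.time() - info.st_mtime <= max_age
        os.unlink(marker)                   # single use, expired or not
    except OSError:
        return False                        # fail closed on any file error
    return fresh


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(2)
    sys.exit(0 if should_sign(sys.argv[1], sys.stdin.read()) else 1)
```

Because the marker is deleted on first use, a second CSR for the same certname is refused until the deployment system creates a new marker.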

answered 2014-02-03 11:49:35 -0600

Ancillas

I think a much better approach is to use the Puppet API to have nodes sign themselves. You have to seed your nodes w/ a pre-signed cert for the purpose of sending API requests, and use a simple boot script.

Puppet starts, connects to the master, and then waitforcert() should be called to wait for a CSR to be generated. Once that happens, signcert() should be called to sign the cert. Finally, I prefer to delete the seeded cert files from the server. Here's a snippet:


# Loop until the puppet master has a CSR for this server ...

answered 2014-02-03 07:12:41 -0600

Waldemar

updated 2014-02-03 16:00:29 -0600

We ran into a similar problem. We are using a tiny cron script that signs a host certificate within a certain time window automatically. This script checks for pending requests using "puppet cert --list". If this is the case, another successful test in $signpath for a filename equal to the FQDN is sufficient for an automatic sign (with puppet cert).

This script is executed on a puppetmaster by crond. Your installation process (preparation, not bootstrap) has to create a file $signpath/$FQDN (uppercase). This file is removed after the host certificate has been signed successfully or when $maxage has been reached.

Please ...


Asked: 2014-01-31 16:28:24 -0600

Seen: 682 times

Last updated: Apr 17 '15