Auto Signing Certificates for Puppet agent

Posted: November 12, 2018 in Linux, puppet

Puppet agent and server comunicate via SSL connection.By default, Puppet agent create Certificate Signing Request (CSR)  after we run puppet agent -t on client, and we need to manually sign this request on Puppet server puppet cert sign

We can automate this process in 2 ways:

  • whitelisting domain name
  • by script which reads log file and approves CSR automatically

Whitelisting Domain Name

On Puppet server run puppet config print --section master autosign

Create file /etc/puppetlabs/puppet/autosign.conf and whitelist domain name

Content of /etc/puppetlabs/puppet/autosign.conf:

*.mshome.net

Restart Puppet master service:systemctl restart puppetserver

If we now run puppet agent -t on Puppet node, CSR will be signed automatically.

Automating CSR using script

On Puppet master run puppet config set --section master autosign /etc/puppetlabs/puppet/autosign.sh

Content of /etc/puppetlabs/pupppet/autosign.sh

#!/bin/bash
#
# a test script for policy based autosigning in puppet
#
# this script logs the certname and the CN from the CSR
# via syslog to local3.info. on centos7 this lands in
# /var/log/messages.
#
# $1 gets passed by the puppet master and is the certname of the agent
# the CSR is passed on STDIN

set -eof pipefail

export PATH=/bin:/sbin

readonly CERTNAME=$1
readonly CSR=$(cat -)
readonly CN=$(echo "${CSR}" | openssl req -noout -text | grep CN)

logger -p local3.info "received csr for host ${CERTNAME}"
logger -p local3.info "Common Name in CSR: ${CN}"

exit 0

Restart Puppet master service again and run puppet agent -t again

1.PNG

Advertisements
Comments
  1. An impressive share! I’ve just forwarded this onto a friend who has been doing a little
    research on this. And he in fact bought me lunch due to the fact that I found it for
    him… lol. So let me reword this…. Thank YOU for the meal!!
    But yeah, thanx for spending the time to talk about this matter
    here on your website.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s