Is there a way I can set a puppet master to auto accept all certs from clients (so I don't have to puppetca on the master each time)?
3 Answers
Create a file /etc/puppet/autosign.conf on the master, containing the domain names of the hosts for which you want certificates signed automatically.
Example:
www.example.com
*.example.org
*
Michael Hampton
echo "*" > /etc/puppet/autosign.conf
Or you can be a little more secure (but not really, since a client sets its own cert name; someone wanting illegitimate access to your puppet master would just need to know what name to fake) by limiting it to a specific domain:
echo "*.stackexchange.com" > /etc/puppet/autosign.conf
Shane Madden
I'm personally not a fan of automatically signing these certificates for the reasons already outlined.
I put together a small script kicked off during my kickstarts which runs the following:
echo Configuring local Puppet instance...
# Send the CSR and wait up to 900 seconds for the master to sign it
/usr/sbin/puppetd --waitforcert 900
sleep 10
echo We will use $HOSTNAME for all future requests...
echo Running server side script..
# Switch consoles so the ssh prompt is visible during the kickstart
chvt 1
# Ask the master to sign exactly this host's certificate
ssh -q -t $USERNAME@puppetmaster auto_client.sh $HOSTNAME
chvt 6
auto_client.sh
#! /bin/bash
# Runs on the master; $1 is the hostname the new client requested.
NEWHOST=$1
# Sign only the pending request for this host.
sudo puppetca --sign "$NEWHOST"
# If no manifest mentions the host yet, add a node definition for it.
if ! ( cat /etc/puppet/manifests/* | grep -q "$NEWHOST" )
then
NHFILE=/etc/puppet/manifests/temp.pp
echo node \'$NEWHOST\' >> $NHFILE
echo { >> $NHFILE
echo include linux_base >> $NHFILE
echo } >> $NHFILE
fi
I seriously thought about doing something like using an SSL certificate stored on a USB stick for the SSH connection but this proved more convenient.
Tim Brigham
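A middle ground between a glob in autosign.conf (where the client picks its own certname) and signing every host by hand, as an added example that is not code from any of the answers above: newer Puppet masters (3.4 and later) accept an executable for the autosign setting, run it with the certname as the first argument and the CSR on stdin, and sign when it exits 0. The script below signs a name only if the provisioning step announced it first, and only once; the pending file, its path and the autosign_announce helper are assumptions for this example.

```shell
#!/bin/sh
# Policy-based autosign hook. Enable it in puppet.conf under [master]:
#   autosign = /etc/puppet/autosign-pending.sh
# Puppet calls it as: autosign-pending.sh <certname>  (CSR PEM on stdin)
# Exit 0 signs the certificate; anything else leaves it for puppetca.
#
# Assumption (not from the page): the kickstart/provisioning step appends
# the hostname it is about to build to PENDING_FILE before the client
# runs puppetd, so only announced names get signed, and each only once.
PENDING_FILE="${PENDING_FILE:-/etc/puppet/autosign-pending.txt}"

# Record a host that is about to be provisioned (run on the master).
autosign_announce() {
    printf '%s\n' "$1" >> "${2:-$PENDING_FILE}"
}

# Decide whether CERTNAME ($1) may be signed using pending file $2.
# Returns 0 and removes the entry on an exact match, 1 otherwise.
# Matching is exact on purpose: no globs, so a client cannot choose a
# name that merely fits a pattern such as *.example.com.
autosign_decide() {
    certname="$1"
    pending="${2:-$PENDING_FILE}"
    # Refuse anything that is not a plain hostname (no globs, no paths).
    case "$certname" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ -r "$pending" ] || return 1
    if grep -Fxq -- "$certname" "$pending"; then
        # One-shot: drop the line so a repeat request with this name waits.
        tmp="$pending.tmp.$$"
        grep -Fxv -- "$certname" "$pending" > "$tmp" || true
        cat "$tmp" > "$pending" && rm -f "$tmp"
        return 0
    fi
    return 1
}

# Entry point when the puppet master invokes the hook.
if [ -n "${1:-}" ]; then
    if autosign_decide "$1"; then exit 0; else exit 1; fi
fi
```

Pair it with the provisioning step: have the kickstart (or the ssh call in the answer above) run autosign_announce with the hostname on the master before the client first contacts it.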