On Fri, Jan 28, 2011 at 06:47, Jed <jedbl...@gmail.com> wrote:
> I'm new to puppet, sorry if the question comes off a little green-thumb

We all start off that way. :)

> I have a puppet server and a puppet client (both running latest
> versions)
>
> we have wildcard certs for all our internal domains, we use these
> certs for SSL ldap posix auth, apache, jetty..etc.etc.
>
> i.e.
> *.priv.tech.com
>
> instead of puppet generating the certs and doing the signing of the
> client request, would it be possible to have puppet use these wildcard
> ssl certs instead?

Yes. On the other hand, you will very quickly run into a problem: the puppet master uses the name in the SSL certificate that the client supplies as the "node" identifier. So, if you use that wildcard for your nodes you will not be able to uniquely identify them. You would have to have the same manifest on all of them, or reinvent all the distinctions that puppet already makes.

> So when I stand up an instance (centos on vmware), it will
> automatically have the certs built into the template and that instance
> can talk to the puppet master without having to manually sign every
> puppet client. I've read that I can turn auto-sign=on, but that is a
> gaping security hole.

Well, it allows anyone to become a "known" node in your infrastructure. They can then get whatever configuration a default node gets; historically, this has been a fatal error that the node is unknown in my configurations:

    node default {
      fail("node ${fqdn} is not a known host!")
    }

The degree of security hole is pretty strictly limited, because holding an SSL certificate gives you a token that lets you identify yourself to the puppet master, not a token that allows you to do anything more exciting.

> I basically want to remove the signing step and have all instances
> automatically talk/trust the puppet master using our wildcard ssl
> certs.
>
> is this possible?

Probably not usefully to you, no. You might better aim to integrate a stage into your host build process that will generate the certificate on the server and allow it to download.
Regards,
    Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
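The identity problem Daniel describes (the master uses the client certificate's name as the node name, so a shared wildcard cert collapses every host into one identity) and his `node default { fail(...) }` fallback, as a small added model that is not Puppet's own code or part of this thread. The subject structure mirrors what Python's `ssl.getpeercert()` returns; the host inventory and the certificate subjects are constructed for the illustration.

```python
"""Model of how a Puppet master derives a node identity from the client
certificate, and why a shared wildcard certificate cannot serve as one.
Added illustration, not Puppet's implementation."""
import re

# Constructed stand-in for the node blocks a manifest actually names.
KNOWN_NODES = {"web01.priv.tech.com", "ldap01.priv.tech.com"}

HOSTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)*")


def common_name(subject):
    """CN from a getpeercert()-style subject: a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(subject):
    """Return ("catalog", name) for a host the manifest names,
    ("reject", reason) for a cert that identifies no single host, and
    ("fail", message) for an unknown host, i.e. the 'node default' case."""
    cn = common_name(subject)
    if cn is None:
        return ("reject", "certificate has no CN; no node name to use")
    # A wildcard CN is shared by every host that holds the cert, so it
    # names the domain, not a node; every such client would be "the same".
    if "*" in cn or not HOSTNAME_RE.fullmatch(cn):
        return ("reject", f"CN {cn!r} is a wildcard or not a hostname")
    if cn not in KNOWN_NODES:
        return ("fail", f"node {cn} is not a known host!")
    return ("catalog", cn)


# Constructed subjects: a per-host cert and the shared wildcard cert.
PER_HOST = ((("organizationName", "Tech"),),
            (("commonName", "web01.priv.tech.com"),))
WILDCARD = ((("organizationName", "Tech"),),
            (("commonName", "*.priv.tech.com"),))
UNKNOWN = ((("commonName", "rogue.priv.tech.com"),),)

if __name__ == "__main__":
    for label, subj in (("per-host", PER_HOST), ("wildcard", WILDCARD),
                        ("unknown", UNKNOWN)):
        print(label, "->", classify(subj))
```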