Not sure about the first question, are you saying your Agent had a
non-autosigned certificate waiting on the Puppet Master, then you
configured auto signing on the Master and expected it to work? I think
the autosigning is done only when an Agent first connects and it won't
sign any pending or backlog of certificates (but don't quote me).
Regarding security, I was originally trying to work with this:
#allow a host to manage its own certificate
#path /certificate_status/([^/]+)$
path /certificate_status/
auth any
allow $1
Which was supposed to only allow a client to delete its own certificate
and only its own. The $1 wasn't working for me though so I fell back to
* (all hosts).
This allows all Agents full control of all operations under
/certificate_status/, which basically means someone malicious could
delete all your signed certificates, preventing all Agents from checking
in. So definitely some implications ;-)
If you get auth.conf any more secure, let me know.
-Luke
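As an added example (not Luke's config and not Puppet's own code), the Python below parses auth.conf stanzas and flags /certificate_status/ rules that let any node revoke or delete every certificate. It assumes Puppet 2.7/3 auth.conf syntax, where an "allow $1" backreference only matches when the path is declared as a regex with "path ~"; the tightened stanza it checks is constructed here, not taken from the thread, and should be verified against the deployment's Puppet version.

```python
# Added example, not from the thread. Assumes Puppet 2.7/3 auth.conf syntax,
# where "allow $1" only works with a regex path ("path ~ ..."). Both fragments are constructed.
WEAK = """\
# allow hosts to manage certificates
path /certificate_status/
auth any
allow *
"""
TIGHT = """\
path ~ ^/certificate_status/([^/]+)$
auth any
method find, save, destroy
allow $1
"""

def parse_auth_conf(text):
    """Parse auth.conf into dicts: path, regex flag, auth, allow list, method list."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, val = line.partition(' ')
        val = val.strip()
        if key == 'path':
            cur = {'path': val, 'regex': False, 'auth': 'yes', 'allow': [], 'method': None}
            if val.startswith('~'):  # "path ~ <regex>" is what enables $1 backreferences
                cur.update(regex=True, path=val[1:].strip())
            rules.append(cur)
        elif cur is not None and key == 'allow':
            cur['allow'] += [a.strip() for a in val.split(',')]
        elif cur is not None and key == 'method':
            cur['method'] = [m.strip() for m in val.split(',')]
        elif cur is not None and key == 'auth':
            cur['auth'] = val
    return rules

def audit(rules):
    """Findings for certificate_status rules that let nodes touch other nodes' certs."""
    findings = []
    for r in rules:
        if 'certificate_status' not in r['path']:
            continue
        if '*' in r['allow']:
            findings.append(f"{r['path']}: 'allow *' lets any node revoke or delete every certificate")
        if any(a.startswith('$') for a in r['allow']) and not r['regex']:
            findings.append(f"{r['path']}: backreference in 'allow' needs a regex path (path ~ ...)")
        if r['method'] is None:
            findings.append(f"{r['path']}: no 'method' restriction; limit to the verbs the workflow needs")
    return findings
```

Running audit(parse_auth_conf(WEAK)) reports the two weaknesses of the thread's stanza, while the tightened stanza comes back clean.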
On 24/04/12 10:42, C R Ritson wrote:
Many thanks - this is now working better. What was tripping me up was that if
the puppet agent has tried to run, and there is a certificate request on the
master, then the next run of the agent either doesn't try to get the
corresponding certificate signed or else the auto-signing is silently blocked.
Is this a bug, a feature, or just a misunderstanding on my part?
What are the security implications of allowing clients to manipulate
certificates in this way? For now at least I will restrict this to the subset
that are likely to need frequent rebuilds.
Chris Ritson (Computing Officer and School Safety Officer)
Room 707, Claremont Tower, EMAIL: c.r.rit...@ncl.ac.uk
School of Computing Science, PHONE: +44 191 222 8175
Newcastle University, FAX : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU. WEB : http://www.cs.ncl.ac.uk/
-----Original Message-----
From: Luke Bigum [mailto:luke.bi...@lmax.com]
Sent: 24 April 2012 09:42
To: puppet-users@googlegroups.com
Cc: C R Ritson
Subject: Re: [Puppet Users] autosign
Autosigning certificates works, what you're probably running into is that
autosigning does not clear off an old Agent's certificate, so you're
getting certificate mismatch errors. Puppet's RESTful API allows you to
manage certificates. It's been a long time since I tested this but I
have this in my auth.conf:
#allow hosts to manage certificates
#path /certificate_status/([^/]+)$
path /certificate_status/
auth any
allow *
And then I do this in a kickstart file to have each server delete its
certificate before it generates a new one and contacts the Puppet Master
for the first time:
curl -k -X PUT -H "Content-Type: text/pson" \
  --data '{"desired_state":"revoked"}' \
  https://puppet:8140/production/certificate_status/$HOSTNAME
curl -k -X DELETE -H "Accept: pson" \
  https://puppet:8140/production/certificate_status/$HOSTNAME
Check out this page for more information:
http://docs.puppetlabs.com/guides/rest_api.html
-Luke
On 24/04/12 09:34, C R Ritson wrote:
Does autosign work? I have a scratch workstation that may be rebuilt
frequently and will therefore acquire a new client certificate. I was
hoping that adding its certificate name to /etc/puppet/autosign.conf on the
puppetmaster would allow just this one client to have its new certificates
autosigned. This doesn't appear to work and I can find no logged errors
telling me what is wrong. Can someone suggest where to look, please?
--
Luke Bigum
Information Systems
Ph: +44 (0) 20 3192 2520
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN