Having read the scary warnings about autosign, I need to think it through some 
more. However, the helpful comments about allowing a client to revoke and delete 
its OWN certificate will probably be useful on their own. Luke said that his 
addition to auth.conf was not working. It appears that the interpolation of a 
substring only works when a pattern-match path specification is used. This 
works for me (note the ~ ):-

#allow (some) hosts to manage certificates
path ~ /certificate_status/test([^/]+)$
auth any
allow test$1

Then in the kick-start file I use Luke's suggested:-

  # Revoke and delete any previous puppet certificate
  curl -k -X PUT -H "Content-Type: text/pson" \
    --data '{"desired_state":"revoked"}' \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

  curl -k -X DELETE -H "Accept: pson" \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

I found I needed to add the domain name here to match the certificate that is 
generated later.

If auto-sign is to be avoided, one possibility is a hand-crafted script to look 
every so often for new certificate requests and sign them if and only if they 
match some pre-determined pattern. Doing it this way avoids the lack of pattern 
matching in autosign.conf, in which a * can only match a complete component of a 
fully qualified domain name and not some other arbitrary substring.

Chris Ritson (Computing Officer and School Safety Officer)

Room 707, Claremont Tower,        EMAIL: c.r.rit...@ncl.ac.uk
School of Computing Science,      PHONE: +44 191 222 8175
Newcastle University,             FAX  : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU.  WEB  : http://www.cs.ncl.ac.uk/

>-----Original Message-----
>From: Luke Bigum [mailto:luke.bi...@lmax.com]
>
>... Regarding security, I was originally trying to work with this:
>
>
>#allow a host to manage its own certificate
>path /certificate_status/([^/]+)$
...
>allow $1
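
The "hand-crafted script" alternative to autosign.conf mentioned above, written out as an added example; this is not code from the post or from Puppet itself. It assumes that pending requests can be listed with `puppet cert list` (one per line, hostname first and possibly double-quoted, already-signed entries prefixed with `+`) and signed with `puppet cert sign HOSTNAME`; both commands are overridable through `LIST_CMD`/`SIGN_CMD`, and the `puppet cert list` output below is a constructed sample so the script runs offline. The pattern is an anchored extended regular expression, which is exactly the arbitrary-substring matching that the `*` in autosign.conf cannot express, and requests that do not match are reported rather than signed.

```shell
#!/bin/sh
# Added example: sign only the pending certificate requests whose name
# matches an anchored ERE, instead of enabling autosign.
#
# Assumptions (not confirmed by the post): 'puppet cert list' prints one
# request per line, hostname first (optionally double-quoted), with signed
# entries prefixed by '+'; 'puppet cert sign HOSTNAME' signs a request.

# Constructed sample of 'puppet cert list' output, used only for the demo.
SAMPLE_LIST='"test01.ncl.ac.uk" (SHA256) AA:BB:CC:DD
"test02.ncl.ac.uk" (SHA256) EE:FF:00:11
"rogue.example.org" (SHA256) 22:33:44:55
+ "test03.ncl.ac.uk" (SHA256) 66:77:88:99
"test01.ncl.ac.uk.example.org" (SHA256) AA:BB:CC:DD'

# Read a cert list on stdin; print the hostnames of unsigned requests only
# (lines whose first field is '+' are already signed and are dropped).
pending_hostnames() {
    awk '$1 != "+" { h = $1; gsub(/"/, "", h); print h }'
}

# Read a cert list on stdin; print the pending hostnames matching "$1".
# The pattern is anchored on both sides, so 'test[0-9]+\.ncl\.ac\.uk'
# does not also admit 'test01.ncl.ac.uk.example.org'.
filter_pending_requests() {
    pending_hostnames | grep -E "^($1)\$"
}

# Read a cert list on stdin; sign each matching request with $SIGN_CMD
# (default: puppet cert sign). Pending requests that do not match are
# listed on stderr for a human to inspect and are never signed.
sign_matching() {
    pattern="$1"
    sign_cmd="${SIGN_CMD:-puppet cert sign}"
    list=$(cat)
    printf '%s\n' "$list" | pending_hostnames | grep -Ev "^($pattern)\$" \
        | sed 's/^/left unsigned: /' >&2
    printf '%s\n' "$list" | filter_pending_requests "$pattern" \
        | while read -r host; do
            $sign_cmd "$host"
        done
}

# Offline demo against the constructed sample. From cron this would be:
#   puppet cert list | sign_matching 'test[0-9]+\.ncl\.ac\.uk'
demo() {
    SIGN_CMD='echo would sign'
    printf '%s\n' "$SAMPLE_LIST" | sign_matching 'test[0-9]+\.ncl\.ac\.uk'
}

demo
```

Run from cron with the real `puppet cert list` on stdin and `SIGN_CMD` unset; the stderr lines name every request that was left for manual review, which is the audit trail a pattern-based signer should leave behind.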
