So after re-reading the docs
http://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#policy-executable-api
I've made the following modification which works.
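#!/bin/bash
# Puppet passes the certname as the first argument.
HOST=$1
# Decode the stored CSR and pull out the challengePassword attribute value.
CUSTOM_ATTR=$(openssl req -noout -text -in "/var/lib/puppet/ssl/ca/requests/$HOST.pem" |
    grep "challengePassword" |
    awk -F ":" '{print $2}')
# Exit 0 to sign the request, non-zero to leave it unsigned.
if [[ "$CUSTOM_ATTR" == "foo" ]]
then
    exit 0
else
    exit 1
fi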
I'd still be interested to see what others are doing with policy based auto
signing though.
On Monday, February 17, 2014 3:20:50 PM UTC+1, George Brown wrote:
>
> Hi,
>
> I'm trying to create an autosign policy which checks for a custom
> attribute in the CSR but I'm having some issue with the master not signing
> the request.
>
> My client has the following in /etc/puppet/csr_attributes.yaml
>
> custom_attributes:
>   1.2.840.113549.1.9.7: foo
>
>
> My policy is a simple bash script, in this case checking for foo
>
> #!/bin/bash
>
> CUSTOM_ATTR=$(echo "$(cat)" | grep "challengePassword" | awk -F ":" '{print$2}')
>
> if [[ "$CUSTOM_ATTR" == "foo" ]]
> then
> exit 0
> else
> exit 1
> fi
>
> I had tested with the following, I'm guessing the issue is with my script
> not reading in the CSR from puppet? If anyone has any examples of policies
> they have created I would love to see them (this seems to be lacking in the
> puppet documentation).
>
> sudo openssl req -noout -text -in /var/lib/puppet/ssl/ca/requests/mynode.pem | /etc/puppet/autosign.sh; echo $?
> 0
>
> Many thanks,
> George
>
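
The policy-executable API linked above passes the certname as the only argument and the PEM-encoded CSR on stdin, so the raw input never contains the text "challengePassword" until it is decoded. The following is an added example, not code from this thread or from Puppet, that decodes stdin instead of reading the request file from disk; `SECRET_FILE` and the function names are assumptions.

```shell
#!/bin/bash
# Added example: autosign policy that reads the PEM CSR from stdin.
# SECRET_FILE is a hypothetical path holding the expected shared secret.
SECRET_FILE="${SECRET_FILE:-/etc/puppet/autosign_secret}"

# Pull the challengePassword value out of `openssl req -text` output on stdin.
# sed strips only up to the first colon, so a secret that itself contains ":"
# is kept whole (awk -F ":" '{print $2}' would truncate it).
extract_challenge() {
    sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Succeed only when both values are non-empty and identical (fail closed, so a
# CSR with no attribute never matches an empty or missing secret).
challenge_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Decode the PEM CSR on stdin and compare its challengePassword to $1.
policy() {
    expected=$1
    got=$(openssl req -noout -text 2>/dev/null | extract_challenge)
    challenge_matches "$got" "$expected"
}

# Puppet runs the policy with the certname as the only argument; exit 0 signs,
# any other status leaves the request unsigned.
if [ "$#" -eq 1 ]; then
    expected=$(cat "$SECRET_FILE" 2>/dev/null) || exit 1
    policy "$expected" && exit 0
    exit 1
fi
```

To try it by hand, pipe the PEM file itself rather than the decoded text: `/etc/puppet/autosign.sh mynode < /var/lib/puppet/ssl/ca/requests/mynode.pem; echo $?`.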