Is there a way I can set a puppet master to auto accept all certs from clients (so I don't have to puppetca on the master each time)?
If you have a consistent naming scheme you could pre-generate and sign a bunch of keys on the master, and then pull them to the client when you install the client the first time. This might be a bit safer than autosign. See http://serverfault.com/questions/137292/how-can-i-pre-sign-puppet-certificates – Zoredache Nov 02 '12 at 18:13
3 Answers
Create a file /etc/puppet/autosign.conf on the master, containing the domain names of the hosts for which you want certificates signed automatically.
Example:
www.example.com
*.example.org
*
Michael Hampton
echo "*" > /etc/puppet/autosign.conf
Or you can be a little more secure (but not really, since a client sets its own cert name; someone wanting illegitimate access to your puppet master would just need to know what name to fake) by limiting it to a specific domain:
echo "*.stackexchange.com" > /etc/puppet/autosign.conf
Shane Madden
@KyleBrandt Yup, on the CA master. That file is the default location (or more specifically, `$confdir/autosign.conf` is the default), but can be changed with the `autosign` setting in `puppet.conf`. – Shane Madden Nov 02 '12 at 17:33
@KyleBrandt: Would you like to know more? http://docs.puppetlabs.com/guides/configuring.html – Scott Pack Nov 02 '12 at 17:40
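To make the two answers above concrete, here is a small added illustration (my own code, not Puppet's) that models which certnames an autosign.conf would accept unattended. It assumes the matching rules the answers describe: an exact certname, a `*.domain` entry covering every name under that domain, and a bare `*` covering everything; treating `#` as a comment marker is also an assumption. Puppet's real matcher has more cases, so treat this as a reading aid for the config, not a reimplementation. The certnames and the comment line in the sample are constructed.

```python
"""Model which certnames a Puppet autosign.conf would sign automatically.

Added illustration, not Puppet's own matcher. Rules modelled:
  - an exact certname            (www.example.com)
  - '*.domain', any depth below  (*.example.org covers a.b.example.org)
  - a bare '*', everything
Assumption: lines starting with '#' are comments.
"""
from typing import Iterable, List, Tuple


def parse_autosign(text: str) -> List[str]:
    """Return the non-empty, non-comment rules from an autosign.conf body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if line:
            rules.append(line.lower())
    return rules


def rule_matches(rule: str, certname: str) -> bool:
    """True if one autosign.conf entry covers the certname."""
    name = certname.lower()
    if rule == "*":
        return True
    if rule.startswith("*."):
        # '*.example.org' covers every name ending in '.example.org', at any
        # depth, but neither 'example.org' itself nor 'fooexample.org'.
        return name.endswith(rule[1:])
    return name == rule


def would_autosign(conf_text: str, certname: str) -> bool:
    """Decide whether the master would sign this CSR without an admin look."""
    return any(rule_matches(r, certname) for r in parse_autosign(conf_text))


def audit(conf_text: str, certnames: Iterable[str]) -> List[Tuple[str, bool]]:
    """Tabulate which of the given certnames the rules accept."""
    return [(n, would_autosign(conf_text, n)) for n in certnames]


# Constructed sample: the file from the first answer plus one comment line.
SAMPLE_CONF = """\
# hosts the master will sign without review
www.example.com
*.example.org
"""

# Constructed certnames. The certname is chosen by the client (its
# puppet.conf 'certname'), which is why a domain wildcard only checks a
# self-asserted string, as the second answer points out.
SAMPLE_REQUESTS = ["www.example.com", "db1.example.org", "a.b.example.org",
                   "example.org", "rogue.example.net"]

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONF, SAMPLE_REQUESTS):
        print(f"{name:22s} {'autosigned' if ok else 'waits for puppetca --sign'}")
```

Running it prints one line per constructed certname; the useful part is seeing that `example.org` itself and `rogue.example.net` are left for a manual `puppetca --sign`, while anything the client chooses to call `<something>.example.org` goes straight through.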
I'm personally not a fan of automatically signing these certificates for the reasons already outlined.
I put together a small script kicked off during my kickstarts which runs the following:
# Client side, run from the kickstart: submit the CSR and keep polling the
# master for the signed cert (--waitforcert sets the retry interval, in seconds)
echo Configuring local Puppet instance...
/usr/sbin/puppetd --waitforcert 900
sleep 10
echo We will use $HOSTNAME for all future requests...
echo Running server side script..
chvt 1
# Ask the master to sign this host's request and give it a node definition
ssh -q -t $USERNAME@puppetmaster auto_client.sh $HOSTNAME
chvt 6
auto_client.sh
#! /bin/bash
# Runs on the master over ssh; the only argument is the new host's certname
NEWHOST=$1
# Sign the pending request for exactly that name
sudo puppetca --sign "$NEWHOST"
# If no manifest mentions the host yet, add a minimal node definition for it
if ! grep -q "$NEWHOST" /etc/puppet/manifests/*
then
NHFILE=/etc/puppet/manifests/temp.pp
echo node \'$NEWHOST\' >> $NHFILE
echo { >> $NHFILE
echo include linux_base >> $NHFILE
echo } >> $NHFILE
fi
I seriously thought about doing something like using a SSL certificate stored on a USB stick for the SSH connection but this proved more convenient.
Tim Brigham