http://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#policy-executable-api
I've made the following modification which works.
#!/bin/bash
HOST=$1
CUSTOM_ATTR=$(openssl req -noout -text -in
"/var/lib/puppet/ssl/ca/requests/$HOST.pem" | grep "challengePassword" |
awk -F ":" '{print$2}')
if [[ "$CUSTOM_ATTR" == "foo" ]]
then
exit 0
else
exit 1
fi
I'd still be interested to see what others are doing with policy based auto
signing though.
On Monday, February 17, 2014 3:20:50 PM UTC+1, George Brown wrote:
Hi,
I'm trying to create an autosign policy which checks for a custom
attribute in the CSR but I'm having some issue with the master not signing
the request.
My client has the following in /etc/puppet/csr_attributes.yaml
custom_attributes:
1.2.840.113549.1.9.7: foo
My policy is a simple bash script, in this case checking for foo
#!/bin/bash
CUSTOM_ATTR=$(echo "$(cat)" | grep "challengePassword" | awk -F ":"
'{print$2}')
if [[ "$CUSTOM_ATTR" == "foo" ]]
then
exit 0
else
exit 1
fi
I had tested with the following, I'm guessing the issue is with my script
not reading in the CSR from puppet? If anyone has any examples of policies
they have created I would love to see them (this seems to be lacking in the
puppet documentation).
sudo openssl req -noout -text -in
/var/lib/puppet/ssl/ca/requests/mynode.pem | /etc/puppet/autosign.sh; echo
$?
Many thanks,
George
--Hi,
I'm trying to create an autosign policy which checks for a custom
attribute in the CSR but I'm having some issue with the master not signing
the request.
My client has the following in /etc/puppet/csr_attributes.yaml
custom_attributes:
1.2.840.113549.1.9.7: foo
My policy is a simple bash script, in this case checking for foo
#!/bin/bash
CUSTOM_ATTR=$(echo "$(cat)" | grep "challengePassword" | awk -F ":"
'{print$2}')
if [[ "$CUSTOM_ATTR" == "foo" ]]
then
exit 0
else
exit 1
fi
I had tested with the following, I'm guessing the issue is with my script
not reading in the CSR from puppet? If anyone has any examples of policies
they have created I would love to see them (this seems to be lacking in the
puppet documentation).
sudo openssl req -noout -text -in
/var/lib/puppet/ssl/ca/requests/mynode.pem | /etc/puppet/autosign.sh; echo
$?
Many thanks,
George
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/fdff0a68-c613-47ac-9910-002b15b34598%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.