FAQ
Does autosign work? I have a scratch workstation that may be rebuilt frequently and will therefore acquire a new client certificate. I was hoping that adding its certificate name to /etc/puppet/autosign.conf on the puppetmaster would allow just this one client to have its new certificates autosigned. This doesn't appear to work and I can find no logged errors telling me what is wrong. Can someone suggest where to look, please?


Chris Ritson (Computing Officer and School Safety Officer)

Room 707, Claremont Tower, EMAIL: C.R.Ritson@ncl.ac.uk
School of Computing Science, PHONE: +44 191 222 8175
Newcastle University, FAX : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU. WEB : http://www.cs.ncl.ac.uk/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Luke Bigum at Apr 24, 2012 at 8:42 am
    Autosigning certificates works; what you're probably running into is that
    autosigning does not clear off an old Agent's certificate, so you're
    getting certificate mismatch errors. Puppet's RESTful API allows you to
    manage certificates. It's been a long time since I tested this but I
    have this in my auth.conf:

    #allow hosts to manage certificates
    #path /certificate_status/([^/]+)$
    path /certificate_status/
    auth any
    allow *

    And then I do this in a kickstart file to have each server delete its
    certificate before it generates a new one and contacts the Puppet Master
    for the first time:

    curl -k -X PUT -H "Content-Type: text/pson" \
    --data '{"desired_state":"revoked"}' \
    https://puppet:8140/production/certificate_status/$HOSTNAME
    curl -k -X DELETE -H "Accept: pson" \
    https://puppet:8140/production/certificate_status/$HOSTNAME

    Check out this page for more information:

    http://docs.puppetlabs.com/guides/rest_api.html

    -Luke
    --
    Luke Bigum

    Information Systems
    Ph: +44 (0) 20 3192 2520
    luke.bigum@lmax.com | http://www.lmax.com
    LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN
  • C R Ritson at Apr 24, 2012 at 9:42 am
    Many thanks - this is now working better. What was tripping me up was that if the puppet agent has tried to run, and there is a certificate request on the master, then the next run of the agent either doesn't try to get the corresponding certificate signed or else the auto-signing is silently blocked. Is this a bug, a feature, or just a misunderstanding on my part?

    What are the security implications of allowing clients to manipulate certificates in this way? For now at least I will restrict this to the subset that are likely to need frequent rebuilds.

  • Luke Bigum at Apr 24, 2012 at 9:52 am
    Not sure about the first question, are you saying your Agent had a
    non-autosigned certificate waiting on the Puppet Master, then you
    configured auto signing on the Master and expected it to work? I think
    the autosigning is done only when an Agent first connects and it won't
    sign any pending or backlog of certificates (but don't quote me).

    Regarding security, I was originally trying to work with this:

    #allow a host to manage its own certificate
    #path /certificate_status/([^/]+)$
    path /certificate_status/
    auth any
    allow $1

    Which was supposed to only allow a client to delete its own certificate
    and only its own. The $1 wasn't working for me though so I fell back to
    * (all hosts).

    This allows all Agents full control of all operations under
    /certificate_status/, which basically means someone malicious could
    delete all your signed certificates, preventing all Agents from checking
    in. So definitely some implications ;-)

    If you get auth.conf any more secure, let me know.

    -Luke
  • C R Ritson at Apr 24, 2012 at 1:14 pm
    Having read the scary warnings about autosign, I need to think it through some more. However, the helpful comments about allowing a client to revoke and delete its OWN certificate will probably be useful on their own. Luke said that his addition to auth.conf was not working. It appears that the interpolation of a substring only works when a pattern-match path specification is used. This works for me (note the ~):-

    #allow (some) hosts to manage certificates
    path ~ /certificate_status/test([^/]+)$
    auth any
    allow test$1

    Then in the kick-start file I use Luke's suggested:-

    # Revoke and delete any previous puppet certificate
    curl -k -X PUT -H "Content-Type: text/pson" \
    --data '{"desired_state":"revoked"}' \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

    curl -k -X DELETE -H "Accept: pson" \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

    I found I needed to add the domain name here to match the certificate that is generated later.

    If auto-sign is to be avoided, one possibility is a hand-crafted script to look every so-often for new certificate requests and sign them if and only if they match some pre-determined pattern. Doing it this way avoids the lack of pattern matching in autosign.conf in which a * can only match a complete component of a fully qualified domain name and not some other arbitrary substring.

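A hand-crafted CSR signer of the kind Chris describes above, added here as an example (it is not from the thread or from Puppet itself). It assumes the `puppet cert list` and `puppet cert sign` subcommands and that `puppet cert list` prints each pending request as a quoted certname followed by its fingerprint; the pattern and the sample names are hypothetical.

```shell
#!/bin/sh
# Added example: sign only those pending CSRs whose certname matches a
# pre-determined regex, as an alternative to autosign.conf (whose '*' can
# only match a whole label of the FQDN, not an arbitrary substring).
# Assumptions: Puppet's `puppet cert list` / `puppet cert sign` subcommands,
# and that `puppet cert list` prints each pending request on its own line as
#   "certname" (fingerprint)
# while already-signed entries (with --all) carry a leading '+'.
# The pattern below is hypothetical; adjust it to your own naming scheme.

ALLOWED_PATTERN='^test[0-9]+\.ncl\.ac\.uk$'

# select_csrs PATTERN: read `puppet cert list` output on stdin and print only
# the certnames (without quotes or fingerprint) that match PATTERN, one per
# line. Lines with a leading '+' (already signed) or otherwise unparseable
# are dropped. Exit status is 0 even when nothing matches, so callers can
# safely run under `set -e`.
select_csrs() {
    sed -n 's/^[[:space:]]*"\([^"]*\)".*$/\1/p' \
        | grep -E -- "$1" || true
}

# reject_csrs PATTERN: the complement of select_csrs, i.e. pending certnames
# that do NOT match PATTERN. These are the requests a human should look at:
# an unexpected name turning up here is worth investigating.
reject_csrs() {
    sed -n 's/^[[:space:]]*"\([^"]*\)".*$/\1/p' \
        | grep -E -v -- "$1" || true
}

# sign_matching PATTERN: sign every pending request matching PATTERN and
# report on stderr any pending request left unsigned. With DRY_RUN=1 nothing
# is signed; the would-be actions are printed instead.
sign_matching() {
    pending=$(puppet cert list)
    printf '%s\n' "$pending" | select_csrs "$1" | while read -r certname; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would sign: %s\n' "$certname"
        else
            puppet cert sign "$certname"
        fi
    done
    printf '%s\n' "$pending" | reject_csrs "$1" | while read -r certname; do
        printf 'left unsigned (does not match pattern): %s\n' "$certname" >&2
    done
}

# Run from cron on the master every so often, e.g.
#   */5 * * * * /usr/local/sbin/sign-csrs.sh --run
if [ "${1:-}" = "--run" ]; then
    sign_matching "$ALLOWED_PATTERN"
fi
```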
  • Antidot SAS at May 2, 2012 at 4:49 pm
    Hi,

    Regarding this issue of $1 not working, have you made sure that the
    reverse DNS for your server is right? Because puppet master seems to identify
    the 'allow' from the reverse of the IP resolution...

    Regards,
    JM
  • Bill Weiss at Apr 24, 2012 at 4:45 pm
    Autosign works, but not as you're expecting: it will sign new
    certificates, but not overwrite existing ones. At least, that's my
    experience here :)

    --
    Bill Weiss
    Backstop Solutions Group

  • Jcbollinger at Apr 25, 2012 at 1:57 pm

    On Apr 24, 11:45 am, Bill Weiss wrote:
    Autosign works, but not as you're expecting: it will sign new
    certificates, but not overwrite existing ones.  At least, that's my
    experience here :)

    And that's as it should be, else the name of the feature would be
    "disable-authentication". Some people do actually seem to want that,
    but Puppet does not offer it, and historically PuppetLabs has resisted
    the idea. I don't blame them.


    John


Discussion Overview
group: puppet-users
categories: puppet
posted: Apr 24, '12 at 8:34a
active: May 2, '12 at 4:49p
posts: 8
users: 5
website: puppetlabs.com