Hi,

If I install the facter & puppet client software via an automated process (kickstart, jumpstart, imaging) how can I distribute keys so I don't have to do the certificate signing manually?

Thanks,
Andrew

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
I had a similar post a month ago, except I wanted to disable the CA stuff.

For my puppet kickstart integration, I did the following:

1. Picked a static ip address and hostname that will be used for all installations.
2. Generate all of the keys for this hostname ahead of time.
3. In the kickstart postconfig section, add lines to create the directory and add the key:

    # RSA-KEY is the pre-generated private key, HOSTNAME the fixed install hostname
    mkdir -p /var/lib/puppet/ssl/private_keys
    echo "RSA-KEY" > /var/lib/puppet/ssl/private_keys/HOSTNAME.pem
    # keep the private key readable only by its owner
    chmod 0600 /var/lib/puppet/ssl/private_keys/HOSTNAME.pem

This may not be secure enough for you, but my use case is behind a firewall.

(please double check the dir names, I am not at my workstation)

On Tue, Nov 4, 2008 at 2:47 PM, AndrewHolt <andrew_tholt@yahoo.co.uk> wrote:
>
> Hi,
>
> If I install the facter & puppet client software via an automated
> process (kickstart, jumpstart, imaging) how can I distribute keys so I
> don't have to do the certificate signing manually ?
>
> Thanks,
> Andrew
2008/11/4 AndrewHolt <andrew_tholt@yahoo.co.uk>:
>
> Hi,
>
> If I install the facter & puppet client software via an automated
> process (kickstart, jumpstart, imaging) how can I distribute keys so I
> don't have to do the certificate signing manually ?
>

You can just turn on autosigning on the puppetmaster.

In the past I did something a bit more complex because we had a CA hierarchy and client certs needed to be generated from the correct signing authority - I did this as a ~20 line php web application that pulled the reverse DNS of the requester and handed it a tarball of the certs.

Honestly I'd probably just try to do something with autosigning on the puppetmaster - pushing around private keys makes me uncomfortable just on principle.

.r'
Yeah, a simple script which enables autosign for the installed host.

For example, in your kickstart/jumpstart or whatever you could do:

    wget http://puppet/install

This should contact a simple cgi script which adds the entry of that host to /etc/puppet/autosign.conf. Then the client runs puppet, which signs the certificate automatically.

Afterwards, you can either parse the puppet master logs to remove the autosign, or do another wget request which removes the certificate.

You might want to do puppetca --clean before you enable the autosign.

Ohad

On Wed, Nov 5, 2008 at 7:37 AM, RijilV <rijilv@gmail.com> wrote:
>
> 2008/11/4 AndrewHolt <andrew_tholt@yahoo.co.uk>:
> >
> > Hi,
> >
> > If I install the facter & puppet client software via an automated
> > process (kickstart, jumpstart, imaging) how can I distribute keys so I
> > don't have to do the certificate signing manually ?
> >
>
> You can just turn on autosigning on the puppetmaster.
>
> In the past I did something a bit more complex because we had a CA
> hierarchy and client certs needed to be generated from the correct
> signing authority - I did this as a ~20 line php web application that
> pulled the reverse DNS of the requester and handed it a tarball of the
> certs.
>
> Honestly I'd probably just try to do something with autosigning on the
> puppetmaster - pushing around private keys makes me uncomfortable just
> on principle.
>
>
> .r'
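The add-then-remove sequence Ohad describes (and RijilV's point that autosigning avoids shipping private keys around at all), as an added example that is not part of this thread and not Puppet's own code: a POSIX sh script that the install-time CGI could call to put exactly one hostname into /etc/puppet/autosign.conf, and call again to take it out once the client has its certificate. The file path is the one named in the thread; the function names, the hostname check and the temp-file write are my own assumptions. The check refuses empty names and anything containing glob characters, because a stray `*` in that file would have the master sign every request it receives, which is the opposite of a per-host, install-time window.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet. Maintains per-host
# entries in the master's autosign.conf so that autosigning is open only
# for the host currently being kickstarted, and only until it has a cert.
# AUTOSIGN_CONF can be overridden from the environment (used by tests).
AUTOSIGN_CONF="${AUTOSIGN_CONF:-/etc/puppet/autosign.conf}"

# Accept only a plain hostname: letters, digits, dots and hyphens, not
# starting with '-' or '.', no empty labels. Globs such as '*' are rejected
# since autosign.conf treats them as patterns matching many hosts.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Add $1 to autosign.conf (idempotent). The new file is assembled in a
# temp file and moved into place so the master never reads a half-written
# list. Run this as the user the master runs as, or fix ownership after.
autosign_add() {
    host="$1"
    valid_host "$host" || { echo "refusing hostname: '$host'" >&2; return 1; }
    touch "$AUTOSIGN_CONF"
    if grep -qxF "$host" "$AUTOSIGN_CONF"; then
        return 0                       # already present, nothing to do
    fi
    tmp="$AUTOSIGN_CONF.tmp.$$"
    cat "$AUTOSIGN_CONF" > "$tmp" && printf '%s\n' "$host" >> "$tmp" && mv "$tmp" "$AUTOSIGN_CONF"
}

# Remove $1 once the client has fetched its signed certificate. grep -v
# exits 1 when nothing is left, so that case is treated as success.
autosign_remove() {
    host="$1"
    valid_host "$host" || { echo "refusing hostname: '$host'" >&2; return 1; }
    [ -f "$AUTOSIGN_CONF" ] || return 0
    tmp="$AUTOSIGN_CONF.tmp.$$"
    grep -vxF "$host" "$AUTOSIGN_CONF" > "$tmp" || true
    mv "$tmp" "$AUTOSIGN_CONF"
}

# Stand-alone use from a CGI wrapper: autosign.sh add <host> | remove <host>
case "${1:-}" in
    add)    autosign_add "$2" ;;
    remove) autosign_remove "$2" ;;
esac
```

The CGI that serves `http://puppet/install` would derive the hostname from the requester (Ohad suggests reverse DNS) and call `autosign_add`; the post-run request, or a log watcher, calls `autosign_remove`. Auditing is then simple: at any moment the file lists only hosts currently mid-install, and a diff of it over time is the record of who was granted a certificate without a human signing it.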