Bob Belnap
2010-Aug-06 14:47 UTC
[Puppet Users] using puppet ssl certs for other applications
Hello,

As I've been building up my puppet infrastructure, I've started using puppet certs for all of my services that require ssl. Usually this is in the form of links:

    # syslog-ng trusts the Puppet CA: the hashed filename in its ca.d
    # directory is a link to the agent's copy of ca.pem
    file { "/opt/syslog-ng/etc/ca.d/b2457b50.0":
      ensure  => link,
      target  => "/var/lib/puppet/ssl/certs/ca.pem",
      require => Package["syslog-ng"],
    }

Or copying file contents:

    # PostgreSQL server cert plus client certs for the postgres and root
    # users, all copies of this node's own Puppet agent certificate
    file { [ "/var/lib/pgsql/data/server.crt",
             "/home/postgres/.postgresql/postgresql.crt",
             "/root/.postgresql/postgresql.crt", ]:
      source => "/var/lib/puppet/ssl/certs/$fqdn.pem",
      owner  => postgres,
      group  => postgres,
      mode   => "0600",
    }

    # The matching agent private key, copied the same way
    file { [ "/var/lib/pgsql/data/server.key",
             "/home/postgres/.postgresql/postgresql.key",
             "/root/.postgresql/postgresql.key", ]:
      source => "/var/lib/puppet/ssl/private_keys/$fqdn.pem",
      owner  => postgres,
      group  => postgres,
      mode   => "0600",
    }

    # The Puppet CA cert as PostgreSQL's trusted root
    file { "/var/lib/pgsql/data/root.crt":
      source => "/var/lib/puppet/ssl/certs/ca.pem",
      owner  => postgres,
      group  => postgres,
      mode   => "0600",
    }

Now pretty much any time I have a service that uses ssl, I just use puppet certs/keys.

The advantages I see:
* It saves me from having to maintain my own separate CA system.
* I don't have to store sensitive certs/keys in manifests

Is anyone else doing this? Is it a good idea? What are the potential pitfalls?

--Bob

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Joe McDonagh
2010-Aug-06 15:11 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
On 08/06/2010 10:47 AM, Bob Belnap wrote:
> As I've been building up my puppet infrastructure, I've started using
> puppet certs for all of my services that require ssl. Usually this is
> in the form of links:

Bob, you're absolutely right it's a big win. I didn't even use links, I just pointed Splunk at the puppet ssl certs.

--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
mohit chawla
2010-Aug-06 15:14 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
I would also like to know the same, are there any drawbacks of doing this?

On Fri, Aug 6, 2010 at 8:41 PM, Joe McDonagh <joseph.e.mcdonagh@gmail.com> wrote:
> Bob, you're absolutely right it's a big win. I didn't even use links, I
> just pointed Splunk at the puppet ssl certs.
David Schmitt
2010-Aug-06 15:29 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
On 8/6/2010 4:47 PM, Bob Belnap wrote:
> Is anyone else doing this? Is it a good idea? What are the potential
> pitfalls?

me too.

An important consideration is that if you distribute secrets (db passwords etc) with puppet, every application using puppet's key can also access them.

Another drawback is that you bind the service to the identity of your server and your shop to puppet's CA. This reduces your flexibility to move services between machines and it doesn't help if you need a customer-facing certificate from an official CA.

Best Regards, David

--
dasz.at OG              Tel: +43 (0)664 2602670      Web: http://dasz.at
Klosterneuburg          UID: ATU64260999
FB-Nr.: FN 309285 g     FB-Gericht: LG Korneuburg
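Bob's manifests copy the agent's private key into postgres-owned files and symlink the CA cert into service directories, and David's point is that every such copy lets that service present the node's Puppet identity to the master. The following is an added example, written for this page and not code from the thread or from Puppet itself: a small audit that walks the filesystem and lists every symlink to, and byte-identical copy of, the agent key, together with the uid and mode that govern each one, so you know the blast radius before you revoke or rotate the cert. The key path, the directory layout it builds under a temp dir, the fake key bytes and all function names are the example's own constructed assumptions; on a real node you would call audit_key_copies() with /var/lib/puppet/ssl/private_keys/<fqdn>.pem and roots such as /etc, /opt, /var and /home.

```python
#!/usr/bin/env python3
"""Inventory every copy of, and symlink to, a Puppet agent's private key.

Added example for this thread; not code from the original posts or from
Puppet. The default agent key location (/var/lib/puppet/ssl/private_keys/
<fqdn>.pem) and the demo layout below are the example's own assumptions.
"""
import hashlib
import os
import pwd
import stat
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def owner_name(uid):
    """Best-effort uid -> name; falls back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_key_copies(key_path, roots):
    """Find every file under `roots` that exposes the key at `key_path`.

    A hit is either a symlink that resolves to the key (the syslog-ng link
    pattern) or a regular file whose bytes equal the key (the PostgreSQL
    copy pattern). Each hit records who can read it, because the question
    that matters is which uids can now present the agent's identity.
    """
    key_real = os.path.realpath(key_path)
    key_stat = os.stat(key_real)
    key_hash = sha256_of(key_real)
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    lst = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISLNK(lst.st_mode):
                    if os.path.realpath(path) != key_real:
                        continue
                    kind = "symlink"
                    effective = key_stat  # a link grants what its target grants
                elif stat.S_ISREG(lst.st_mode):
                    if os.path.realpath(path) == key_real:
                        continue  # the key itself, not a copy
                    if lst.st_size != key_stat.st_size or sha256_of(path) != key_hash:
                        continue
                    kind = "copy"
                    effective = lst
                else:
                    continue
                mode = stat.S_IMODE(effective.st_mode)
                hits.append({
                    "path": path,
                    "kind": kind,
                    "owner": owner_name(effective.st_uid),
                    "mode": "%04o" % mode,
                    # Readable by some uid other than the key's owner: either the
                    # copy was chowned to a service account, or group/other read
                    # bits are set on it.
                    "shared": effective.st_uid != key_stat.st_uid or bool(mode & 0o044),
                })
    hits.sort(key=lambda h: h["path"])
    return hits


def build_demo_tree():
    """Constructed throwaway layout mirroring the thread (not a real key):
    the agent key, a group-readable copy for a database service, a symlink
    from a service config dir, and an unrelated certificate file."""
    root = tempfile.mkdtemp(prefix="puppet-ssl-audit-")
    key_dir = os.path.join(root, "var/lib/puppet/ssl/private_keys")
    pg_dir = os.path.join(root, "var/lib/pgsql/data")
    svc_dir = os.path.join(root, "opt/service/ssl")
    for d in (key_dir, pg_dir, svc_dir):
        os.makedirs(d)
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    key = os.path.join(key_dir, "node.example.com.pem")
    with open(key, "wb") as fh:
        fh.write(fake_key)
    os.chmod(key, 0o600)
    copy = os.path.join(pg_dir, "server.key")
    with open(copy, "wb") as fh:
        fh.write(fake_key)
    os.chmod(copy, 0o640)  # group-readable: the audit should flag this one
    os.symlink(key, os.path.join(svc_dir, "service.key"))
    with open(os.path.join(pg_dir, "server.crt"), "wb") as fh:
        fh.write(b"not the key\n")  # decoy: same directory, different bytes
    return key, root


def run_demo():
    key, root = build_demo_tree()
    return audit_key_copies(key, [root])


if __name__ == "__main__":
    for hit in run_demo():
        flag = "SHARED" if hit["shared"] else "ok"
        print("%-7s %-6s %-10s %s  %s" % (hit["kind"], flag, hit["owner"], hit["mode"], hit["path"]))
```

A symlink is reported with the target's owner and mode, since that is what the kernel checks on open; a copy owned by another uid, or carrying group/other read bits, is flagged shared because a compromise of that service now yields a credential the puppetmaster accepts as the node. Run it before revoking a cert on the master so every copy gets replaced, not just the one under /var/lib/puppet/ssl.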
Tony G.
2010-Aug-06 17:33 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
Hi Bob,

Doing the same for LDAP+TLS, it gives me the advantage of not creating another set of cert/key per machine, besides they are distributed with puppet. At the beginning I was tempted to use only symlinks to them but later I decided to make a copy of them and I've been using them like that without issues so far.

Thanks.

On Fri, Aug 6, 2010 at 9:47 AM, Bob Belnap <bbelnap@gmail.com> wrote:
> Now pretty much any time I have a service that uses ssl, I just use
> puppet certs/keys.
>
> Is anyone else doing this? Is it a good idea? What are the potential
> pitfalls?

--
Tony
http://blog.tonyskapunk.net
Richard Crowley
2010-Aug-06 18:15 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
I use Puppet's certs to set up stunnels and do all other private communication through those. I also reference them directly rather than copying them around. I haven't gone through the whole firedrill yet but this at least seems like it won't make moving services between hosts more painful.

Rich
(iPhoned it in.)
mohit chawla
2010-Aug-07 03:52 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
Also, I have something like this for creating the certificates, works just about fine, and helps in not being paranoid about drawbacks of using puppet's certs:

    class certs {

      package { "openssl":
        ensure => present,
      }

      # The generator script, rendered from the template below
      file { "/var/local/certificates/certs.sh":
        ensure  => present,
        content => template("certs.erb"),
        owner   => "puppet",
        group   => "puppet",
        mode    => "0755",
        require => Package["openssl"],
      }

      # creates => makes this a one-shot: nothing runs once all three files exist
      exec { "sh certs.sh":
        cwd     => "/var/local/certificates",
        creates => [ "/etc/ldap/server.crt",
                     "/etc/ldap/server.key",
                     "/etc/ldap/server.pem" ],
        path    => "/usr/bin:/usr/sbin:/bin:/sbin",
        require => File["/var/local/certificates/certs.sh"],
      }

    }

certs.erb:

    #!/bin/sh
    # Self-signed per-host server certificate, valid 1826 days (5 years);
    # -nodes leaves the key unencrypted so slapd can load it without a passphrase
    openssl req -new -x509 -nodes -days 1826 \
        -out /etc/ldap/server.crt \
        -keyout /etc/ldap/server.key \
        -subj /CN=<%= fqdn %>

    # Generate the .pem file (certificate followed by key)
    cat /etc/ldap/server.crt \
        /etc/ldap/server.key \
        > /etc/ldap/server.pem

    chown openldap:openldap /etc/ldap/server.pem
    chown openldap:openldap /etc/ldap/server.crt
    chown openldap:openldap /etc/ldap/server.key

I could just add a few lines of copying certs to other locations and set the required permissions.

On Fri, Aug 6, 2010 at 11:45 PM, Richard Crowley <r@rcrowley.org> wrote:
> I use Puppet's certs to setup stunnels and do all other private
> communication through those. I also reference them directly rather
> than copying them around.
mohit chawla
2010-Aug-07 03:55 UTC
Re: [Puppet Users] using puppet ssl certs for other applications
oops, nano. In the above code,

    creates=>["/etc/ldap/server.crt","/etc/ldap/server.key","/etc/ldap/server.pem"]

On Sat, Aug 7, 2010 at 9:22 AM, mohit chawla <mohit.chawla.binary@gmail.com> wrote:
> Also, I have something like this for creating the certificates, works just
> about fine, and helps in not being paranoid about drawbacks of using
> puppet's certs: