jerome
2012-Aug-15 12:53 UTC
[Puppet Users] Automatic cleanup of client certificate ?
Hello,

I'm new to Puppet and evaluating it against Cfengine and Chef for the management of multiple thousands of Ubuntu desktops.
The desktops can be reinstalled at any time by technical site operators and they may or may not change the computer name.
This happens fairly often and if the name stays the same, I get:

    err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key

because the desktop's SSL certificate changes when the desktop is rebuilt.
To solve this problem I need to go on the server and do a:

    puppet cert clean <fqdn of client>

But this is not practical in an environment where many computers can be reinstalled at any time.
Is there a solution to this? Can the agent tell the master to clean the key for its hostname?

I do not have this issue with cfengine, because the identifier is simply the MD5 of the certificate, not the hostname. I just need to clean up the list of unused certificates on the server side every once in a while.

Thanks,

Jerome

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/H5apxlHZdxoJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jonathan Proulx
2012-Aug-15 16:25 UTC
Re: [Puppet Users] Automatic cleanup of client certificate ?
There is a config option I just started looking at:

    allow_duplicate_certs
    Whether to allow a new certificate request to overwrite an existing certificate.

but it seems from http://comments.gmane.org/gmane.comp.sysutils.puppet.bugs/21676 that this only works when manually creating certs, not in the use case you're looking for.

The possibly more correct thing would be to save the certificates when reinstalling, or possibly have your installer install the correct certs for each system; this would prevent clients from impersonating each other.

Another option I'm looking at is using a generic certificate on all these systems and setting "certname" in puppet.conf so they are all "ephemeralhost" or some such. I'm looking for a similar solution for ephemeral virtual systems in a private cloud (I can also have namespace collisions, so different active systems that think they are foo.cloud possibly doing very different things). So if anyone has better suggestions I'm very interested in hearing them.

Having used CFengine for more than a decade my advice is run from it. It was good in its day but doesn't provide the necessary level of abstraction; it beats a pile of shell scripts, but only just. Puppet and Chef are both good options depending mostly on personal preference IMO. I haven't given "Juju" a proper look, which is the Ubuntu way; if you have a 100% Ubuntu environment it may be worth a look.

-Jon

On Wed, Aug 15, 2012 at 8:53 AM, jerome <jerome.steunenberg@gmail.com> wrote:
> To solve this problem I need to go on the server and do a:
>
> puppet cert clean <fqdn of client>
>
> But this is not practical in an environment where many computers can be reinstalled at any time.
> Is there a solution to this ? Can the agent tell the master to clean the key for its hostname ?
Nan Liu
2012-Aug-15 16:36 UTC
Re: [Puppet Users] Automatic cleanup of client certificate ?
On Wed, Aug 15, 2012 at 5:53 AM, jerome <jerome.steunenberg@gmail.com> wrote:
> But this is not practical in an environment where many computers can be reinstalled at any time.
> Is there a solution to this ? Can the agent tell the master to clean the key for its hostname ?

I think the certs should be tied with the lifecycle of the system (i.e. new cert with new OS). I would suggest changing the certname option to use a UUID instead of the hostname as default. If you still want to use the hostname as the node identifier, change the node_name option to use the hostname fact.

Nan
Stephen Jahl
2012-Aug-15 16:53 UTC
Re: [Puppet Users] Automatic cleanup of client certificate ?
On Wed, Aug 15, 2012 at 8:53 AM, jerome <jerome.steunenberg@gmail.com> wrote:
> Can the agent tell the master to clean the key for its hostname ?

This is possible, if you are comfortable with opening up access to the puppet REST API on the master. In auth.conf, you can change the options for the /certificate_request path, to allow 'destroy' operations to be initiated:

    <snip>
    path /certificate_status/
    auth yes
    method find, save, destroy
    allow *.domain
    <snip>

From the client, you can run a curl which cleans the certificates, provided you've got the puppet CA cert and client key, which could easily be thrown into a script that's run before reinstallation.

    curl --cert /var/lib/puppet/ssl/certs/client.fqdn.pem \
         --key /var/lib/puppet/ssl/private_keys/client.fqdn.pem \
         --cacert /var/lib/puppet/ssl/certs/ca.pem \
         -k -X DELETE -H "Accept: pson" \
         https://puppetmaster:8140/production/certificate_status/fqdn.client

More info is here: http://docs.puppetlabs.com/guides/rest_api.html#certificate-status

Again, there are some security implications of opening this up, so think about it a bit before you do it. Just figured I'd post a proof of concept :)

-Steve
jerome
2012-Aug-16
[Puppet Users] Re: Automatic cleanup of client certificate ?
Hello,

Thanks a lot for your input. Steve's solution is not possible in my environment because I do not have the previous client cert on reinstallation.

Nan's solution seems to work fine in my context:

On the server: /etc/puppet/autosign.conf:

    *.mydomain

On the client: /etc/puppet/puppet.conf

    [agent]
    certname="mydesktop-201208160928.mydomain"

    # rm -rf /var/lib/puppet/ssl
    # puppet agent --test

This is generated at install time of course.
The cert is automatically signed.
It works fine if you just change the certname again and relaunch the agent.

The nice side-effect is that I can have a cleanup script on the server that does a puppet cert clean for all mydesktop-*.mydomain except the most recent one.

Thanks,

Jerome

On Wednesday, August 15, 2012 2:53:59 PM UTC+2, jerome wrote:
> Is there a solution to this ? Can the agent tell the master to clean the
> key for its hostname ?

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/d_BB73QJ0J0J.
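The server-side cleanup script Jerome describes (clean every mydesktop-*.mydomain cert except the most recent one), written out as an added example; it is not code from the thread or from Puppet itself. It assumes the certname convention from Jerome's reply, <host>-<YYYYMMDDhhmm>.<domain>, assumes the CA keeps signed certs as /var/lib/puppet/ssl/ca/signed/<certname>.pem (the default cadir under the ssldir used elsewhere in the thread), and uses the environment variables CA_SIGNED_DIR and APPLY, which are this example's own names. Two points worth keeping in mind with this design: with autosign.conf set to *.mydomain, anything that can reach the master on 8140 can obtain a signed cert for any name in that domain, so "most recent" is not the same as "legitimate"; and puppet cert clean revokes as well as deletes, so the script only prints what it would clean unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Prunes superseded agent
# certificates on the Puppet master for desktops re-enrolled under a
# timestamped certname such as "mydesktop-201208160928.mydomain".
#
# Assumptions (not stated on the page):
#   - certnames look like <host>-<YYYYMMDDhhmm>.<domain>
#   - signed certs live in $CA_SIGNED_DIR/<certname>.pem
#   - `puppet cert clean` is run as the CA user (root on the master)
set -u

CA_SIGNED_DIR="${CA_SIGNED_DIR:-/var/lib/puppet/ssl/ca/signed}"

# Print the certname of every signed cert in the CA directory, one per line.
list_signed_certnames() {
    for pem in "$CA_SIGNED_DIR"/*.pem; do
        [ -e "$pem" ] || continue          # empty or missing dir: glob stays literal
        base=${pem##*/}
        printf '%s\n' "${base%.pem}"
    done
}

# Read certnames on stdin; print those that are NOT the newest for their host.
# Each matching name is rewritten to "<host>.<domain> <stamp> <certname>",
# sorted by host then by stamp descending, and every line after the first
# per host is stale. Names that do not follow the <host>-<12 digits>.<domain>
# pattern (the master itself, servers enrolled by plain FQDN) are dropped by
# the sed filter and are therefore never cleaned.
stale_certnames() {
    sed -nE 's/^(.+)-([0-9]{12})(\..+)$/\1\3 \2 &/p' \
    | LC_ALL=C sort -k1,1 -k2,2r \
    | awk '$1 != prev { prev = $1; next } { print $3 }'
}

# Clean every stale cert. Dry run unless APPLY=1, because
# `puppet cert clean` both revokes the cert (CRL) and deletes it.
prune_stale_certs() {
    list_signed_certnames | stale_certnames | while IFS= read -r name; do
        if [ "${APPLY:-0}" = 1 ]; then
            puppet cert clean "$name"
        else
            printf 'would clean: %s\n' "$name"
        fi
    done
}

# Intended to run from cron on the master, e.g.:  APPLY=1 prune_stale_certs.sh --run
if [ "${1:-}" = "--run" ]; then
    prune_stale_certs
fi
```

Run it once without APPLY and compare the "would clean" list against what the desktops are actually using before scheduling it; a host whose newest cert was issued by someone abusing the wildcard autosign would otherwise have its real cert revoked by this script.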
Ohad Levy
2012-Aug-16 07:55 UTC
Re: [Puppet Users] Re: Automatic cleanup of client certificate ?
On Thu, Aug 16, 2012 at 10:42 AM, jerome <jerome.steunenberg@gmail.com> wrote:
> The nice side-effect is that I can have a cleanup script on the server
> that does a puppet cert clean for all mydesktop-*.mydomain except the most
> recent one.

If you are interested, you could also use foreman, which would deploy your systems and automatically clean up the certs for you.

Ohad