14

I am wondering how to manually (using openssl instead of puppet ca command) create CA that would be usable by Puppet? The goal would be to script creation of such CA's to deploy them on multiple puppetmasters, instead of certificates being created on them via puppet cert command.

Any ideas on how to do it? I was only able to find something like that: https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/HowTo/Set_up_a_standalone_puppetmaster but it fails to work - after creating CA and client cert and applying them to puppetmaster, it complains with:

Feb 16 09:35:20 test puppet-master[81728]: Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Feb 16 09:35:20 test puppet-master[81728]: Certificate fingerprint: 4F:08:AE:01:B9:14:AC:A4:EA:A7:92:D7:02:E9:34:39:1C:5F:0D:93:A0:85:1C:CF:68:E4:52:B8:25:D1:11:64
Feb 16 09:35:20 test puppet-master[81728]: To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
Feb 16 09:35:20 test puppet-master[81728]: On the master:
Feb 16 09:35:20 test puppet-master[81728]:   puppet cert clean test
Feb 16 09:35:20 test puppet-master[81728]: On the agent:
Feb 16 09:35:20 test puppet-master[81728]:   rm -f /var/puppet/ssl/certs/test.pem
Feb 16 09:35:20 test puppet-master[81728]:   puppet agent -t
SpankMe
  • 251
  • 1
  • 2
  • 4
  • http://projects.puppetlabs.com/projects/1/wiki/certificates_and_security#Manual-CA-Configuration-optional – Daniel t. Feb 15 '13 at 21:14
  • Thanks, but unfortunately, it only says its possible, without showing how. I addition to that, it refers to quite old version of Puppet. – SpankMe Feb 16 '13 at 08:29
  • @SpankMe Why not just use `puppet cert generate`? – Shane Madden Feb 16 '13 at 08:46
  • 3
    @Shane Because I would have to wrap system commands in scripts with Popen objects, validate their output by text parsing... Its much less flexible and 'kosher' than simply using openssl library, and in addition to that requires puppet installation on a server, where it shouldn't be installed - I only want to pregenerate puppet's CA and client certs there, and then distribute those to proper machines. – SpankMe Feb 16 '13 at 08:59

3 Answers3

1

The agent is not using the pregenerated client certificate. It created a CSR (with a new key) instead, so the master will not trust the agent.

Make sure that the files found in

`puppet agent --configprint ssldir`/{certs,private_keys}/`puppet agent --configprint certname`

are identical to those that you pregenerated and put on your master as well. (The master should not receive a copy of the agent's private key.)

Felix Frank
  • 3,093
  • 1
  • 16
  • 22
-1

I don't know why would you ever need a script that generates certs? Once puppet generates the cert that should be good for as long as you have the client (agent). Unless you removed the client and create a new client machine with the same hostname. If you run puppet, it will complain saying that there is private key mismatch. Instead you should clean out the cert on the puppet server whenever you don't need the client (e.g. you are reinstalling OS or recreating a virtual machine) with puppet cert clean test on puppetmaster.

Nikolas Sakic
  • 492
  • 2
  • 8
-1

Plese, refer this URL. this URL maybe help your problem solving https://docs.puppet.com/puppet/5.0/ssl_regenerate_certificates.html

Jishin AV
  • 1
  • 3
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Jenny D Jul 12 '17 at 13:12