Using pregenerated certs with puppet

08/07/06

Posted 04:34:04 pm, Categories: Programming


In a previous post, I mentioned that puppetca can be used to pregenerate certificates for puppet clients. With a pregenerated certificate the client never has to send a certificate request to the puppetmaster or collect its signed certificate over the network: the client's private key, its signed certificate and the CA certificate all reach the client through a channel you control, for example by storing them on a USB key and carrying them by hand from the puppetmaster to the client. A useful side effect is that the client starts out with an authentic copy of the CA certificate instead of trusting whatever it received on its first connection. The same approach can easily be adapted to any other form of secure out-of-band transfer between client and puppetmaster; the part that must never travel over an untrusted network in the clear is the private key.

The file puppetca.config holds the settings that make puppetca sign with the existing puppetmaster's CA while writing the generated key and certificate onto the USB key instead of into the puppetmaster's normal ssldir. Simply mount the USB key on the puppetmaster at /media/disk and run

puppetca --config=puppetca.config -g HOSTNAME

to create a key pair and a certificate for the client HOSTNAME, signed by the puppetmaster's CA.

Walk slowly to the client, mount the USB stick, again at /media/disk, and run the following manifest with puppet:

# Install the pregenerated key and certificates from the USB key into
# puppet's ssldir. This runs locally with puppet, so the client does not
# need to talk to the puppetmaster yet.
class puppet-certs {
  $ssldir = "/var/lib/puppet/ssl"
  $fqdn = "$hostname.$domain"
  $src = "/media/disk/puppet"
  # The private key is the secret: readable by root only.
  file { "$ssldir/private_keys/$fqdn.pem":
    source => "$src/private_keys/$fqdn.pem",
    owner => root, group => root, mode => 0400
  }
  # Drop any public key left over from a key pair the client generated
  # itself, so nothing on disk disagrees with the installed private key.
  file { "$ssldir/public_keys/$fqdn.pem":
    ensure => absent
  }
  # The client certificate and the CA certificate are not secret, but
  # only root should be able to replace them.
  file { "$ssldir/certs/$fqdn.pem":
    source => "$src/certs/$fqdn.pem",
    owner => root, group => root, mode => 0640
  }
  file { "$ssldir/certs/ca.pem":
    source => "$src/certs/ca.pem",
    owner => root, group => root, mode => 0640
  }
}

include puppet-certs

This manifest puts the CA certificate, the signed client certificate and the private key belonging to that certificate in the places puppet expects them, and removes any stale public key file so that it cannot disagree with the installed private key. Once you have verified that the client can communicate with the puppetmaster without any problems, make sure you delete the files from the USB key, in particular the client's private key. The easiest way to do that is to run

  puppetca --config puppetca.config -c HOSTNAME

with the USB key mounted on the puppetmaster. Keep in mind that deleting a file from a USB key only unlinks it and does not destroy the data, so if the stick could be lost or reused elsewhere, overwrite the private key file before deleting it, or reformat the stick, and otherwise treat it as still carrying key material.
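Before the bundle leaves the puppetmaster, and again on the client once the manifest has installed it, it is worth checking that the three files actually belong together. The script below is an added example, not code from the original post or from puppet itself. It uses the openssl command line tool to check that the client certificate is signed by ca.pem, that the private key matches the certificate, and that the certificate's subject CN is the client's hostname, using the same private_keys/, certs/ and certs/ca.pem layout as the manifest above. The make_demo_bundle function is a constructed stand-in for the output of puppetca -g (a throwaway CA and a client certificate it signed) so the checks can be exercised offline; the hostnames client1.example.com and other.example.com are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a pregenerated
# puppet client bundle before trusting it. Assumes the ssldir layout used by
# the manifest above (private_keys/FQDN.pem, certs/FQDN.pem, certs/ca.pem)
# and only needs the openssl command line tool.

# check_bundle DIR FQDN
# Returns 0 when certs/FQDN.pem is signed by certs/ca.pem, matches
# private_keys/FQDN.pem and carries FQDN as its subject CN; 1 otherwise.
check_bundle() {
  cb_dir=$1
  cb_fqdn=$2
  cb_key="$cb_dir/private_keys/$cb_fqdn.pem"
  cb_crt="$cb_dir/certs/$cb_fqdn.pem"
  cb_ca="$cb_dir/certs/ca.pem"

  for cb_f in "$cb_key" "$cb_crt" "$cb_ca"; do
    [ -r "$cb_f" ] || { echo "check_bundle: missing $cb_f" >&2; return 1; }
  done

  # 1. The client certificate chains to the CA certificate the client is
  #    about to trust; openssl verify prints "<file>: OK" on success.
  openssl verify -CAfile "$cb_ca" "$cb_crt" 2>/dev/null | grep -q ': OK$' \
    || { echo "check_bundle: $cb_crt is not signed by $cb_ca" >&2; return 1; }

  # 2. The private key and the certificate belong together: derive the
  #    public key from each and compare.
  cb_kpub=$(openssl pkey -in "$cb_key" -pubout 2>/dev/null | openssl sha256)
  cb_cpub=$(openssl x509 -in "$cb_crt" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$cb_kpub" = "$cb_cpub" ] \
    || { echo "check_bundle: private key does not match $cb_crt" >&2; return 1; }

  # 3. The subject CN is the name puppet will present to the master.
  cb_cn=$(openssl x509 -in "$cb_crt" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
  [ "$cb_cn" = "$cb_fqdn" ] \
    || { echo "check_bundle: subject CN '$cb_cn' is not '$cb_fqdn'" >&2; return 1; }
  return 0
}

# make_demo_bundle DIR FQDN
# Constructed stand-in for what "puppetca -g FQDN" writes to the USB key: a
# throwaway CA plus a client key pair and a certificate signed by that CA.
# Only here so the checks can run offline; it is not a puppet CA.
make_demo_bundle() {
  mb_dir=$1
  mb_fqdn=$2
  mkdir -p "$mb_dir/private_keys" "$mb_dir/certs" "$mb_dir/ca"
  # Explicit config so the demo CA is marked CA:TRUE whatever the system
  # openssl.cnf says.
  cat >"$mb_dir/ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Puppet CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$mb_dir/ca/ca.cnf" \
    -keyout "$mb_dir/ca/ca_key.pem" -out "$mb_dir/certs/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$mb_fqdn" \
    -keyout "$mb_dir/private_keys/$mb_fqdn.pem" -out "$mb_dir/ca/$mb_fqdn.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$mb_dir/ca/$mb_fqdn.csr" \
    -CA "$mb_dir/certs/ca.pem" -CAkey "$mb_dir/ca/ca_key.pem" -CAcreateserial \
    -out "$mb_dir/certs/$mb_fqdn.pem" >/dev/null 2>&1
}

# Stand-alone demo against a constructed bundle: the right name passes, a
# name the stick carries no files for is rejected.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir" client1.example.com
check_bundle "$demo_dir" client1.example.com && echo "client1.example.com: bundle OK"
check_bundle "$demo_dir" other.example.com 2>/dev/null || echo "other.example.com: rejected as expected"
rm -rf "$demo_dir"
```

On a real stick, run check_bundle /media/disk/puppet HOSTNAME on the puppetmaster before walking over, and check_bundle /var/lib/puppet/ssl HOSTNAME on the client after the manifest has run; the demo at the bottom only exercises the checks against the constructed bundle. The third check matters because puppet identifies the client by the certificate's CN, so a bundle generated for the wrong hostname would be signed and internally consistent but still useless.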
