puppet-agent-bootstrap's Introduction

This module will no longer receive updates.
โš ๏ธ As of Puppet 7.27 and 8.3, the built in puppet ssl command now supports bootstrapping an offline agent. Instead of this module, you should use puppet ssl generate_request.

Puppet Agent Bootstrap

This is a Puppet App that provides the puppet bootstrap command, used to generate and validate a Puppet Agent's certificate signing request (CSR) when that request is not sent directly to a Puppet Server Certificate Authority. An example use case is generating a CSR that is submitted to an intermediary service able to communicate with the CA, then validating the signed certificate when it is returned before proceeding with the rest of the agent configuration.

This module is maintained by Puppet and used by our OpsWorks integration, but we have no plans for future feature development. We will keep it working with current versions of Puppet, but new feature development will come from community contributions. It does not qualify for Puppet Support plans.

[tier:maintenance-mode]

Commands

puppet bootstrap purge

Deletes the agent's certificate, CSR, and the Puppet Server's CA certificate. A more graceful version of rm -rf /etc/puppetlabs/puppet/ssl/*.

Useful because, even with a lockfile present, the Puppet daemon may attempt to generate a CSR before you want it to.

puppet bootstrap csr

Performs the CSR generation and returns the fingerprint and name of the CSR. This is what the app was written to do.

puppet bootstrap verify

Validates that the returned certificate and the agent's private key work together, and that the agent can connect successfully to the Puppet Server. This is a saner way to confirm one has the right certificate before unlocking the agent and performing a full Puppet run.
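The two local checks behind verify, key/certificate agreement and chain validation against the CA certificate the agent holds, as an added Ruby example that is not part of this module's code: it builds a throwaway CA, CSR and certificate in memory with Ruby's OpenSSL bindings and reports a missing CA the way the Puppet 6 failure below surfaces it (verify_bootstrap and make_cert are names invented for this example).

```ruby
require 'openssl'

# Added illustration of a "verify" step: (1) the returned certificate matches the
# local private key, (2) it chains to the held CA cert. All material is constructed.

def make_cert(subject, pubkey, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # A root without basicConstraints CA:TRUE is rejected as an issuer by the store.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Outcome of the verify checks; :ca_missing mirrors the Puppet 6 failure
# ("The CA certificates are missing from .../certs/ca.pem").
def verify_bootstrap(cert_pem, key_pem, ca_pem)
  return :ca_missing if ca_pem.nil? || ca_pem.strip.empty?
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem)
  return :key_mismatch unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  return :untrusted_issuer unless store.verify(cert)
  :ok
end

# Constructed fixtures: a throwaway CA, one agent key/CSR/cert, and a wrong key.
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Puppet CA: demo', CA_KEY.public_key, nil, CA_KEY, 1, ca: true)
AGENT_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
csr = OpenSSL::X509::Request.new
csr.subject = OpenSSL::X509::Name.parse('/CN=agent01.example')
csr.public_key = AGENT_KEY.public_key
csr.sign(AGENT_KEY, OpenSSL::Digest.new('SHA256'))
# The CA checks the CSR's self-signature before issuing a certificate for it.
raise 'CSR signature invalid' unless csr.verify(csr.public_key)
AGENT_CERT = make_cert(csr.subject.to_s, csr.public_key, CA_CERT, CA_KEY, 2)
puts verify_bootstrap(AGENT_CERT.to_pem, AGENT_KEY.to_pem, CA_CERT.to_pem) if __FILE__ == $0
```

The real command additionally opens a connection to the server named in puppet.conf; that network step is not modelled here.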

Limitations

This module works inside the SSL-handling components of Puppet, whose behaviour could change in the future. It should go away once the features above are added to core Puppet.

Contributors

Original Author: Adrien Thebo

Maintainers: Puppet

puppet-agent-bootstrap's Issues

puppet bootstrap validate fails on Puppet 6

Describe the Bug

The latest PRs merged into the master branch (#13, #10) have the purge and csr commands working correctly with Puppet 6, but the validate command fails because it didn't download the CA or CRL from the Puppet Server.

# puppet bootstrap verify
Notice: Found a certificate for i-0e83examplea2ef8d
Notice: Private key matches certificate
Error: Failed to initialize SSL: The CA certificates are missing from '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
Error: Run `puppet agent -t`
Error: Connection to https://dev-puppetmaster-example.us-east-1.opsworks-cm.io:8140/puppet/v3 failed, trying next route: Request to https://dev-puppetmaster-example.us-east-1.opsworks-cm.io:8140/puppet/v3 failed after 0.0 seconds: The CA certificates are missing from '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
Wrapped exception:
The CA certificates are missing from '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
Error: Unable to reach Puppet master: No more routes to puppet

Expected Behavior

The validate command downloads the necessary resources from the Puppet Server and successfully validates the certificate has been signed by the server and it is now safe to run the puppet agent command without errors.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Configure puppet.conf and csr_attributes.yaml correctly to generate a CSR with the correct certname, server, and certificate extensions.
  2. Install the puppet-agent-bootstrap module built from the master branch: puppet module install /tmp/puppetlabs-bootstrap-0.2.2.tar.gz --ignore-dependencies
  3. Run puppet bootstrap purge to clean out any certificate activity or configuration before we were ready
  4. Run puppet bootstrap csr to generate a new CSR with the correct certname and extensions.
  5. Submit the CSR to the server and sign it.
  6. Return the signed cert to the instance in the correct directory
  7. Run puppet bootstrap validate to get the CA and CRL from the server to validate the certificate is correct and signed.

Environment

  • Version: puppet --version reports 6.21.1
  • Platform: Amazon Linux 2

Additional Context

These commands are run in the bootstrap script included in the OpsWorks Puppet starter pack that we downloaded when we created the server.

add validate function

Being able to validate that $certname is signed and trusted correctly against the existing ssl private key, public key, and certificate in ssl/certs/$certname.pem would be another good option to have.

puppet bootstrap validate

returns 0 if:
can load certificate
can contact puppetserver (maybe?), to verify that the certificate it has signed can talk to the server in the puppet.conf?

without doing a full puppet run.
