Jira (PUP-9715) puppet cert sign lacks hashsum parameter


Hadmut Danisch (JIRA)

May 22, 2019, 5:23:02 AM
to puppe...@googlegroups.com
Hadmut Danisch created an issue
Puppet / Improvement PUP-9715
puppet cert sign lacks hashsum parameter
Issue Type: Improvement
Assignee: Unassigned
Components: Networking
Created: 2019/05/22 2:22 AM
Priority: Normal
Reporter: Hadmut Danisch

Hi,

On the puppet master the client's public key needs to be signed with puppet cert sign clientname.

There are two ways to do it:

1) the interactive way, where the sha256 hash sum is shown and a human confirms to have checked it

2) the --assume-yes way, to blindly sign a key without verifying.

That's insufficient/insecure if clients need to be registered automatically, e.g. with an external script.

There should be a command like

puppet cert sign clientname hashsum

or just

puppet cert sign hashsum

which signs the client only if the hashsum is equal to the one given on the command line (e.g. fetched directly from the client).

And on the client side there should be some simple command to display the corresponding hash of the cert request, in order to automatically fetch the hash sum from the client and pass it to the master/server to sign that particular hash.

regards


Josh Cooper (JIRA)

May 24, 2019, 6:03:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-9715
Re: puppet cert sign lacks hashsum parameter

Makes sense, though I think we'd want to fix that in puppetserver ca sign. On the agent side, puppet agent --fingerprint will print something like:

# puppet agent --fingerprint
(SHA256) 48:A2:82:E2:21:AD:3A:54:C2:D5:1A:75:48:00:3C:8F:91:8C:65:A2:D9:79:5D:B6:8B:11:57:5D:1C:3D:72:89

though it seems to be broken in 6.4.x. I'll file a separate issue for that.
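The check the issue asks for, as an added example that is not part of the Puppet project or of either message above: it reproduces the fingerprint format printed by puppet agent --fingerprint (the SHA-256 of the DER-encoded request, shown as colon-separated upper-case hex behind an "(SHA256) " label), compares it in constant time against the fingerprint an operator fetched from the agent, and only then invokes puppetserver ca sign. The sample "CSR" body, the certname and the injectable run callable are constructed for the example; a real request would be DER ASN.1 fetched from the CA's csr directory.

```python
"""Refuse to sign a Puppet CSR unless its fingerprint matches an expected one.

Added illustration, not Puppet's own code. Fingerprint format follows
`puppet agent --fingerprint`: "(SHA256) AA:BB:..." over the DER request.
"""
import base64
import hashlib
import hmac
import re
import subprocess
from typing import Callable, Sequence

# PEM framing as written by puppet agent (some tools emit "NEW CERTIFICATE REQUEST").
PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes inside a PEM CERTIFICATE REQUEST block."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_from_der(der: bytes, algorithm: str = "sha256") -> str:
    """Format a digest the way puppet prints it: '(SHA256) AA:BB:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return "(%s) %s" % (algorithm.upper(), pairs)


def normalize(fingerprint: str) -> str:
    """Strip the '(SHA256)' label, colons and case so pasted values compare."""
    bare = re.sub(r"^\(\w+\)\s*", "", fingerprint.strip())
    return bare.replace(":", "").lower()


def fingerprint_matches(csr_pem: str, expected: str) -> bool:
    """True only if the CSR on the CA hashes to the fingerprint from the agent."""
    actual = normalize(fingerprint_from_der(pem_to_der(csr_pem)))
    # Constant-time compare; differing lengths (e.g. a SHA1 value) simply fail.
    return hmac.compare_digest(actual, normalize(expected))


def sign_if_matches(certname: str, csr_pem: str, expected: str,
                    run: Callable[..., object] = subprocess.run) -> bool:
    """Sign via `puppetserver ca sign --certname` only after the fingerprint check."""
    if not fingerprint_matches(csr_pem, expected):
        return False
    run(["puppetserver", "ca", "sign", "--certname", certname], check=True)
    return True


# Constructed sample: the body is just base64("abc"), enough to exercise the
# hashing and comparison; a real CSR is DER ASN.1 and far longer.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

if __name__ == "__main__":
    print("CA computes:", fingerprint_from_der(pem_to_der(SAMPLE_CSR_PEM)))
    # Dry run: print the command instead of calling puppetserver.
    fetched_from_agent = "(SHA256) BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
    dry = lambda cmd, **kw: print("would run:", " ".join(cmd))
    print("signed:", sign_if_matches("node1.example", SAMPLE_CSR_PEM, fetched_from_agent, run=dry))
    print("signed:", sign_if_matches("node1.example", SAMPLE_CSR_PEM, "(SHA256) 00:11:22", run=dry))
```

The fingerprint the operator passes in is meant to come over a channel independent of the CSR itself (the agent's console output, or an out-of-band inventory), so a request substituted on the way to the CA no longer matches; the check deliberately accepts either the labelled colon form or bare hex so the value can be pasted as printed.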

Josh Cooper (JIRA)

May 24, 2019, 6:11:04 PM
to puppe...@googlegroups.com