How to force resigning of existing certificate


heeyoung kim

Dec 9, 2014, 5:54:19 PM
to puppet...@googlegroups.com
Hello

I am so curious how to re-sign a certificate on the Puppet master after agents rebuild their OS.

I found a good article as follows.

However, the site linked below, posterous.com, has closed.

"OK, just had to post this!  I found a solution to my issues that may 
help others. 

http://glarizza.posterous.com/managing-puppet-ssl-certificates 

Basically a CGI script located on your CA Server.  You can pass the 
hostname/certname that you want to clean via http to the script and 
have it clean it off the CA Server.  More details in the link above. 
This is working great for me and I'll be using it until similar 
functionality is included by default in puppet."



Does anyone know how to make the script?
I am new to Linux, Puppet and scripting, so I would appreciate any solution, idea or advice!!

Thanks,

Felix Frank

Dec 12, 2014, 7:49:16 AM
to puppet...@googlegroups.com
Hi,

to re-iterate the point: Doing this is a Very Bad Idea in terms of security.

If you don't care at all, the script would look like the following. PHP
pseudocode example, choose your poison at will, of course.

<?php
// Removes the agent certificate named in ?node=... from the CA. There is no
// authentication here: anyone who can reach this URL can clean any certname.
// escapeshellarg() only keeps the parameter from being interpreted by the shell.
system('sudo puppet cert clean ' . escapeshellarg($_GET['node']));

You can invoke it e.g. using

wget -O /dev/null \
  "https://your.master.fqdn/blast_cert?node=$(puppet agent --configprint certname)"

to remove the certificate of the machine that is calling.

But again - please consider creating a secure channel from whatever
infrastructural component that is responsible for the re-provisioning,
so that the old certificates can be removed in a safe fashion.

HTH,
Felix

On 12/09/2014 11:54 PM, heeyoung kim wrote:
> Hello
>
> I am so curious how to re-sign a certificate on the Puppet master after agents
> rebuild their OS.
>
> I found a good article as follows.
> https://groups.google.com/forum/#!topic/puppet-users/vTLcGA87buo
>
> However, the site linked below, posterous.com, has closed.
>
> "OK, just had to post this! I found a solution to my issues that may
> help others.
>
> http://glarizza.posterous.com/managing-puppet-ssl-certificates
>
> Basically a CGI script located on your CA Server. You can pass the
> hostname/certname that you want to clean via http to the script and
> have it clean it off the CA Server. More details in the link above.
> This is working great for me and I'll be using it until similar
> functionality is included by default in puppet."

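The handler Felix sketches above, reworked along the lines of his own advice (take the request only over an authenticated channel from the re-provisioning component, and never let the certname touch the shell unchecked). This is an added example, not code from this thread or from Puppet. It assumes the script is run as a CGI by a web server that terminates TLS and requires a client certificate from the provisioning host (mod_ssl exports the result as SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN); the ALLOWED_CALLER value, the CLEAN_CMD override, and the /blast_cert path are hypothetical, and `puppet cert clean` is the Puppet 3.x CA command the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): a hardened CGI handler that cleans one
# Puppet agent certificate. Assumptions: the web server runs this as CGI,
# terminates TLS and verifies a client certificate from the provisioning host.
set -eu

ALLOWED_CALLER="${ALLOWED_CALLER:-provisioner.example.com}"   # hypothetical CN
CLEAN_CMD="${CLEAN_CMD:-sudo puppet cert clean}"              # Puppet 3.x CA command

# Puppet certnames are DNS-style: lower-case labels of [a-z0-9-], dot separated,
# no leading/trailing hyphen. Anything else (';', '$(', spaces, '..', '*',
# upper case) is rejected before any shell ever sees it.
CERTNAME_RE='^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$'

validate_certname() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq "$CERTNAME_RE"
}

# Pull the node= parameter out of a raw query string using only parameter
# expansion: no eval, no word splitting, no percent-decoding (an encoded value
# simply fails validation later).
node_from_query() {
    rest="$1"
    while [ -n "$rest" ]; do
        kv="${rest%%&*}"
        case "$rest" in
            *\&*) rest="${rest#*&}" ;;
            *)    rest="" ;;
        esac
        case "$kv" in
            node=*) printf '%s' "${kv#node=}"; return 0 ;;
        esac
    done
    return 1
}

# The web server has already checked the client certificate; we additionally
# pin the CN so that only the provisioning host can trigger a clean.
caller_authorised() {
    [ "${SSL_CLIENT_VERIFY:-}" = "SUCCESS" ] &&
        [ "${SSL_CLIENT_S_DN_CN:-}" = "$ALLOWED_CALLER" ]
}

# Validate, then pass the certname as one argument; it is never interpolated
# into a command string. Returns 2 on a rejected name.
clean_cert() {
    name="$1"
    validate_certname "$name" || return 2
    $CLEAN_CMD "$name"
}

handle_request() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if ! caller_authorised; then
        printf 'forbidden\n'
        return 1
    fi
    if ! node="$(node_from_query "${QUERY_STRING:-}")"; then
        printf 'missing node parameter\n'
        return 1
    fi
    if ! clean_cert "$node"; then
        printf 'rejected: %s\n' "$node"
        return 1
    fi
    printf 'cleaned %s\n' "$node"
}

# Only act as a CGI handler when a web server invoked us (CGI sets
# GATEWAY_INTERFACE); sourcing the file for tests does not trigger a clean.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request
fi
```

Installed at the /blast_cert path from Felix's wget line, this is called by the provisioning host (with its client certificate) rather than by the freshly rebuilt node, which at that point has no credential the CA could trust; the node itself still only runs `puppet agent` afterwards to request a new certificate. The regex is deliberately strict: a certname such as `web01.example.com` passes, while `web01.example.com;rm -rf /` or `$(id)` is refused before `puppet cert clean` is invoked.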
Martijn

Dec 12, 2014, 1:55:30 PM
to puppet...@googlegroups.com
Here's an archive.org copy of the Posterous article you linked: https://web.archive.org/web/20130304065656/http://glarizza.posterous.com/managing-puppet-ssl-certificates

It provides some example code that may be helpful to you.

Regards, Martijn 

On Tuesday, 9 December 2014 23:54:19 UTC+1, heeyoung kim wrote:

heeyoung kim

Dec 22, 2014, 4:10:36 AM
to puppet...@googlegroups.com
Thanks for your answers, guys.

I added curl script before regenerating certificate on nodes and it works fine.
Yup, it has the security issue. Let me try to follow Martijn's link.

Thanks again!!!

Thank you