Disable Puppet Agent SSL Authentication

[Vishal Sarin]

Folks, 

We manage a LAB of Windows PC where the OS crash is quite often and we need to install a new certs. 

So, we need to delete the certs from Server frequently.

Since its in-premise LAB and so I would like disable security completely and have trust on other mechanism rather than SSL. 

Is this do-able in puppet/foreman?

Please advise. 

Thanks,

-Vishal Sarin

[BJ]

Don't know if this is suitable, but an alternative may be to:

• Generate certificate for host on Puppet master, rather than generating CSR from Puppet agent for signing
• If a host requires rebuild, rebuild it with the same FQDN
• Initiate Puppet agent

?

Without testing, I'm assuming the Puppet agent will grab the existing certificate for its host's FQDN.

Alternatively, you may generate and copy the certificates to a network share, and have a first-run script copy the certificate based on the host's hostname/FQDN to the host before initiating a Puppet run.

Would be interested to know if either method works, should you try.

[jcbollinger]

On Wednesday, October 25, 2017 at 8:47:40 AM UTC-5, Vishal Sarin wrote:

Folks, 

We manage a LAB of Windows PC where the OS crash is quite often and we need to install a new certs. 

So, we need to delete the certs from Server frequently.

Since its in-premise LAB and so I would like disable security completely and have trust on other mechanism rather than SSL. 

Is this do-able in puppet/foreman?

As far as I am aware, no, it is not possible to disable SSL.  Puppet relies deeply on it, not only for authentication and confidentiality, but also for node identity.

You can, however, largely circumvent verification aspect of managing client certs.  There are several ways you could do this, among them

• Generate and install client certs manually, keeping a record of them so that you can re-install them when you re-provision the machine.  This will not happen automatically (no matter how you name the machine during re-provisioning) but you can do it yourself.  This way, you will not need to clean certs for these machines from the server in the first place.
• Turn on the allow_duplicate_certs option in the master's configuration.  This will cause the server to automatically replace old certs with new when a certificate-signing request comes in for a name that it already has a cert for.

If you choose the second option then you will have to take care to avoid having multiple machines with the same certname (which is the same as the hostname by default).

John

[John Gelnaw]

We solved a similar problem by copying the host's cert and keys off to a separate server, and then as part of the build process, we (re)downloaded the client's cert/keys.

All of ours was done with scp and host keys, since it was linux based, but no reason you can't do something similar with windows.