Access to puppet cert on windows host


Matthias Raithel

Feb 16, 2014, 7:12:58 AM
to puppet...@googlegroups.com
Hi

I know this has been somewhat of a topic before (see https://projects.puppetlabs.com/issues/13490) but I'm wondering:

Is there any non-breaking, non-ugly way to have the local system on windows access to the puppet certificate files?
My setup does a little cheating and uses the puppet cert (on Linux machines successfully) to encrypt data traffic between my bacula fds and director.

I tried doing this with the certs under %AppData%/Puppetlabs/Puppet/etc/ssl but - because of the rather strange permissions of that folder - I can't read the cert.

Is there a proper way to fix permissions on that folder without doing anything like patching or post-manifest sync scripts?
(Yes I do realize that keeping certificates safe is very good practice.)

David Schmitt

Feb 17, 2014, 1:45:03 AM
to puppet...@googlegroups.com
On 2014-02-16 13:12, Matthias Raithel wrote:
> Is there any non-breaking, non-ugly way to have the local system on
> windows access to the puppet certificate files?
> My setup does a little cheating and uses the puppet cert (on Linux
> machines successfully) to encrypt data traffic between my bacula fds
> and director.
>
> I tried doing this with the certs under
> %AppData%/Puppetlabs/Puppet/etc/ssl but - because of the rather
> strange permissions of that folder - I can't read the cert.
>
> Is there a proper way to fix permissions on that folder without doing
> anything like patching or post-manifest sync scripts?
> (Yes I do realize that keeping certificates safe is very good
> practice.)

When I abuse puppet's CA for things outside puppet, I usually copy the
key, cert and ca.pem to the proper place with puppet and add the right
permissions for the target there.

This makes it easy/obvious where to change the cert once a real cert is
required and it keeps puppet and your app from having to stomp over each
other's ACLs.

Copying out the key also makes it obvious why this is generally a bad
idea, as it gives the "other" service the power to post facts, request
catalogs and talk to puppet:///, potentially requesting other key
material not intended for that service.

Regards, David
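The approach described in the reply above, as an added example that is not code from the thread or from Puppet itself: a manifest that copies the agent's own cert, key and CA into an app-owned directory and sets an explicit ACL there, leaving puppet's ssl directory untouched. It assumes a Windows agent with the puppetlabs-acl module installed; the target directory and the `NT SERVICE\bacula-fd` account are placeholders.

```puppet
# Added example, not code from the thread. Assumes the puppetlabs-acl module.
# The directory and the service account below are hypothetical placeholders.
$ssl_dir = 'C:/ProgramData/Bacula/ssl'
$svc     = 'NT SERVICE\\bacula-fd'

# A dedicated directory for the app, so puppet's own ssl ACLs are never touched.
file { $ssl_dir:
  ensure => directory,
}

# Explicit DACL: break inheritance, purge anything else, admins and SYSTEM
# full control, the service account read-only. Child files inherit this.
acl { $ssl_dir:
  purge                      => true,
  inherit_parent_permissions => false,
  permissions                => [
    { identity => 'BUILTIN\\Administrators', rights => ['full'] },
    { identity => 'NT AUTHORITY\\SYSTEM',    rights => ['full'] },
    { identity => $svc,                      rights => ['read'] },
  ],
  require                    => File[$ssl_dir],
}

# Copy from puppet's own settings (the agent runs as SYSTEM and can read them).
# These copies are the one place to swap in a "real" cert later. Note that the
# private key gives the service the agent's puppet identity, hence the tight ACL.
file { "${ssl_dir}/bacula-fd.crt":
  ensure  => file,
  source  => $settings::hostcert,
  require => Acl[$ssl_dir],
}

file { "${ssl_dir}/bacula-fd.key":
  ensure  => file,
  source  => $settings::hostprivkey,
  require => Acl[$ssl_dir],
}

file { "${ssl_dir}/ca.pem":
  ensure  => file,
  source  => $settings::localcacert,
  require => Acl[$ssl_dir],
}
```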
