Disable Puppet Agent SSL Authentication


Vishal Sarin

Oct 25, 2017, 9:47:40 AM
to Puppet Users
Folks, 

We manage a lab of Windows PCs where the OS crashes quite often and we need to install new certs.

So we need to delete the certs from the server frequently.

Since it is an on-premise lab, I would like to disable security completely and trust another mechanism rather than SSL.

Is this do-able in puppet/foreman?

Please advise. 

Thanks,
-Vishal Sarin

BJ

Oct 25, 2017, 11:02:19 AM
to Puppet Users
Don't know if this is suitable, but an alternative may be to:
  • Generate certificate for host on Puppet master, rather than generating CSR from Puppet agent for signing
  • If a host requires rebuild, rebuild it with the same FQDN
  • Initiate Puppet agent
?

Without testing, I'm assuming the Puppet agent will grab the existing certificate for its host's FQDN.

Alternatively, you may generate and copy the certificates to a network share, and have a first-run script copy the certificate based on the host's hostname/FQDN to the host before initiating a Puppet run.

Would be interested to know if either method works, should you try.

jcbollinger

Oct 26, 2017, 8:58:03 AM
to Puppet Users


On Wednesday, October 25, 2017 at 8:47:40 AM UTC-5, Vishal Sarin wrote:
Folks, 

We manage a lab of Windows PCs where the OS crashes quite often and we need to install new certs.

So we need to delete the certs from the server frequently.

Since it is an on-premise lab, I would like to disable security completely and trust another mechanism rather than SSL.

Is this do-able in puppet/foreman?


As far as I am aware, no, it is not possible to disable SSL.  Puppet relies deeply on it, not only for authentication and confidentiality, but also for node identity.

You can, however, largely circumvent the verification aspect of managing client certs. There are several ways you could do this, among them:
  • Generate and install client certs manually, keeping a record of them so that you can re-install them when you re-provision the machine.  This will not happen automatically (no matter how you name the machine during re-provisioning) but you can do it yourself.  This way, you will not need to clean certs for these machines from the server in the first place.
  • Turn on the allow_duplicate_certs option in the master's configuration.  This will cause the server to automatically replace old certs with new when a certificate-signing request comes in for a name that it already has a cert for.
If you choose the second option then you will have to take care to avoid having multiple machines with the same certname (which is the same as the hostname by default).


John

John Gelnaw

Oct 27, 2017, 2:38:10 PM
to Puppet Users

We solved a similar problem by copying the host's cert and keys off to a separate server, and then as part of the build process, we (re)downloaded the client's cert/keys.

All of ours was done with scp and host keys, since it was Linux based, but there is no reason you can't do something similar with Windows.
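The first-run copy step BJ and John describe above, as an added PowerShell example that is not from the thread or from Puppet itself. It assumes a share laid out as `<fqdn>\cert.pem`, `private_key.pem`, `public_key.pem` plus a top-level `ca.pem`, Puppet's default Windows ssldir and puppet.bat path, and that the PEM cert can be loaded through X509Certificate2.

```powershell
# Added example: restore a pre-generated Puppet agent identity on a rebuilt host.
# Assumed share layout: <Share>\<fqdn>\{cert,private_key,public_key}.pem and <Share>\ca.pem.
param(
    [string]$Share  = '\\fileserver\puppet-certs',                              # assumed
    [string]$SslDir = 'C:\ProgramData\PuppetLabs\puppet\etc\ssl',               # Puppet default
    [string]$Puppet = 'C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat'      # Puppet default
)
$ErrorActionPreference = 'Stop'

# Puppet's certname defaults to the lowercase FQDN; the share uses the same name.
$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()
$src  = Join-Path $Share $fqdn
foreach ($f in 'cert.pem', 'private_key.pem', 'public_key.pem') {
    if (-not (Test-Path (Join-Path $src $f))) { throw "missing $f for $fqdn on $Share" }
}

# Refuse a cert whose subject is not this host: a mismatch means the share is
# mislabelled or two machines share a name (the duplicate-certname problem above).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Join-Path $src 'cert.pem')
if ($cert.Subject -notmatch "(^|,\s*)CN=$([regex]::Escape($fqdn))(,|$)") {
    throw "cert subject '$($cert.Subject)' does not match $fqdn"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "cert for $fqdn expired on $($cert.NotAfter)" }

# Lay the files out where the agent looks for them.
$map = @{
    'cert.pem'        = "certs\$fqdn.pem"
    'private_key.pem' = "private_keys\$fqdn.pem"
    'public_key.pem'  = "public_keys\$fqdn.pem"
}
foreach ($k in $map.Keys) {
    $dst = Join-Path $SslDir $map[$k]
    New-Item -ItemType Directory -Force -Path (Split-Path $dst) | Out-Null
    Copy-Item (Join-Path $src $k) $dst -Force
}
Copy-Item (Join-Path $Share 'ca.pem') (Join-Path $SslDir 'certs\ca.pem') -Force

# The private key is this node's identity to the master: drop inherited ACLs so
# only SYSTEM and Administrators can read it.
$keyPath = Join-Path $SslDir "private_keys\$fqdn.pem"
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# First run with the restored identity; no CSR is generated because cert and key exist.
& $Puppet agent --test --certname $fqdn
```

The share holds every lab host's private key, so its own ACL should limit reads to the build account; Puppet will also refuse the key if its ownership or permissions on the host look wrong, which is why the script sets them explicitly.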