Auto-signing client certificates on Puppet Master Server

I am currently using Puppet to automate infrastructure within a cloud offering (Amazon Web Services, AWS, for those interested).

As part of the deployment of new instances, I require the client certificate to be signed automatically by the Puppet master server so that configuration can begin immediately.

This can be achieved by allowing the master server to automatically sign certificate requests from all clients (*), as below:

$ cat /etc/puppet/autosign.conf 
*

However, this is a security risk: any machine that can reach the master can have a certificate signed without authorisation and then request its catalog and any files served for it, which may contain sensitive information. One other option is to filter on an internal naming convention (in the example below, the DNS name is used as the match), but while that saves time it does not remove the risk. autosign.conf is matched against the certname the agent itself puts in its certificate request, and an agent can set its certname to anything that fits the pattern.

$ cat /etc/puppet/autosign.conf 
*.dean.local

For those using AWS, I found a great article at http://www.codelord.net/2010/12/19/using-puppet-to-automatically-configure-new-ec2-instances that uses the EC2 API tools to get the DNS name of a newly deployed instance and adds it as a trusted client to /etc/puppet/autosign.conf. Run as a cron job, this signs client certificates on the master server automatically. Note that an entry in autosign.conf is a standing grant for that name until it is removed, so the job should also drop the names of instances that no longer exist.
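As an added example, not code from the original post or from the linked article, the following POSIX shell script takes the same idea one step further: rather than appending names to autosign.conf, it signs only those pending certificate requests whose certname exactly matches the private DNS name of an instance that EC2 currently reports as running, so nothing is granted in advance and nothing is left granted afterwards. It assumes the AWS CLI (aws ec2 describe-instances) and the Puppet 3 CA commands (puppet cert list, puppet cert sign) are available on the master; the hostnames in demo_select are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post or the linked article): sign only
# those pending CSRs whose certname exactly matches the private DNS name of an
# instance EC2 currently reports as running, instead of granting a standing
# wildcard in autosign.conf. Assumed tooling: the AWS CLI ("aws ec2
# describe-instances") and the Puppet 3 CA commands ("puppet cert list",
# "puppet cert sign"); the hostnames in demo_select are constructed sample data.

# select_to_sign TRUSTED PENDING
#   TRUSTED and PENDING are newline-separated lists. Prints every pending
#   certname that appears verbatim in TRUSTED. Matching is whole-line and
#   fixed-string (grep -Fx), so a node that chose certname=evil.dean.local is
#   not matched by any *.dean.local pattern, and ip-10-0-0-1.ec2.internal does
#   not match ip-10-0-0-10.ec2.internal.
select_to_sign() {
    trusted="$1"
    printf '%s\n' "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$trusted" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data standing in for the EC2 and "puppet cert list"
# output, so the filter can be exercised without AWS credentials or a CA.
demo_select() {
    trusted="$(printf 'ip-10-0-0-1.ec2.internal\nip-10-0-0-2.ec2.internal\n')"
    pending="$(printf 'ip-10-0-0-2.ec2.internal\nevil.dean.local\nip-10-0-0-10.ec2.internal\n')"
    select_to_sign "$trusted" "$pending"
}

# Private DNS names of running instances, one per line (assumes the AWS CLI).
ec2_running_private_dns() {
    aws ec2 describe-instances \
        --filters Name=instance-state-name,Values=running \
        --query 'Reservations[].Instances[].PrivateDnsName' \
        --output text | tr '\t' '\n'
}

# Certnames awaiting signature. "puppet cert list" prints lines such as
#   "web01.dean.local" (SHA256) 6D:5A:...
# and this keeps only the quoted name (assumed Puppet 3 output format).
pending_certnames() {
    puppet cert list 2>/dev/null | sed -n 's/^ *"\([^"]*\)".*/\1/p'
}

# Intended to run from cron on the master, e.g. every minute: ./sign-ec2.sh --run
main() {
    select_to_sign "$(ec2_running_private_dns)" "$(pending_certnames)" |
    while IFS= read -r name; do
        puppet cert sign "$name"
    done
}

case "${1:-}" in
    --run) main ;;
esac
```

With the sample data, only ip-10-0-0-2.ec2.internal is selected: evil.dean.local is not a running instance, and ip-10-0-0-10.ec2.internal is rejected even though a substring match would have accepted it. A node that is not in EC2's inventory therefore never gets signed, no matter what certname it chose.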

 
