Auto-signing client certificates on Puppet Master Server

I am currently using Puppet to automate infrastructure within a cloud offering, Amazon Web Services (AWS) for those interested!. 

As part of deployment of new instances, I require the client certificate to be automatically signed by the Puppet master server to immediately begin the configuration. 

This can be achieved by allowing the master server to automatically sign all clients (*) certificates, as below:

$ cat /etc/puppet/autosign.conf 

However, this can be perceived to be a security risk as any machine could connect without authorisation and request manifest files which may contain sensitive information. I suppose one other option could be use a filter based on a naming convention (in the below example, the DNS name is used as a match) used internally as below, but again the solution saves time but does not remove the security risk.

$ cat /etc/puppet/autosign.conf 

For those using AWS, I found a great article at where using the EC2 API tools to get the DNS name of the deployed instance and adds this as a trusted client to /etc/puppet/autosign.conf. This then can be run as a CRON job to automatically sign the client certificates on the master server. 


As part of my Puppet Master server installation I wanted to enable Active Directory authentication based on the membership of security group to restrict access to the console rather than using the default local console authentication mechanism.

Firstly, you are required to disable the console authentication by running the following with elevated root privelages:

sudo /opt/puppet/bin/rake -f /opt/puppet/share/console-auth/Rakefile console:auth:disable

Once the console authentication mechanism has been disabled you will be required to edit the following file to use Active Directory authentication by running the following with elevated root privelages:

sudo vi /etc/puppetlabs/httpd/auth.d/ 

In the below example I will use the following configuration settings in order to build the configuration file:

Username: SVCreadad
Password: P@55word!
Domain Controller: DC1
LDAP Search Parameter: OU=Users,DC=dean,DC=local
Security Group: PuppetConsole-Allow

<Location />
AuthType Basic
AuthBasicProvider ldap
AuthName “Puppet Enterprise Console”

# Binding credentials, most AD doesn’t allow anon binding.
AuthLDAPBindDN “CN=SVCreadad,OU=Users,DC=dean,DC=local”
AuthLAPBindPassword “P@55word!”

#User Specification
AuthLDAPURL “ldap://dc1.dean.local/OU=Users,DC=dean,DC=local?SAMAccountName?sub?(objectClass=*)

# Requires that the user is a member of the specified security groups
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=PuppetConsole-Allow,DC=dean,DC=local

</Location >

Save the updated file and run the following command with elevated root privelages:

sudo vi /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf

Uncomment the below line which references the file we have just modified and save the configuration file

# Include /etc/puppetlabs/httpd/auth.d/ 

Restart the pe-httd service by running the following command with elevated root privelages

sudo /etc/init.d/pe-httpd restart