Download as PDF, PPTX
![11/18www.camptocamp.com /
Cleaning certificats on CA
■ Required before new certificate
can be generated
■ Requires to tune the CA API in auth.conf
{
name: "Allow nodes to delete their own certificates",
match-request: {
path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$"
type: regex
method: [delete]
},
Allow: "$2",
sort-order: 500
}](https://image.slidesharecdn.com/puppetcertrenewal-190205130649/85/Automating-Puppet-Certificates-Renewal-11-320.jpg)
![12/18www.camptocamp.com /
Unique renewal tokens
■ Use hashed token incl. unchangeable trusted facts
■ Sample hashing function (compatible with Terraform's
base64sha256 builtin function)
■ Generate unique token per node in Puppet manifest:
Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args|
Digest::SHA256.base64digest(args[0])
end
# $psk is a secret parameter (e.g. from hiera)
# $certname comes from trusted facts
$token = base64_sha256("${psk}/${certname}")](https://image.slidesharecdn.com/puppetcertrenewal-190205130649/85/Automating-Puppet-Certificates-Renewal-12-320.jpg)
![13/18www.camptocamp.com /
Adapt autosign script
#!/usr/bin/env ruby
require 'openssl'
request = STDIN.read
csr = OpenSSL::X509::Request.new(request)
# Don't you love OpenSSL's nested values?
challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value
exit 3 if challenge.nil?
certname = ARGV[0]
hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}")
if challenge == hash
exit 0
end
exit 1](https://image.slidesharecdn.com/puppetcertrenewal-190205130649/85/Automating-Puppet-Certificates-Renewal-13-320.jpg)
![14/18www.camptocamp.com /
Throw in certificate extensions
def get_ext(csr, name)
Puppet::SSL::Oids.register_puppet_oids
# Some more OpenSSL nested values
exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value
# Turtles all the way down
val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value
OpenSSL::ASN1.decode(val).value
end
pp_role = get_ext(csr, 'pp_role')
pp_environment = get_ext(csr, 'pp_environment')
hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}")
■ Lock token to specific trusted facts](https://image.slidesharecdn.com/puppetcertrenewal-190205130649/85/Automating-Puppet-Certificates-Renewal-14-320.jpg)
![15/18www.camptocamp.com /
Couple with trusted facts provisioning
$role = $::trusted['extensions']['pp_role']
include sprintf(
'::roles_c2c::%s', regsubst($role, '/', '::', 'G')
)
■ Dynamic provisioning (no server code added)
■ Safe because linked to certificate](https://image.slidesharecdn.com/puppetcertrenewal-190205130649/85/Automating-Puppet-Certificates-Renewal-15-320.jpg)
Uploaded byRaphaël PINSON
Automating Puppet Certificates Renewal
This document discusses automating the renewal of Puppet certificates for both the Puppet CA certificate and agent certificates. It describes using the puppetlabs-certregen module to regenerate the CA certificate before expiration and generating unique renewal tokens to securely automate approval of agent certificate signing requests. It also discusses integrating certificate extensions to provision roles and environments based on the certificate and tying the renewal process to trusted facts for security.
![5G Explained! A High Level Overview [Introduction]](https://cdn.slidesharecdn.com/ss_thumbnails/5gexplainedahighleveloverview-260119165306-cc137a3e-thumbnail.jpg?width=640&height=640&fit=bounds)
Automating Puppet Certificates Renewal
- 1. Automating Puppet CertificatesRenewal Raphaël Pinson
- 2. 2/18www.camptocamp.com / Who amI? ■ Raphaël Pinson (@raphink) ○ Infrastructure Developer & Training Leader ○ Augeas & Augeasproviders developer ○ Various contributions to Puppet & Ecosystem
- 3. 3/18www.camptocamp.com / Camptocamp ■ Switzerland/ France / Germany ■ Open-source development/integration expert ■ ~ 90 employees ■ Puppet user and contributor since 2008 ■ Main contributor to the Puppet Forge
- 4. 4/18www.camptocamp.com / CA certhas expired
- 5. 5/18www.camptocamp.com / CA renewaloptions NEWCAKEY PAIR NEWCACERT FROMKEYPAIR AUTOMATECA CERTDEPLOYMENT AUTOMATEAGENT CERTDEPLOYMENT
- 6.
- 7. 7/18www.camptocamp.com / puppetlabs/certgen ■ Installfrom Puppet Forge mod 'puppetlabs-certregen', '0.2.0' ■ Regenerate CA cert $ sudo puppet certregen ca ca_serial 01–ca_serial 01 ■ Deploy new CA cert (before it expires!) include certregen::client
- 8. 8/18www.camptocamp.com / How aboutagent certificates?
- 9. 9/18www.camptocamp.com / Certificate autosign ■autosign.conf ○ Insecure by design ○ Don't use ■ Autosign policy ○ (possibly) secure autosigning ○ Use psk, unique tokens, etc. ○ See also danieldreier/puppet-autosign
- 10. 10/18www.camptocamp.com / The puppet_certificatetype ■ Automate Puppet certificate generation ■ Manage with Puppet manifests
- 11. 11/18www.camptocamp.com / Cleaning certificatson CA ■ Required before new certificate can be generated ■ Requires to tune the CA API in auth.conf { name: "Allow nodes to delete their own certificates", match-request: { path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$" type: regex method: [delete] }, Allow: "$2", sort-order: 500 }
- 12. 12/18www.camptocamp.com / Unique renewaltokens ■ Use hashed token incl. unchangeable trusted facts ■ Sample hashing function (compatible with Terraform's base64sha256 builtin function) ■ Generate unique token per node in Puppet manifest: Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args| Digest::SHA256.base64digest(args[0]) end # $psk is a secret parameter (e.g. from hiera) # $certname comes from trusted facts $token = base64_sha256("${psk}/${certname}")
- 13. 13/18www.camptocamp.com / Adapt autosignscript #!/usr/bin/env ruby require 'openssl' request = STDIN.read csr = OpenSSL::X509::Request.new(request) # Don't you love OpenSSL's nested values? challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value exit 3 if challenge.nil? certname = ARGV[0] hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}") if challenge == hash exit 0 end exit 1
- 14. 14/18www.camptocamp.com / Throw incertificate extensions def get_ext(csr, name) Puppet::SSL::Oids.register_puppet_oids # Some more OpenSSL nested values exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value # Turtles all the way down val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value OpenSSL::ASN1.decode(val).value end pp_role = get_ext(csr, 'pp_role') pp_environment = get_ext(csr, 'pp_environment') hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}") ■ Lock token to specific trusted facts
- 15. 15/18www.camptocamp.com / Couple withtrusted facts provisioning $role = $::trusted['extensions']['pp_role'] include sprintf( '::roles_c2c::%s', regsubst($role, '/', '::', 'G') ) ■ Dynamic provisioning (no server code added) ■ Safe because linked to certificate
- 16. 16/18www.camptocamp.com / Put itall together! # csr_attributes.yaml --- custom_attributes: 1.2.840.113549.1.9.7: '$ {token}' # in common Puppet profile puppet_certificate { $certname: ensure => valid, waitforcert => 60, renewal_grace_period => 20, clean => true, }
- 17.