Puppet CA: Certificates explained 
Thomas Gelf - PuppetCamp Düsseldorf 2014
Thomas Gelf, nice to meet you! 
joined NETWAYS in 2010 
formerly more than ten years of... 
web (application) development 
routing/switching: bank/ISP backbones 
ISP: Mail, Hosting, SIP-Carrier, IPv6...
Origins 
nationality: Italian 
mother tongue: German 
kind of. 
SOUTH TYROLEAN!!!
Me and Puppet 
first Puppet steps with 0.24 
talks, articles, blog posts 
trainer, consultant 
over-certified
Me @ PuppetConf 2014 
Had a great time, the conference was awesome! 
PuppetConf 2015 will be in Portland - see you there :)
NETWAYS
Netways and Puppet 
German Puppet Labs Training Partner 
Trainings 
Consulting 
Workshops
Puppet Trainings 
http://www.netways.de/training
What this talk is all about 
certificates 
puppet certificates 
REST API 
distributed environments 
security issues and their consequences 
certificate lifecycle
WHY SHOULD I CARE?
Running Puppet Enterprise?
CERTIFICATES
Public Key Infrastructure - PKI 
everybody has their own private key 
signs or encrypts a message 
verification/decryption uses public key 
algorithms: RSA, DSA...
PKI - Wikipedia
X.509 
describes how our Puppet PKI works 
https:// - you use it every day 
ITU-T standard 
defines a strict hierarchy 
a tree instead of a "web of trust" 
X509v3: allows extensions
Certificate structure 
(distinguished) name 
serial number 
algorithm 
issuer 
validity: FROM - TO 
...
The distinguished name: DN 
just a string 
often a DNS name 
could also be "CA: puppet master" 
something you should care about!
The revocation list 
allows certificates to be invalidated 
does so based on serial numbers 
important if you "lose" certificates
Filename extensions 
.csr: certificate signing request, Base64 
-----BEGIN CERTIFICATE REQUEST----- 
... 
-----END CERTIFICATE REQUEST----- 
.pem: a certificate, Base64 
-----BEGIN CERTIFICATE----- 
Puppet uses .pem also for private keys: 
-----BEGIN RSA PRIVATE KEY-----
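Because Puppet uses the .pem extension for certificates, requests and private keys alike, the file name tells you nothing about what is inside. The following is an added example (not code from the talk or from Puppet) that inspects the PEM headers of a file's content and flags a private key found under a directory meant for public material; the directory layout and the file contents are constructed for the example.

```python
import re

# PEM block markers Puppet writes, mapped to what they contain.
PEM_TYPES = {
    "CERTIFICATE REQUEST": "csr",
    "CERTIFICATE": "certificate",
    "RSA PRIVATE KEY": "private key",
    "PRIVATE KEY": "private key",
    "X509 CRL": "crl",
}

# Directories (relative to ssldir) whose files are meant to be public.
PUBLIC_DIRS = ("certs", "certificate_requests", "ca/signed", "ca/requests")

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(content):
    """Return the kinds of PEM blocks found in a file's text, in order."""
    return [PEM_TYPES.get(m.group(1), "unknown:" + m.group(1))
            for m in BLOCK_RE.finditer(content)]


def misplaced_private_keys(files):
    """Given {relative path: content}, list files holding a private key
    under a directory that should contain only public material."""
    bad = []
    for path, content in files.items():
        if "private key" not in pem_block_types(content):
            continue
        if any(path.startswith(d + "/") for d in PUBLIC_DIRS):
            bad.append(path)
    return sorted(bad)


# Constructed file contents: bodies are placeholder Base64, not real keys.
SAMPLE_FILES = {
    "certs/test.example.com.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "private_keys/test.example.com.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "certificate_requests/test.example.com.pem":
        "-----BEGIN CERTIFICATE REQUEST-----\nMIIC...\n-----END CERTIFICATE REQUEST-----\n",
    # a key and cert bundled together and dropped into certs/ by mistake
    "certs/bundle.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, content in SAMPLE_FILES.items():
        print(path, pem_block_types(content))
    print("misplaced:", misplaced_private_keys(SAMPLE_FILES))
```

On a real ssldir you would build the dictionary from the files on disk; the point of the check is that a key file is recognised by its header, never by its name.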
PUPPET CERTIFICATES
Puppet certificates: archeology 
Want to see a fresh new Puppet CA? Try it out! 
mkdir /tmp/ssltest 
puppet master --no-daemonize --verbose \
  --ssldir /tmp/ssltest \
  --certname test.example.com
Puppet certificates: archeology 
A fresh new Puppet CA!
Puppet certificates: archeology 
ls -l /tmp/ssltest
Same thing for the agent 
puppet agent --test \
  --ssldir /tmp/sslagent \
  --certname test.example.com
We all know the basics 
puppet cert list 
puppet cert list --all 
puppet cert sign test.example.com 
puppet cert revoke test.example.com 
puppet cert clean test.example.com 
find ./ -name 'test.example.com*' -delete
SSL directories 
puppet master --configprint ssldir 
puppet agent --configprint ssldir 
manual configuration makes sense 
think about user permissions 
~/.puppet, /var/lib/puppet 
master and agent on the same host 
passenger VS debug (--no-daemonize)
Let's dump a certificate 
openssl x509 -in test.example.com.pem -noout -text 
puppet cert print test.example.com
Custom data in your certificates 
https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html 
/etc/puppet/csr_attributes.yaml 
custom attributes in your CSR
MCollective
Study security guidelines! 
Study security guidelines! 
Study security guidelines! 
STUDY SECURITY GUIDELINES! 
puppetlabs.com/mcollective/security-overview
Get inspired by existing modules 
make sure you understood them 
or write your own 
re-use Puppet certificates 
read about trust 
and STUDY THE SECURITY GUIDELINES!
THE REST API
It's a web application! 
<VirtualHost *:8140> 
SSLEngine on 
SSLProtocol ALL -SSLv2 -SSLv3 
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+... 
SSLHonorCipherOrder on 
SSLCertificateFile $ssldir/certs/$fqdn.pem 
SSLCertificateKeyFile $ssldir/private_keys/$fqdn.pem 
SSLCertificateChainFile $ssldir/ca/ca_crt.pem 
SSLCACertificateFile $ssldir/ca/ca_crt.pem 
SSLCARevocationFile $ssldir/ca/ca_crl.pem 
SSLVerifyClient optional 
SSLVerifyDepth 1 
SSLOptions +StdEnvVars +ExportCertData
The REST API 
# http://docs.puppetlabs.com/guides/rest_api.html 
https://master:8140/{environment}/{resource}/{key} 
available on puppet master 
and on VERY ancient agents (listen=true)
Puppet REST API URI examples 
GET /{environment}/catalog/{node certificate name} 
GET /{environment}/file_bucket_file/md5/{checksum} 
GET /{environment}/facts/{node certname}
Permissions 
http://docs.puppetlabs.com/guides/rest_auth_conf.html 
# auth.conf 
# allow all nodes to store their own reports 
path ~ ^/report/([^/]+)$ 
method save 
allow $1
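The rule on this slide only makes sense once you see how the back-reference is resolved: the certname presented by the client's certificate has to equal the capture group of the path. The following is an added example, not Puppet's own auth.conf implementation: a small evaluator for rules in that shape, with the report rule from the slide plus two constructed rules (a catalog rule and a hypothetical operator host ops.example.com), run against constructed requests.

```python
import re

# Constructed rules in the shape of auth.conf: a path (a regex when the
# slide's "path ~" form is used, otherwise a prefix), the indirector
# methods it covers, and an allow list where "$1" refers to the path's
# first capture group and "*" means everyone.
RULES = [
    # allow all nodes to store their own reports (the rule on the slide)
    {"path": r"^/report/([^/]+)$", "regex": True,
     "methods": {"save"}, "allow": ["$1"]},
    # a node may fetch only its own catalog (constructed)
    {"path": r"^/catalog/([^/]+)$", "regex": True,
     "methods": {"find"}, "allow": ["$1"]},
    # one operator host may read any node's facts (hypothetical host)
    {"path": "/facts", "regex": False,
     "methods": {"find", "search"}, "allow": ["ops.example.com"]},
]


def expand_allow(entries, groups):
    """Resolve an allow list; None means everyone ('*')."""
    allowed = []
    for entry in entries:
        if entry == "*":
            return None
        if entry.startswith("$"):
            idx = int(entry[1:]) - 1
            if 0 <= idx < len(groups):
                allowed.append(groups[idx])
        else:
            allowed.append(entry)
    return allowed


def authorize(certname, method, path, rules=RULES):
    """True if the first rule matching both path and method admits certname.

    Rules are tried top to bottom; a rule applies only if its path and its
    method match; a request that no rule admits is denied.
    """
    for rule in rules:
        if rule["regex"]:
            match = re.match(rule["path"], path)
            if not match:
                continue
            groups = match.groups()
        else:
            if not path.startswith(rule["path"]):
                continue
            groups = ()
        if method not in rule["methods"]:
            continue
        allowed = expand_allow(rule["allow"], groups)
        return allowed is None or certname in allowed
    return False


if __name__ == "__main__":
    # constructed requests: a node storing its own report, then another's
    print(authorize("node1.example.com", "save", "/report/node1.example.com"))
    print(authorize("node1.example.com", "save", "/report/node2.example.com"))
    print(authorize("node1.example.com", "find", "/facts/node2.example.com"))
```

The certname is whatever the master read from the client certificate's CN, so the whole scheme rests on the CA only ever signing one certificate per name.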
SSL-enabled curl example 
Use your certificates and discover the API: 
curl \
  --cert /var/lib/puppet/ssl/certs/host.pem \
  --key /var/lib/puppet/ssl/private_keys/host.pem \
  --cacert /var/lib/puppet/ssl/ca/ca_crt.pem \
  -k -H "Accept: yaml" \
  https://master:8140/production/facts/somehostname
DISTRIBUTED SETUP
Puppet Advanced* Training
Configuration for such a setup 
One CA is more than enough: 
[master] 
ca = false 
[agent] 
ca_server = ca.example.com 
Optionally, still experimental: DNS SRV records
Chain of trust 
Since 3.2.1 you can use intermediate CAs to delegate trust 
# http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html 
[agent] 
ssl_client_ca_auth = $certdir/issuer.pem 
Tell Apache about your chain: 
SSLCertificateChainFile "/path/to/ca_bundle.pem"
It could look like this 
          +------------------------+
          |  Root self-signed CA   |
          +------+----------+------+
                 |          |
         +-------+          +--------+
         |                           |
         v                           v
+-----------------+         +----------------+
|    Master CA    |         |    Agent CA    |
+--------+--------+         +--------+-------+
         |                           |
         v                           v
+-----------------+         +----------------+
| Master SSL Cert |         | Agent SSL Cert |
+-----------------+         +----------------+
SSL Professional? 
integrate it in your existing hierarchy 
use your own toolchain 
ship signed certificates (carefully)
SECURITY
Puppet and security issues 
Read Security Disclosures! 
https://puppetlabs.com/security/
Thank Heartbleed! 
docs.puppetlabs.com/trouble_remediate_heartbleed_overview.html 
docs.puppetlabs.com/latest/reference/ssl_regenerate_certificates.html
A specific security problem 
Very interesting and worth reading: CVE-2011-3872 
"In versions prior to 2.6.12 and 2.7.6, the Puppet CA will 
improperly insert any certdnsnames values into agent 
certificates as well as master certificates. This bug was 
introduced in Puppet 0.24.0." 
puppet master --configprint certdnsnames 
puppet, puppet.example.com
Study it! 
http://links.puppetlabs.com/cve20113872_remediation 
Have a look at the remediation toolkit 
And to be on the safe side, check your agent certs: 
openssl x509 -in test.example.com.pem -noout -text | \
  grep 'Subject Alt' -A 1 
X509v3 Subject Alternative Name: 
DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
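The grep above is fine for one certificate; for a whole fleet you want the same check as a function. The following is an added example (not the remediation toolkit and not Puppet code) that parses the text output of `openssl x509 -noout -text`, extracts the Subject Alternative Name entries and reports which of the master's certdnsnames (the "puppet, puppet.example.com" printed on the previous slide) an agent certificate carries. It generalises the grep slightly: `extra_alt_names` flags any SAN entry that is not the certificate's own CN. The certificate text is constructed for the example.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output (not a real
# certificate): an agent certificate signed by a CA affected by
# CVE-2011-3872, carrying the master's certdnsnames in its SAN.
AFFECTED_AGENT_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Issuer: CN=Puppet CA: master.example.com
        Validity
            Not Before: Oct  1 10:00:00 2014 GMT
            Not After : Oct  1 10:00:00 2019 GMT
        Subject: CN=test.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
"""

# Constructed clean agent certificate: SAN holds only its own name.
CLEAN_AGENT_CERT = AFFECTED_AGENT_CERT.replace(
    ", DNS:puppet, DNS:puppet.example.com", "")

# Value printed by `puppet master --configprint certdnsnames` on the slide.
MASTER_CERTDNSNAMES = ["puppet", "puppet.example.com"]


def subject_cn(cert_text):
    """Return the CN of the Subject line, or None if there is none."""
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", cert_text, re.M)
    return m.group(1).strip() if m else None


def san_dns_names(cert_text):
    """Return the DNS: entries of the Subject Alternative Name extension."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)",
                  cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def master_names_in_agent_cert(cert_text, certdnsnames=MASTER_CERTDNSNAMES):
    """Master certdnsnames that this agent certificate also carries.

    A non-empty result means the certificate is accepted under the master's
    names too; the agent has to be re-certified under a new CA.
    """
    own = {subject_cn(cert_text)}
    return sorted((set(san_dns_names(cert_text)) - own) & set(certdnsnames))


def extra_alt_names(cert_text):
    """Any SAN name other than the certificate's own CN."""
    own = subject_cn(cert_text)
    return sorted(n for n in san_dns_names(cert_text) if n != own)


if __name__ == "__main__":
    for name, text in (("affected", AFFECTED_AGENT_CERT),
                       ("clean", CLEAN_AGENT_CERT)):
        print(name, subject_cn(text), master_names_in_agent_cert(text))
```

Feed it the text of every file under the CA's signed directory; any certificate with a non-empty result is one the upgrade alone will not fix, which is exactly the warning on the next slide.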
WARNING 
"upgrading" doesn't fix a mess like this 
old certificates would remain valid 
you have to switch to a new CA... 
...and this leads us to the next topic
CA LIFECYCLE MANAGEMENT
Bad news 
Puppet should allow for automatic resigning of SSL certs 
http://projects.puppetlabs.com/issues/7272 
There is no such thing in Puppet 
"...will be available with Puppet Sites"
YOU ARE ON YOUR OWN
One way of replacing a CA 
stop all agents 
throw away their certificates 
create a new CA with a new name 
start your agents 
sign their new CSRs
CA... 
master: rm -rf $(puppet master --configprint ssldir) 
agents: rm -rf $(puppet agent --configprint ssldir) 
# default ca_name: "Puppet CA: <master certname>" 
CERTNAME=$(puppet master --configprint certname) 
TS=$(date +%Y-%m-%d) 
puppet cert --generate \
  --ca_name "Puppet CA: $CERTNAME <$TS>" $CERTNAME \
  --dns_alt_names puppet,puppet.example.com 
puppet cert --allow-dns-alt-names sign $CERTNAME
You could also 
get inspired by the remediation kits 
write your own SSH loop 
fix it with MCollective (carefully!) 
open new feature requests
Don't like trouble? 
Before generating your CA: 
[master] 
ca_ttl = 20y 
Leave your company in time 
NB: expiration > 2038-01-19 == bad idea
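The 2038 date is the last moment a signed 32-bit time_t can represent, so a CA whose notAfter lies beyond it is unreadable for anything still using 32-bit time. Before choosing a ca_ttl you can compute where it will land. The following is an added example, not Puppet's own TTL code: it assumes a ca_ttl value is a number with a unit suffix (y, d, h, m, s) and that a year counts as 365 days, and the generation date is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption about how a TTL such as "20y" is read (not Puppet's code):
# number plus unit, a year counted as 365 days, bare numbers are seconds.
UNIT_SECONDS = {"y": 365 * 24 * 3600, "d": 24 * 3600, "h": 3600,
                "m": 60, "s": 1}

# Last instant a signed 32-bit time_t can hold: the slide's 2038-01-19.
TIME_T_32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Constructed date on which the new CA is generated.
GENERATED_AT = datetime(2014, 10, 1, tzinfo=timezone.utc)


def parse_ttl(value):
    """Turn a ca_ttl value like '20y', '90d' or '3600' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([ydhms])?\s*", value)
    if not m:
        raise ValueError("unsupported ttl value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def ca_expiry(ca_ttl, generated_at=GENERATED_AT):
    """Expected notAfter of a CA generated at generated_at with this ca_ttl."""
    return generated_at + timedelta(seconds=parse_ttl(ca_ttl))


def outlives_32bit_time(ca_ttl, generated_at=GENERATED_AT):
    """True if the CA would still be valid past the 32-bit time_t limit."""
    return ca_expiry(ca_ttl, generated_at) > TIME_T_32_MAX


def max_safe_ttl_years(generated_at=GENERATED_AT):
    """Largest whole-year ca_ttl whose expiry stays at or before the limit."""
    years = 0
    while ca_expiry("%dy" % (years + 1), generated_at) <= TIME_T_32_MAX:
        years += 1
    return years


if __name__ == "__main__":
    for ttl in ("5y", "20y", "25y"):
        print(ttl, ca_expiry(ttl).date(), outlives_32bit_time(ttl))
    print("longest safe whole-year ca_ttl: %dy" % max_safe_ttl_years())
```

Run it with today's date before generating the CA; the slide's 20y is fine in 2014, but the same setting chosen a few years later is not.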
BTW: WE ARE HIRING ;-)
Thank you for your attention!
Questions? 
class puppetcamp {
  package { 'questions':
    ensure => answered
  }
}

More Related Content

What's hot

PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
Walter Heck
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CI
Andrey Karpov
 
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSHTame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
David Stockton
 
Going native with less coupling: Dependency Injection in C++
Going native with less coupling: Dependency Injection in C++Going native with less coupling: Dependency Injection in C++
Going native with less coupling: Dependency Injection in C++
Daniele Pallastrelli
 
Debian packaging
Debian packagingDebian packaging
Debian packaging
Dimitris Tsompanidis
 
Teaching Your WAF New Tricks
Teaching Your WAF New TricksTeaching Your WAF New Tricks
Teaching Your WAF New Tricks
Robert Rowley
 
Learning Puppet Chapter 1
Learning Puppet Chapter 1Learning Puppet Chapter 1
Learning Puppet Chapter 1
Vishal Biyani
 
Test Driven Development with Puppet - PuppetConf 2014
Test Driven Development with Puppet - PuppetConf 2014Test Driven Development with Puppet - PuppetConf 2014
Test Driven Development with Puppet - PuppetConf 2014
Puppet
 
Puppet for Java developers - JavaZone NO 2012
Puppet for Java developers - JavaZone NO 2012Puppet for Java developers - JavaZone NO 2012
Puppet for Java developers - JavaZone NO 2012
Carlos Sanchez
 
From Dev to DevOps - ApacheCON NA 2011
From Dev to DevOps - ApacheCON NA 2011From Dev to DevOps - ApacheCON NA 2011
From Dev to DevOps - ApacheCON NA 2011
Carlos Sanchez
 
From Dev to DevOps - Apache Barcamp Spain 2011
From Dev to DevOps - Apache Barcamp Spain 2011From Dev to DevOps - Apache Barcamp Spain 2011
From Dev to DevOps - Apache Barcamp Spain 2011
Carlos Sanchez
 
Lessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersLessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containers
Ben Hall
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
biicode
 
Aucklug slides - desktop tips and tricks
Aucklug slides - desktop tips and tricksAucklug slides - desktop tips and tricks
Aucklug slides - desktop tips and tricks
Glen Ogilvie
 
The $path to knowledge: What little it take to unit-test Perl.
The $path to knowledge: What little it take to unit-test Perl.The $path to knowledge: What little it take to unit-test Perl.
The $path to knowledge: What little it take to unit-test Perl.
Workhorse Computing
 
Learn Puppet : Quest Guide for the Learning VM
Learn Puppet : Quest Guide for the Learning VMLearn Puppet : Quest Guide for the Learning VM
Learn Puppet : Quest Guide for the Learning VM
Kumaran Balachandran
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
Ben Hall
 
Ungooglable
UngooglableUngooglable
Ungooglable
Elizabeth Leddy
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc  2015 HTTP 1, HTTP 2 and folksDevoxx Maroc  2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Nicolas Martignole
 

What's hot (20)

PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CI
 
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSHTame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
 
Going native with less coupling: Dependency Injection in C++
Going native with less coupling: Dependency Injection in C++Going native with less coupling: Dependency Injection in C++
Going native with less coupling: Dependency Injection in C++
 
Debian packaging
Debian packagingDebian packaging
Debian packaging
 
Teaching Your WAF New Tricks
Teaching Your WAF New TricksTeaching Your WAF New Tricks
Teaching Your WAF New Tricks
 
Learning Puppet Chapter 1
Learning Puppet Chapter 1Learning Puppet Chapter 1
Learning Puppet Chapter 1
 
Test Driven Development with Puppet - PuppetConf 2014
Test Driven Development with Puppet - PuppetConf 2014Test Driven Development with Puppet - PuppetConf 2014
Test Driven Development with Puppet - PuppetConf 2014
 
Puppet for Java developers - JavaZone NO 2012
Puppet for Java developers - JavaZone NO 2012Puppet for Java developers - JavaZone NO 2012
Puppet for Java developers - JavaZone NO 2012
 
From Dev to DevOps - ApacheCON NA 2011
From Dev to DevOps - ApacheCON NA 2011From Dev to DevOps - ApacheCON NA 2011
From Dev to DevOps - ApacheCON NA 2011
 
From Dev to DevOps - Apache Barcamp Spain 2011
From Dev to DevOps - Apache Barcamp Spain 2011From Dev to DevOps - Apache Barcamp Spain 2011
From Dev to DevOps - Apache Barcamp Spain 2011
 
Lessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersLessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containers
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
 
Aucklug slides - desktop tips and tricks
Aucklug slides - desktop tips and tricksAucklug slides - desktop tips and tricks
Aucklug slides - desktop tips and tricks
 
The $path to knowledge: What little it take to unit-test Perl.
The $path to knowledge: What little it take to unit-test Perl.The $path to knowledge: What little it take to unit-test Perl.
The $path to knowledge: What little it take to unit-test Perl.
 
Learn Puppet : Quest Guide for the Learning VM
Learn Puppet : Quest Guide for the Learning VMLearn Puppet : Quest Guide for the Learning VM
Learn Puppet : Quest Guide for the Learning VM
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
 
Ungooglable
UngooglableUngooglable
Ungooglable
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc  2015 HTTP 1, HTTP 2 and folksDevoxx Maroc  2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
 

Similar to Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained

PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
OlinData
 
Puppet Troubleshooting
Puppet TroubleshootingPuppet Troubleshooting
Puppet TroubleshootingPuppet
 
Troubleshooting Puppet
Troubleshooting PuppetTroubleshooting Puppet
Troubleshooting Puppet
Thomas Howard Uphill
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
Jos Boumans
 
Rapid scaling in_the_cloud_with_puppet
Rapid scaling in_the_cloud_with_puppetRapid scaling in_the_cloud_with_puppet
Rapid scaling in_the_cloud_with_puppetCarl Caum
 
PuppetConf 2015: Puppet API Roundup
PuppetConf 2015: Puppet API RoundupPuppetConf 2015: Puppet API Roundup
PuppetConf 2015: Puppet API Roundup
Jeremy Adams
 
Troubleshooting the Puppet Enterprise Stack
Troubleshooting the Puppet Enterprise StackTroubleshooting the Puppet Enterprise Stack
Troubleshooting the Puppet Enterprise Stack
Puppet
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Developing IT infrastructures with Puppet
Developing IT infrastructures with PuppetDeveloping IT infrastructures with Puppet
Developing IT infrastructures with Puppet
Alessandro Franceschi
 
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
Puppet
 
Building and Testing Puppet with Docker
Building and Testing Puppet with DockerBuilding and Testing Puppet with Docker
Building and Testing Puppet with Docker
carlaasouza
 
Installaling Puppet Master and Agent
Installaling Puppet Master and AgentInstallaling Puppet Master and Agent
Installaling Puppet Master and AgentRanjit Avasarala
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
Puppet: Eclipsecon ALM 2013
Puppet: Eclipsecon ALM 2013Puppet: Eclipsecon ALM 2013
Puppet: Eclipsecon ALM 2013
grim_radical
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
Alex Pop
 
Puppet and the HashiStack
Puppet and the HashiStackPuppet and the HashiStack
Puppet and the HashiStack
Bram Vogelaar
 
Test-Driven Puppet Development - PuppetConf 2014
Test-Driven Puppet Development - PuppetConf 2014Test-Driven Puppet Development - PuppetConf 2014
Test-Driven Puppet Development - PuppetConf 2014
Puppet
 
V mware
V mwareV mware
V mwaredvmug1
 

Similar to Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained (20)

PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
 
Puppet Troubleshooting
Puppet TroubleshootingPuppet Troubleshooting
Puppet Troubleshooting
 
Troubleshooting Puppet
Troubleshooting PuppetTroubleshooting Puppet
Troubleshooting Puppet
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
Rapid scaling in_the_cloud_with_puppet
Rapid scaling in_the_cloud_with_puppetRapid scaling in_the_cloud_with_puppet
Rapid scaling in_the_cloud_with_puppet
 
PuppetConf 2015: Puppet API Roundup
PuppetConf 2015: Puppet API RoundupPuppetConf 2015: Puppet API Roundup
PuppetConf 2015: Puppet API Roundup
 
Troubleshooting the Puppet Enterprise Stack
Troubleshooting the Puppet Enterprise StackTroubleshooting the Puppet Enterprise Stack
Troubleshooting the Puppet Enterprise Stack
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Developing IT infrastructures with Puppet
Developing IT infrastructures with PuppetDeveloping IT infrastructures with Puppet
Developing IT infrastructures with Puppet
 
Puppet
PuppetPuppet
Puppet
 
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
Building and Testing from Scratch a Puppet Environment with Docker - PuppetCo...
 
Building and Testing Puppet with Docker
Building and Testing Puppet with DockerBuilding and Testing Puppet with Docker
Building and Testing Puppet with Docker
 
Installaling Puppet Master and Agent
Installaling Puppet Master and AgentInstallaling Puppet Master and Agent
Installaling Puppet Master and Agent
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Puppet: Eclipsecon ALM 2013
Puppet: Eclipsecon ALM 2013Puppet: Eclipsecon ALM 2013
Puppet: Eclipsecon ALM 2013
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Puppet and the HashiStack
Puppet and the HashiStackPuppet and the HashiStack
Puppet and the HashiStack
 
Test-Driven Puppet Development - PuppetConf 2014
Test-Driven Puppet Development - PuppetConf 2014Test-Driven Puppet Development - PuppetConf 2014
Test-Driven Puppet Development - PuppetConf 2014
 
V mware
V mwareV mware
V mware
 

More from Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
Puppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
Puppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
Puppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
Puppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
Puppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
Puppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
Puppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
Puppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
Puppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
Puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
Puppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
Puppet
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
Puppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
Puppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
Puppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
Puppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
Puppet
 

More from Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained

  • 1. Puppet CA: Certificates explained Thomas Gelf - PuppetCamp Düsseldorf 2014
  • 2. Thomas Gelf, nice to meet you! joined NETWAYS in 2010 formerly more than ten years of... web (application) development routing/switching: bank/ISP backbones ISP: Mail, Hosting, SIP-Carrier, IPv6...
  • 3. Origins nationality: Italian mother tongue: German kind of. SOUTH TYROLEAN!!!
  • 4. Me and Puppet first Puppet steps with 0.24 talks, articles, blog posts trainer, consultant over-certified
  • 5. Me @ PuppetConf 2014 Had a great time, the conference was awesome! PuppetConf 2015 will be in Portland - see you there :)
  • 7. Netways and Puppet German Puppet Labs Training Partner Trainings Consulting Workshops
  • 9. What this talk is all about certificates puppet certificates REST API distributed environments security issues and their consequences certificate lifecyle
  • 10. WHY SHOULD I CARE?
  • 13. Public Key Infrastructure - PKI everybody has it's own private key signs or encrypts a message verification/decryption uses public key algorithms: RSA, DSA...
  • 15. X.509 describes how our Puppet PKI works https:// - you use it every day ITU-T standard defines a strict hierarchy a tree instead of a "web of trust" X509v3: allows extensions
  • 16. Certificate structure (distinguished) name serial number algorythm issuer validity: FROM - TO ...
  • 17. The distinguished name: DN just a string often a DNS name could also be "CA: puppet master" something you should care about!
  • 18. The revocation list allows to invalidate certificates does so based on serial numbers important if you "loose" certificates
  • 19. Filename extensions .csr: certificate signing request, Base64 -----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST----- .pem: a certificate, Base64 -----BEGIN CERTIFICATE----- Puppet uses .pem also for private keys: -----BEGIN RSA PRIVATE KEY-----
  • 21. Puppet certificates: archeology Want to see a fresh new Puppet CA? Try it out! mkdir /tmp/ssltest puppet master --no-daemonize --verbose --ssldir /tmp/ssltest --certname test.example.com
  • 22. Puppet certificates: archeology A fresh new Puppet CA!
  • 23. Puppet certificates: archeology ls -l /tmp/ssltest
  • 24. Same thing for the agent puppet agent --test --ssldir /tmp/sslagent --certname test.example.com
  • 25. We all know the basics puppet cert list puppet cert list --all puppet cert sign test.example.com puppet cert revoke test.example.com puppet cert clean test.example.com find ./ -name 'test.example.com*' --delete
  • 26. SSL directories puppet master --configprint ssldir puppet agent --configprint ssldir manual configuration makes sense think about user permissions ~/.puppet, /var/lib/puppet master and agent on the same host passenger VS debug (--no-daemonize)
  • 27. Let's dump a certificate openssl x509 -in testexample.com.pem -noout -text puppet cert print test.example.com
  • 28. Custom data in your certificates https://docs.puppetlabs.com/puppet/latest/reference /ssl_attributes_extensions.html /etc/puppet/csr_attributes.yaml custom attributes in your CSR
  • 30. Study security guidelines! Study security guidelines! Study security guidelines! STUDY SECURITY GUIDELINES! puppetlabs.com/mcollective/security-overview
  • 31. Get inspired by existing modules make sure you understood them or write your own ones re-use Puppet certificates read about trust and STUDY THE SECURITY GUIDELINES!
  • 33. It's a web application!
    <VirtualHost *:8140>
      SSLEngine on
      SSLProtocol ALL -SSLv2 -SSLv3
      SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+...
      SSLHonorCipherOrder on
      SSLCertificateFile $ssldir/certs/$fqdn.pem
      SSLCertificateKeyFile $ssldir/private_keys/$fqdn.pem
      SSLCertificateChainFile $ssldir/ca/ca_crt.pem
      SSLCACertificateFile $ssldir/ca/ca_crt.pem
      SSLCARevocationFile $ssldir/ca/ca_crl.pem
      SSLVerifyClient optional
      SSLVerifyDepth 1
      SSLOptions +StdEnvVars +ExportCertData
    </VirtualHost>
  • 34. The Rest API
    # http://docs.puppetlabs.com/guides/rest_api.html
    https://master:8140/{environment}/{resource}/{key}
    available on puppet master and on VERY ancient agents (listen=true)
  • 35. Puppet REST API URI examples
    GET /{environment}/catalog/{node certificate name}
    GET /{environment}/file_bucket_file/md5/{checksum}
    GET /{environment}/facts/{node certname}
  • 36. Permissions
    http://docs.puppetlabs.com/guides/rest_auth_conf.html
    # auth.conf
    # allow all nodes to store their own reports
    path ~ ^/report/([^/]+)$
    method save
    allow $1
  • 35. SSL-enabled curl example
    Use your certificates and discover the API:
    # -k skips verification of the master's certificate; once --cacert
    # points at the right ca_crt.pem you can drop it
    curl --cert /var/lib/puppet/ssl/certs/host.pem \
         --key /var/lib/puppet/ssl/private_keys/host.pem \
         --cacert /var/lib/puppet/ssl/ca/ca_crt.pem \
         -k -H "Accept: yaml" \
         https://master:8140/production/facts/somehostname
  • 40. Configuration for such a setup
    One CA is more than enough:
    [master]
    ca = false
    [agent]
    ca_server = ca.example.com
    Optionally, still experimental: DNS SRV records
  • 41. Chain of trust
    Since 3.2.1 you can use intermediate CAs to delegate trust
    # http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html
    [agent]
    ssl_client_ca_auth = $certdir/issuer.pem
    Tell Apache about your chain:
    SSLCertificateChainFile "/path/to/ca_bundle.pem"
  • 42. It could look like this
                 +------------------------+
                 |   Root self-signed CA  |
                 +------+----------+------+
                        |          |
             +----------+          +------------+
             |                                  |
             v                                  v
    +-----------------+                +----------------+
    |    Master CA    |                |    Agent CA    |
    +--------+--------+                +--------+-------+
             |                                  |
             v                                  v
    +-----------------+                +----------------+
    | Master SSL Cert |                | Agent SSL Cert |
    +-----------------+                +----------------+
  • 43. SSL Professional?
    integrate it in your existing hierarchy
    use your own toolchain
    ship signed certificates (carefully)
  • 45. Puppet and security issues
    Read Security Disclosures!
    https://puppetlabs.com/security/
  • 46. Thank Heartbleed!
    docs.puppetlabs.com/trouble_remediate_heartbleed_overview.html
    docs.puppetlabs.com/latest/reference/ssl_regenerate_certificates.html
  • 47. A specific security problem
    Very interesting and worth reading: CVE-2011-3872
    "In versions prior to 2.6.12 and 2.7.6, the Puppet CA will improperly insert any certdnsnames values into agent certificates as well as master certificates. This bug was introduced in Puppet 0.24.0."
    puppet master --configprint certdnsnames
    puppet, puppet.example.com
  • 48. Study it!
    http://links.puppetlabs.com/cve20113872_remediation
    Have a look at the remediation toolkit
    And to be on the safe side, check your agent certs:
    openssl x509 -in test.example.com.pem -noout -text | grep 'Subject Alt' -A 1
    X509v3 Subject Alternative Name:
        DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
  • 49. WARNING
    "upgrading" doesn't fix a mess like this
    old certificates would remain valid
    you have to switch to a new CA...
    ...and this leads us to the next topic
  • 51. Bad news
    Puppet should allow for automatic resigning of SSL certs
    http://projects.puppetlabs.com/issues/7272
    There is no such thing in Puppet
    "...will be available with Puppet Sites"
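The one-certificate check on slide 48, generalised to every certificate the CA has signed, as an added example that is not part of the slides. It assumes the Puppet 3 layout $ssldir/ca/signed/<certname>.pem and an openssl binary; the SAN parsing itself is plain sh, and the sample SAN line in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): report signed agent certificates whose
# Subject Alternative Name carries entries beyond the agent's own certname,
# the symptom CVE-2011-3872 leaves behind (master certdnsnames in agent certs).

# san_extras CERTNAME SAN_LINE
#   SAN_LINE is the value line printed below "X509v3 Subject Alternative Name:",
#   e.g. (constructed) "DNS:test.example.com, DNS:puppet, DNS:puppet.example.com".
#   Prints every entry that is not exactly DNS:CERTNAME (IP entries included).
san_extras() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | grep -vx -- "DNS:$1" || true
}

# check_cert PEMFILE -> 0 if the SAN is clean, 1 if it names other hosts
check_cert() {
    pem=$1
    certname=$(basename "$pem" .pem)
    # certificates without a SAN extension yield an empty line, i.e. clean
    san_line=$(openssl x509 -in "$pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    extras=$(san_extras "$certname" "$san_line")
    if [ -n "$extras" ]; then
        echo "SUSPECT $certname: $(printf '%s' "$extras" | tr '\n' ' ')"
        return 1
    fi
    echo "ok      $certname"
}

# check_all [SSLDIR] -> 1 if any signed certificate is suspect
# (assumes the Puppet 3 layout $ssldir/ca/signed/<certname>.pem)
check_all() {
    ssldir=${1:-$(puppet master --configprint ssldir)}
    rc=0
    for pem in "$ssldir"/ca/signed/*.pem; do
        [ -f "$pem" ] || continue
        check_cert "$pem" || rc=1
    done
    return $rc
}
```

Run check_all on the master (or on a copy of the signed directory); a non-zero exit means at least one agent certificate needs to be cleaned and reissued rather than merely upgraded.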
  • 52. YOU ARE ON YOUR OWN
  • 53. One way of replacing a CA
    stop all agents
    throw away their certificates
    create a new CA with a new name
    start your agents
    sign their new CSRs
  • 54. CA...
    master: rm -rf $(puppet master --configprint ssldir)
    agents: rm -rf $(puppet agent --configprint ssldir)
    # default ca_name: "Puppet CA: <master certname>"
    CERTNAME=$(puppet master --configprint certname)
    TS=$(date +%Y-%m-%d)
    puppet cert --generate --ca_name "Puppet CA: $CERTNAME <$TS>" \
        "$CERTNAME" --dns_alt_names puppet,puppet.example.com
    puppet cert --allow-dns-alt-names sign "$CERTNAME"
  • 55. You could also
    get inspired by the remediation kits
    write your own SSH loop
    fix it with MCollective (carefully!)
    open new feature requests
  • 56. Don't like trouble?
    Before generating your CA:
    [master]
    ca_ttl = 20y
    Leave your company in time
    NB: expiration > 2038-01-19 == bad idea
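An added example, not from the slides, that turns the 2038 rule of thumb into a check you can run before writing ca_ttl into puppet.conf. It assumes Puppet's duration syntax (plain seconds, or a number with a y, d, h, m or s suffix, y counting as 365 days) and compares the resulting notAfter against the largest 32-bit time_t, 2147483647 (2038-01-19T03:14:07Z).

```shell
#!/bin/sh
# Added example (not from the slides): does this ca_ttl push the CA's
# expiry past the 32-bit time_t rollover on 2038-01-19?

TIME_T_MAX=2147483647   # 2038-01-19T03:14:07Z

# ttl_to_seconds TTL -> prints the TTL in seconds; exit 1 on bad syntax
# (assumed Puppet syntax: seconds, or <n>y / <n>d / <n>h / <n>m / <n>s)
ttl_to_seconds() {
    ttl=$1
    num=${ttl%[ydhms]}      # strip one trailing unit letter, if any
    unit=${ttl#"$num"}
    case $num in
        ''|*[!0-9]*) echo "bad ttl: '$ttl'" >&2; return 1 ;;
    esac
    case $unit in
        y) mult=31536000 ;;  # 365 days, as Puppet counts a year
        d) mult=86400 ;;
        h) mult=3600 ;;
        m) mult=60 ;;
        *) mult=1 ;;         # 's' or no suffix
    esac
    echo $((num * mult))
}

# ca_expiry_ok START_EPOCH TTL -> 0 if a certificate issued at START_EPOCH
# with this TTL expires on or before TIME_T_MAX, 1 otherwise
ca_expiry_ok() {
    start=$1
    secs=$(ttl_to_seconds "$2") || return 1
    not_after=$((start + secs))
    if [ "$not_after" -gt "$TIME_T_MAX" ]; then
        echo "ca_ttl=$2 from epoch $start expires at $not_after," \
             "after 2038-01-19: pick a shorter ttl" >&2
        return 1
    fi
    echo "ca_ttl=$2 from epoch $start expires at $not_after: fine"
}

# Usage: check the value you are about to configure against today's date
ca_expiry_ok "$(date +%s)" "${CA_TTL:-20y}" || :
```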
  • 57. BTW: WE ARE HIRING ;-)
  • 58. Thank you for your attention!
  • 59. Questions?
    class puppetcamp {
      package { 'questions':
        ensure => answered
      }
    }