A collection of task-oriented solutions in Puppet


Autosigning Client Certificates

Challenge

You want to autosign any new client certificate request that is sent to the puppet master. Be sure you understand the security this gives up.

Solution

# find the config directory (as root)
$ puppet config print --section master confdir
/etc/puppet/

# add a wildcard autosign
$ cat /etc/puppet/autosign.conf
*

Explanation

By adding a single * to the autosign.conf file you tell the puppet master to sign the first certificate request it sees for each client host. This allows machines to come up on build and immediately connect to puppet and begin their configuration. If you rebuild a machine, or do anything else that triggers a change in the client's certificate, the puppet master will not allow the new certificate to connect until the old one has been removed.

The location of the autosign.conf file can vary slightly between puppet packages and deployments, so it is often worth confirming its location on disk using the config print functionality:

puppet config print --section master confdir

This must be run as the same user puppet runs under to show the correct location.

To reiterate: having this option enabled may seem like a time saver, but the risk is that any machine able to reach the master can connect without authorisation and request your manifests and templates, which may contain privileged information such as passwords, certificates, shared keys and so on.
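A tighter alternative to the wildcard, as an added example that is not part of the original recipe: a policy-based autosign script, pointed to by autosign = /path/to/script in the [master] section of puppet.conf, which the puppet master runs with the certname as its argument and the CSR on stdin (exit 0 signs, anything else refuses). The allowed domain suffix, the pending-file path and the idea of a provisioning system pre-listing expected certnames are assumptions of this example.

```shell
#!/bin/sh
# Policy-based autosign script (added example, not from the original recipe).
# Puppet calls it as:  <script> <certname>   with the CSR PEM on stdin.
# Exit 0 = sign the request, non-zero = refuse it.  Enable it in puppet.conf:
#   [master]
#   autosign = /etc/puppet/autosign-policy.sh
#
# Unlike "*" in autosign.conf (every CSR is signed), a request is signed only if
#   1. the certname sits under an allowed domain and contains only safe chars, and
#   2. the certname was pre-listed in a pending file by the provisioning system;
#      the entry is consumed on first use, so a name can be signed only once.

PENDING_FILE="${AUTOSIGN_PENDING_FILE:-/etc/puppet/autosign-pending}"  # assumed path
ALLOWED_SUFFIX="${AUTOSIGN_ALLOWED_SUFFIX:-.build.example.com}"        # assumed domain

# 0 if $1 ends with ALLOWED_SUFFIX and is made only of [a-z0-9.-].
certname_allowed() {
    case "$1" in
        *[!a-z0-9.-]*|"$ALLOWED_SUFFIX"|*..*) return 1 ;;   # bad chars, bare suffix, ".."
        *"$ALLOWED_SUFFIX") return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if $1 is an exact line in the pending file; that line is then removed
# so a second request for the same certname is refused.
consume_pending() {
    [ -f "$PENDING_FILE" ] || return 1
    grep -qxF -- "$1" "$PENDING_FILE" || return 1
    tmp="$PENDING_FILE.tmp.$$"
    grep -vxF -- "$1" "$PENDING_FILE" > "$tmp" || :   # grep exits 1 when nothing is left
    mv "$tmp" "$PENDING_FILE"
}

# Combine both checks; log the decision to stderr (ends up in the master's log).
autosign_decision() {
    certname="$1"
    certname_allowed "$certname" || { echo "refuse $certname: outside $ALLOWED_SUFFIX" >&2; return 1; }
    consume_pending "$certname"  || { echo "refuse $certname: not pending" >&2; return 1; }
    echo "sign $certname" >&2
    return 0
}

# Entry point when invoked by the puppet master (no argument = just define functions).
if [ -n "$1" ]; then
    cat > /dev/null          # drain the CSR; this example does not inspect its contents
    autosign_decision "$1"
    exit $?
fi
```

The pending file is the real gate: the domain check alone would not stop an unauthorised host from simply claiming a name under the allowed suffix.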

See also