Automating Puppet Certificates Renewal
0 likes74 views
The document discusses automating the renewal of Puppet certificates, outlining steps for CA certificate renewal, the importance of managing agent certificates, and unique renewal tokens. It emphasizes the need for secure autosigning practices and provides scripts for adapting autosign functionality. Additionally, it covers integrating trusted facts for dynamic provisioning and the overall approach to managing Puppet certificates effectively.
![12/19www.camptocamp.com /
Cleaning certificats on CA
■ Required before new certificate
can be generated
■ Requires to tune the CA API in auth.conf
{
name: "Allow nodes to delete their own certificates",
match-request: {
path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$"
type: regex
method: [delete]
},
Allow: "$2",
sort-order: 500
}](https://image.slidesharecdn.com/puppetcertrenewalignite-200702083839/85/Automating-Puppet-Certificates-Renewal-12-320.jpg)
![13/19www.camptocamp.com /
Unique renewal tokens
■ Use hashed token incl. unchangeable trusted facts
■ Sample hashing function (compatible with Terraform's
base64sha256 builtin function)
■ Generate unique token per node in Puppet manifest:
Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args|
Digest::SHA256.base64digest(args[0])
end
# $psk is a secret parameter (e.g. from hiera)
# $certname comes from trusted facts
$token = base64_sha256("${psk}/${certname}")](https://image.slidesharecdn.com/puppetcertrenewalignite-200702083839/85/Automating-Puppet-Certificates-Renewal-13-320.jpg)
![14/19www.camptocamp.com /
Adapt autosign script
#!/usr/bin/env ruby
require 'openssl'
request = STDIN.read
csr = OpenSSL::X509::Request.new(request)
# Don't you love OpenSSL's nested values?
challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value
# Puppetmaster logs include exit code
exit 2 if challenge.nil?
certname = ARGV[0]
hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}")
if challenge == hash
exit 0
end
exit 1](https://image.slidesharecdn.com/puppetcertrenewalignite-200702083839/85/Automating-Puppet-Certificates-Renewal-14-320.jpg)
![15/19www.camptocamp.com /
Throw in certificate extensions
def get_ext(csr, name)
Puppet::SSL::Oids.register_puppet_oids
# Some more OpenSSL nested values
exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value
# Turtles all the way down
val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value
OpenSSL::ASN1.decode(val).value
end
pp_role = get_ext(csr, 'pp_role')
pp_environment = get_ext(csr, 'pp_environment')
hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}")
■ Lock token to specific trusted facts](https://image.slidesharecdn.com/puppetcertrenewalignite-200702083839/85/Automating-Puppet-Certificates-Renewal-15-320.jpg)
![16/19www.camptocamp.com /
Couple with trusted facts provisioning
$role = $::trusted['extensions']['pp_role']
include sprintf(
'::roles_c2c::%s', regsubst($role, '/', '::', 'G')
)
■ Dynamic provisioning (no server code added)
■ Safe because linked to certificate](https://image.slidesharecdn.com/puppetcertrenewalignite-200702083839/85/Automating-Puppet-Certificates-Renewal-16-320.jpg)
Automating Puppet Certificates Renewal
- 1. Automating Puppet Certificates Renewal Raphaël Pinson
- 2. 2/19www.camptocamp.com / Who am I? ■ Raphaël Pinson (@raphink) ○ Infrastructure Developer & Training Leader ○ Augeas & Augeasproviders developer ○ Various contributions to Puppet & Ecosystem
- 3. 3/19www.camptocamp.com / Camptocamp ■ Switzerland / France / Germany ■ Open-source development/integration expert ■ Puppet user and contributor since 2008 ■ Major contributor to the Puppet Forge
- 5. 5/19www.camptocamp.com / CA cert has expired
- 6. 6/19www.camptocamp.com / CA renewal options NEWCAKEY PAIR NEWCACERT FROMKEYPAIR AUTOMATECA CERTDEPLOYMENT AUTOMATEAGENT CERTDEPLOYMENT
- 8. 8/19www.camptocamp.com / puppetlabs/certgen ■ Install from Puppet Forge mod 'puppetlabs-certregen', '0.2.0' ■ Regenerate CA cert $ sudo puppet certregen ca ca_serial 01– ■ Deploy new CA cert (before it expires!) include certregen::client
- 9. 9/19www.camptocamp.com / How about agent certificates?
- 10. 10/19www.camptocamp.com / Certificate autosign ■ autosign.conf ○ Insecure by design ○ Don't use ■ Autosign policy ○ (possibly) secure autosigning ○ Use psk, unique tokens, etc. ○ See also danieldreier/puppet-autosign
- 11. 11/19www.camptocamp.com / The puppet_certificate type ■ Automate Puppet certificate generation ■ Manage with Puppet manifests
- 12. 12/19www.camptocamp.com / Cleaning certificats on CA ■ Required before new certificate can be generated ■ Requires to tune the CA API in auth.conf { name: "Allow nodes to delete their own certificates", match-request: { path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$" type: regex method: [delete] }, Allow: "$2", sort-order: 500 }
- 13. 13/19www.camptocamp.com / Unique renewal tokens ■ Use hashed token incl. unchangeable trusted facts ■ Sample hashing function (compatible with Terraform's base64sha256 builtin function) ■ Generate unique token per node in Puppet manifest: Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args| Digest::SHA256.base64digest(args[0]) end # $psk is a secret parameter (e.g. from hiera) # $certname comes from trusted facts $token = base64_sha256("${psk}/${certname}")
- 14. 14/19www.camptocamp.com / Adapt autosign script #!/usr/bin/env ruby require 'openssl' request = STDIN.read csr = OpenSSL::X509::Request.new(request) # Don't you love OpenSSL's nested values? challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value # Puppetmaster logs include exit code exit 2 if challenge.nil? certname = ARGV[0] hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}") if challenge == hash exit 0 end exit 1
- 15. 15/19www.camptocamp.com / Throw in certificate extensions def get_ext(csr, name) Puppet::SSL::Oids.register_puppet_oids # Some more OpenSSL nested values exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value # Turtles all the way down val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value OpenSSL::ASN1.decode(val).value end pp_role = get_ext(csr, 'pp_role') pp_environment = get_ext(csr, 'pp_environment') hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}") ■ Lock token to specific trusted facts
- 16. 16/19www.camptocamp.com / Couple with trusted facts provisioning $role = $::trusted['extensions']['pp_role'] include sprintf( '::roles_c2c::%s', regsubst($role, '/', '::', 'G') ) ■ Dynamic provisioning (no server code added) ■ Safe because linked to certificate
- 17. 17/19www.camptocamp.com / Put it all together! # csr_attributes.yaml --- custom_attributes: 1.2.840.113549.1.9.7: '$ {token}' # in common Puppet profile puppet_certificate { $certname: ensure => valid, waitforcert => 60, renewal_grace_period => 20, clean => true, }