
Allow agent CSR saving to file #2544

Closed
pboguslawski opened this issue Jun 18, 2024 · 4 comments
Labels
enhancement New feature or enhancement

Comments

@pboguslawski

pboguslawski commented Jun 18, 2024

Use Case

Would like to disable all unauthenticated puppetserver API backends and allow only puppet agents with valid client certs to connect, to disallow anonymous clients from submitting CSRs (protection against flooding the requests dir and anonymous access to the API). CSR/CRT will be transferred over another trusted path between agent and puppetserver (i.e. an ssh connection).

Describe the Solution You Would Like

Allow puppet ssl to generate the agent's private key and CSR and just save them in files (i.e. /var/lib/puppet/ssl/private_keys/myhost.mydomain.pem and /var/lib/puppet/ssl/certificate_requests/myhost.mydomain.pem) without sending a signing request to puppetserver. Maybe with a new action puppet ssl generate_request or a --no-submit switch in the puppet ssl bootstrap action.

Now only the private key is saved on a puppetserver communication error and the CSR is gone.

Describe Alternatives You've Considered

Manually generating CSR (and privkey optionally) with openssl on agent.

Additional Context

Don't like exposing unauthenticated API backends where not absolutely necessary.

@pboguslawski pboguslawski added the enhancement New feature or enhancement label Jun 18, 2024
@joshcooper
Contributor

The generate_request command does what you want:

$ bundle exec puppet ssl generate_request --ssldir /tmp/testcsr --certname a.example.com --server puppet.example.com
Notice: Generated certificate request in '/tmp/testcsr/certificate_requests/a.example.com.pem'

$ tree /tmp/testcsr
/tmp/testcsr
├── certificate_requests
│   └── a.example.com.pem
├── certs
├── private
├── private_keys
│   └── a.example.com.pem
└── public_keys

5 directories, 2 files

$ file /tmp/testcsr/certificate_requests/a.example.com.pem
/tmp/testcsr/certificate_requests/a.example.com.pem: PEM certificate request
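Since the CSR generated this way is carried to the CA over a separate channel instead of being submitted and checked by puppetserver, it is worth verifying on the agent that the files in the ssldir belong together before copying them. The script below is an added example, not part of this issue or of puppet itself; it assumes openssl is on PATH and that SSLDIR and CERTNAME are passed as arguments (the same layout as shown in the tree output above).

```shell
#!/bin/sh
# Added example (not puppet's own code): sanity-check an agent CSR produced
# offline by `puppet ssl generate_request` before moving it to the CA host.
# Assumes openssl on PATH; SSLDIR and CERTNAME are caller-supplied arguments.
set -eu

# csr_matches_key SSLDIR CERTNAME
# Returns 0 when the CSR's public key is the one in the agent's private key,
# the CSR's self-signature verifies, and the subject CN equals CERTNAME.
# Otherwise prints the reason to stderr and returns 1.
csr_matches_key() {
    ssldir=$1; certname=$2
    key="$ssldir/private_keys/$certname.pem"
    csr="$ssldir/certificate_requests/$certname.pem"
    [ -r "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    [ -r "$csr" ] || { echo "missing CSR: $csr" >&2; return 1; }

    # Compare digests of the DER public keys (works for RSA and EC alike).
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    csr_pub=$(openssl req -in "$csr" -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$csr_pub" ] \
        || { echo "CSR public key does not match $key" >&2; return 1; }

    # The CSR must be internally consistent (signed by the key it carries).
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR self-signature invalid" >&2; return 1; }

    # The CN is what the CA will sign for, so it must equal the certname.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$certname" ] \
        || { echo "CSR CN '$cn' != certname '$certname'" >&2; return 1; }
    return 0
}

# Usage: ./check_csr.sh /tmp/testcsr a.example.com
if [ $# -eq 2 ]; then
    csr_matches_key "$1" "$2" && echo "CSR for $2 is consistent with its key"
fi
```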

@pboguslawski
Author

pboguslawski commented Jun 18, 2024

I don't see generate_request in puppet-agent 7.23.0-1 (Debian 12) or in the newest manual. What puppet version supports it?

BTW: what is --server in your command for (the issue is about generating a CSR without access to the server)?

@joshcooper
Contributor

Install puppet-agent packages from https://apt.puppet.com/. We're up to 7.31.0: https://www.puppet.com/docs/puppet/7/release_notes_puppet.html#release_notes_puppet_x-7-31-0

The --server command is just to demonstrate it doesn't require a network connection to generate the CSR, because it would fail to connect if it tried.

@joshcooper
Contributor

I filed puppetlabs/puppet-docs#1159 to get the docs updated.
