On 24/04/16 04:46, Anthony Clark wrote:
TL;DR: what's the best way to grab an SSL cert and key during kickstart?
(this is all using CentOS 7.2 latest)
I'm using Foreman to manage my kickstart and Puppet services, and its built-in
FreeIPA client enrollment works just fine.
However I'd like to also request a certificate and key for a Puppet client to
use to authenticate to the Foreman-controlled Puppet server.
If I manually set up a puppet client then it works just fine. I use something
# ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name
# cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem
(then setting the correct paths and settings in /etc/puppet/puppet.conf)
I tried to make that work inside the Kickstart process, but as those commands
are running inside a kickstart chroot the certmonger service won't start.
Is there a better method to grab an SSL cert and key for the host during
kickstart? Or should I just wait until firstboot and perform the steps at that
Many Thanks and FreeIPA is really amazing!
TL;DR Set DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null in kickstart
chroot environment before calling "ipa-getcert request".
The issue is already addressed by BZ1134497. When getcert detects
there is no DBus it starts certmonger and communicates over a unix socket.
But in the Kickstart environment DBus is available but unusable (BZ1271551,
). It can be worked around by setting
DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null (it is described in Doc Text
You can also run ipa-client-install with --request-cert and it will also
request a certificate for the client. It also requires the workaround in
the Kickstart chroot environment. But unlike "ipa-getcert request -w" it
won't wait for the certificate to be issued and fetched.
The reason is that it can take days for a certificate to be issued (some
CAs require human approval), so ipa-client-install only submits the
request and doesn't wait for the certificate.
After the installation completes and the system is started, certmonger
periodically queries for the certificate and fetches it when available.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
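As an added example (not code from the thread, from FreeIPA, or from Foreman): a POSIX shell fragment for a kickstart %post (chroot) section that applies the DBUS_SYSTEM_BUS_ADDRESS workaround from the reply before calling ipa-getcert, and then checks that the certificate and private key it left behind actually belong together. The ipa-getcert flags (-w -r -f -k), the /var/lib/puppet/ssl paths and the /etc/ipa/ca.crt copy are taken from the question; the PUPPET_SSL, IPA_CA and GETCERT overrides, the function names and the openssl-based checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the thread above, not code from FreeIPA, Foreman or the
# original posters. Meant to be sourced from a kickstart %post (chroot) section.
#
# Assumptions (not from the thread): PUPPET_SSL, IPA_CA and GETCERT can be
# overridden so the logic can be exercised on a box without certmonger.
PUPPET_SSL=${PUPPET_SSL:-/var/lib/puppet/ssl}
IPA_CA=${IPA_CA:-/etc/ipa/ca.crt}
GETCERT=${GETCERT:-ipa-getcert}

# Request a certificate for the FQDN in $1 and block until it is issued.
request_puppet_cert() {
    host=$1
    cert="$PUPPET_SSL/certs/$host.pem"
    key="$PUPPET_SSL/private_keys/$host.pem"
    mkdir -p "$PUPPET_SSL/certs" "$PUPPET_SSL/private_keys" || return 1

    # In the kickstart chroot the system D-Bus socket exists but nothing
    # usable answers on it. Pointing getcert at /dev/null makes it behave as
    # if there were no bus at all: it starts its own certmonger and talks to
    # it over a unix socket (the workaround described in the reply above).
    DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null \
        "$GETCERT" request -w -r -f "$cert" -k "$key" || return 1

    # Puppet needs the issuing CA next to the client certificate.
    cp "$IPA_CA" "$PUPPET_SSL/certs/ca.pem"
}

# Sanity-check what request_puppet_cert left behind for the FQDN in $1:
# both files are readable, the certificate subject names the host, and the
# certificate was issued for the key that sits next to it.
check_puppet_cert() {
    host=$1
    cert="$PUPPET_SSL/certs/$host.pem"
    key="$PUPPET_SSL/private_keys/$host.pem"
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    case $subject in
        *"CN=$host"*) ;;
        *) echo "check_puppet_cert: unexpected subject '$subject'" >&2; return 1 ;;
    esac

    # Compare the SubjectPublicKeyInfo from both sides; a mismatch means the
    # key on disk is not the one the CA certified (stale key from an earlier
    # run, or a certificate copied from another host).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

In a Foreman kickstart template this would be called from %post as `request_puppet_cert <%= @host.name %> && check_puppet_cert <%= @host.name %>`, with puppet.conf pointed at the resulting files as in the question. Note the caveat from the reply: `-w` blocks the whole %post until the CA issues the certificate, so if your CA profile requires human approval this will stall the install; in that case use the `ipa-client-install --request-cert` route, which only submits the request and lets certmonger fetch the certificate after first boot, and move the check into a firstboot step.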