Issue #7244 has been updated by eric sorenson.

+1 for this, it'd be wonderful to have a hook (external script or a class to 
extend) to link autosigning into business logic.  The workflow I'm faced with 
is:

* new clients should not have to do anything special to get set up with a 
functional ssl cert
* re-imaged clients should not have to worry about downloading their previous 
incarnation's cert ("certificate does not match private key" error)

The original plan was to use a shared client cert but there are substantial 
problems with that. If we go with per-client certificates, the options are to 
pre-generate or otherwise escrow the client's private key centrally, deliver it 
at bootstrap time and not regenerate it upon re-kick; or permit autosigning but 
only to authorized clients, and hook into the autosigning to scrub pre-existing 
certs.
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244#change-57749

Author: Matt Wise
Status: Accepted
Priority: Normal
Assignee: 
Category: SSL
Target version: Telly
Affected Puppet version: 
Keywords: autosign csr ssl
Branch: 


Puppet should allow for the autosign code to point to an external script, 
instead of the autosign.conf file itself, for approval in signing an end 
client's cert. This method should allow the client to supply a unique bit of 
"auth" data that is passed to the exec script on the master, and validated. If 
it returns 0, sign the cert. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet 
agent to the puppet ca master. The puppet ca master can then run 
"myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign 
the certificate. If not, puppet fails to sign the certificate.
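Below is a sketch of the kind of external approver the request describes, written as a POSIX shell example added to this thread (it is not Puppet's code and not the reporter's). The master would run it with the client-supplied token and its exit status would decide whether the CSR is signed. The extra certname argument, the `certname token` allowlist file format, the `ALLOWLIST_FILE` variable and the single-use token behaviour are assumptions of this example, not part of the feature as requested; the allowlist contents are constructed so the script runs offline.

```shell
#!/bin/sh
# Hypothetical external autosign approver (example only; not Puppet code).
# The request's invocation is "myauthscript.sh -arg <token>"; this example
# also takes the requesting certname so that a token is bound to one host.
# Exit status 0 means "sign", anything else means "do not sign".

# Allowlist of "certname token" lines. On a real master this would be a file
# readable only by the CA process; here it is written to a temp path so the
# example is self-contained.
ALLOWLIST_FILE="${ALLOWLIST_FILE:-${TMPDIR:-/tmp}/autosign-allowlist.$$}"

log() {
  printf '%s autosign-approver: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >&2
}

# Constructed sample allowlist (two hosts, two tokens).
build_allowlist() {
  cat > "$ALLOWLIST_FILE" <<'EOF'
web01.example.com 12345
db01.example.com a7f3c9e1
EOF
}

# approve_csr CERTNAME TOKEN
# Returns 0 only when the exact "CERTNAME TOKEN" pair exists in the allowlist.
approve_csr() {
  certname=$1
  token=$2
  # Refuse empty values and anything outside a conservative character set
  # before the input reaches grep or the log.
  for v in "$certname" "$token"; do
    case "$v" in
      ''|*[!A-Za-z0-9._-]*) log "rejected malformed input"; return 1 ;;
    esac
  done
  # -F: fixed string (no regex metacharacters from the client), -x: whole
  # line must match, so a token for one host cannot approve another name.
  if grep -Fxq "$certname $token" "$ALLOWLIST_FILE"; then
    log "approved $certname"
    return 0
  fi
  log "denied $certname"
  return 1
}

# approve_and_consume CERTNAME TOKEN
# Same check, but a successful token is removed from the allowlist so a
# replayed CSR with the same token (for example from a stale image) is denied.
approve_and_consume() {
  approve_csr "$1" "$2" || return 1
  # grep -v exits 1 when nothing remains, which is fine here.
  grep -Fxv "$1 $2" "$ALLOWLIST_FILE" > "$ALLOWLIST_FILE.tmp" || true
  mv "$ALLOWLIST_FILE.tmp" "$ALLOWLIST_FILE"
  return 0
}

# Command-line form matching the request: myauthscript.sh -arg TOKEN [CERTNAME]
if [ "${1:-}" = "-arg" ]; then
  approve_and_consume "${3:-unknown}" "${2:-}"
  exit $?
fi
```

The usage note: wiring this up is outside what the request specifies, but the shape is that the CA invokes the script per CSR, the script never parses anything but the two values it was given, and the allowlist is the only state. Binding the token to a certname and consuming it on first use are the two checks a defender would want in such a hook, since a bare shared token would let any host that obtains it sign under any name.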
