Issue #7244 has been updated by Andrew Forgue.
eric sorenson wrote:

> Escrow the client's private key centrally, deliver it at bootstrap time and
> not regenerate it upon re-kick

This is exactly what we do now. We have a sinatra application running on our puppet masters that handles the certificate signing, and we have a manual cURL step for clients to download their certificates out-of-band, put them in the right place, and *then* run puppet.

The reason is that we check that a host is supposed to be running puppet through various LDAP attributes and validate that the host requesting the private key is the actual host (through various methods, since we have a load balancer in front of the puppet masters).

Having the ability to control the autosign process would allow us, I think, to get rid of this extra service and handle this all in band with puppet so we can use the puppet cert commands, etc.

So... +1.

----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244#change-58449

Author: Matt Wise
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: Telly
Affected Puppet version:
Keywords: autosign csr ssl
Branch:

Puppet should allow for the autosign code to point to an external script, instead of the autosign.conf file itself, for approval in signing an end-client's cert. This method should allow the client to supply a unique bit of "auth" data that is passed to the exec script on the master, and validated. If it returns 0, sign the code. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet agent to the puppet ca master. The puppet ca master can then run "myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign the certificate. If not, puppet fails to sign the certificate.
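An added example of the external approver the feature request describes; it is not code from Puppet or from anyone in this thread. It assumes the master invokes the script with the requesting certname as its argument and the client-supplied token on stdin (how the token travels with the CSR is left open by the request, so that transport is an assumption), and the small inventory dict stands in for the LDAP lookup Andrew mentions. Tokens are bound to the certname with an HMAC so that one host's token cannot be replayed for another, and the exit code follows the request: 0 to sign, non-zero to refuse.

```python
#!/usr/bin/env python3
"""External autosign approver (example, not part of Puppet).

Assumed calling convention: approver.py <certname>  with the token on stdin.
Exit 0 => sign the certificate, exit 1 => refuse.
"""
import hashlib
import hmac
import sys

# Constructed stand-in for the LDAP attributes that say whether a host is
# supposed to be running puppet at all.
INVENTORY = {
    "web01.example.com": "puppet-managed",
    "db01.example.com": "puppet-managed",
    "lab01.example.com": "decommissioned",
}


def issue_token(secret: bytes, certname: str) -> str:
    """Token handed to a host at bootstrap: HMAC over its certname, so the
    token is only valid for that one hostname."""
    return hmac.new(secret, certname.encode("utf-8"), hashlib.sha256).hexdigest()


def host_is_managed(certname: str) -> bool:
    """The 'is this host supposed to run puppet' check from the thread,
    answered from the constructed inventory instead of LDAP."""
    return INVENTORY.get(certname) == "puppet-managed"


def approve(secret: bytes, certname: str, token: str) -> int:
    """Return the exit code the CA should act on: 0 sign, 1 refuse."""
    if not host_is_managed(certname):
        return 1
    expected = issue_token(secret, certname)
    # Constant-time comparison so the approver does not leak token bytes
    # through timing differences.
    if not hmac.compare_digest(expected, token):
        return 1
    return 0


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        sys.stderr.write("usage: approver.py <certname>  (token on stdin)\n")
        return 1
    # Assumption: the shared secret lives in a root-only file on the master.
    with open("/etc/puppet/autosign.secret", "rb") as fh:
        secret = fh.read().strip()
    token = sys.stdin.read().strip()
    return approve(secret, argv[1], token)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The secret only ever needs to be on the CA master and on whatever bootstraps hosts; the agent side just presents the token it was given. Any refusal is logged by the CA as an unsigned request, which is the signal to alert on when a token is presented for a hostname other than the one it was issued for.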
