Issue #7272 has been updated by Matt Wise.
Trevor, For what its worth, I gave up on this a long time ago.. I'm not sure why but the Puppet team doesn't really see this as a priority as far as I can tell. Since valid-SSL certificates are of the utmost importance in my environments, we implemented our own system for this. On our puppet masters we run a little Python+Django based API that Apache provides access to only for clients with current and valid SSL certificates. At this API, a remote client can submit its CSR and ask for a new cert. If the CSR matches the current client certificate, and a few other sanity checks pass, the puppet master will sign and pass-back the certificate to the client. The client then restarts its Puppet agent, and all is happy. I've been using this model through two different companies now and it works pretty well. Our clients expire their certs every 30 days, so at around day 25 they start requesting a new cert. THis is not the ideal system because it requires that we maintain two different sets of SSL index files, and this additional WSGI process on the puppet master... but it does work for us pretty well. It of course also requires that the clients run a script regularly to check whether their SSL cert is about to expire, and request a new one at some threshold. ---------------------------------------- Feature #7272: Puppet should allow for *automatic resigning* of SSL certs https://projects.puppetlabs.com/issues/7272#change-63472 Author: Matt Wise Status: Accepted Priority: Normal Assignee: Category: SSL Target version: 3.x Affected Puppet version: Keywords: Branch: Since Puppet acts as an SSL 'factory' anyways, it should be a bit more full featured and offer a resigning capability to existing validated clients. In our environment we've cobbled together a system where the clients check regularly that their SSL cert is still valid. If its going to be not-valid within X days, they start checking in with a CGI script on the puppet ca master. When they connect, they supply their original CSR (found in /var/lib/puppet) and the CGI script handles some validation of that CSR, and then signs a new certificate with that data. This is a kludge that should be built into Puppet. I propose the following workflow.. 1) Puppet Agent runs... before even connecting to the server, it determines whether or not its SSL certificate is going to expire within XX days. If it is ... 2) Puppet agent supplies original CSR (thats still in /var/lib/puppet) to puppet ca server, and requests a resigning. If resigning is enabled on the puppet server ... 3) Puppet server resigns the cert, deletes the old cert and immediately invalidates its serial #. Server then passes the new Cert back to the client... 4) Client re-starts essentially with the new cert and begins its real puppet run. This functionality allows for Puppet certs to be extremely short-lived... you could actually let certs expire after as little as a day or two if you wanted, and Puppet would handle all of the resigning. Any client that 'doesnt check in' would simply have its cert expire, and would have to be fixed manually. (ps, i think its critical that the client resupplies the CSR to the server.. rather than the ca server looking for the original CSR. this allows for multiple puppet ca servers, which is pretty critical in large environments) (pps, the only reason we havnt finished our migration to a multi-ca-master environment is the CRL... ideally if i could tell each of my puppet masters about the others, they could all keep their CRLs in-sync with eachother) -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
