Issue #7244 has been updated by Jeff McCune.

Patrick Hemmer wrote:
> Attached is a patch (against 3.1.0) which adds an `autosign_command` 
> parameter to the config. When this parameter is set, the specified external 
> command will be called when a certificate request comes in. The external 
> command receives the cert name as a command argument. The command must then 
> return 0 if the cert should be signed, or non-zero if it should not be signed.
> 
> I have also added a patch to bug #7243 which allows adding extra parameters 
> to the CSR.
> 
> This code is functional and in use in my own environment.
> 
> Note: An example of what is possible with this. I use it with autoscaled ec2 
> instances. The instance uses the patch on bug #7243 to add parameters to the 
> CSR. It adds the autosigning secret key to verify that the box is 
> legitimately mine, and the name of the puppet dashboard group the box should 
> be added to. My autosigning command then adds the server to the puppet 
> dashboard group. I can provide this script if anyone is interested.

Thanks for the patch; could you please submit this as a pull request following 
our [contributing 
guide](https://github.com/puppetlabs/puppet/blob/master/CONTRIBUTING.md)?

-Jeff
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244#change-83280

Author: Matt Wise
Status: Accepted
Priority: Normal
Assignee: eric sorenson
Category: SSL
Target version: 3.x
Affected Puppet version: 
Keywords: autosign csr ssl backlog
Branch: 


Puppet should allow for the autosign code to point to an external script, 
instead of the autosign.conf file itself, for approval in signing an end-client's 
cert. This method should allow the client to supply a unique bit of "auth" data 
that is passed to the exec script on the master, and validated. If it returns 0, 
sign the code. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet 
agent to the puppet ca master. The puppet ca master can then run 
"myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign 
the certificate. If not, puppet fails to sign the certificate.
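As an added illustration of the approver contract the ticket and the patch describe (certname and a client-supplied token handed to an external command, exit 0 to sign, non-zero to refuse), here is a hypothetical approver script. It is not Puppet's code and not the script Patrick mentions; the argument order (`<certname> <token>`), the `AUTOSIGN_SECRET_FILE` environment variable, the default secret path and the `example.internal` naming pattern are all assumptions made for the example. It goes one step beyond the ticket's raw "12345" token: the token is an HMAC of the certname under the shared secret, so a token copied from one host's CSR cannot be replayed to get a different certname signed, and the comparison is constant-time.

```python
#!/usr/bin/env python3
"""Hypothetical external autosign approver (added example, not Puppet's own code).

Assumed invocation by the CA when a CSR arrives:
    autosign_approver.py <certname> <token>
Exit status 0 means "sign", any non-zero status means "do not sign".
"""
import hashlib
import hmac
import os
import re
import sys

# Constructed policy: only hosts that follow the fleet naming scheme are
# eligible for auto-signing at all, whatever token they present.
ALLOWED_CERTNAME = re.compile(r"^(web|app|db)-[0-9a-f]{8}\.example\.internal$")


def expected_token(certname: str, secret: bytes) -> str:
    """Token the client is expected to present: HMAC-SHA256(secret, certname).

    Binding the token to the certname means a token lifted from one
    instance's CSR is useless for requesting a certificate under another name.
    """
    return hmac.new(secret, certname.encode("utf-8"), hashlib.sha256).hexdigest()


def should_sign(certname: str, token: str, secret: bytes,
                denylist: frozenset = frozenset()) -> bool:
    """Decide whether the CSR for `certname` may be auto-signed."""
    if not ALLOWED_CERTNAME.match(certname):
        return False                      # name outside the fleet scheme
    if certname in denylist:
        return False                      # explicitly blocked (e.g. decommissioned)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected_token(certname, secret), token)


def load_secret(path: str) -> bytes:
    """Read the shared secret from a root-only file (hypothetical path)."""
    with open(path, "rb") as fh:
        return fh.read().strip()


def main(argv: list) -> int:
    if len(argv) != 3:
        print("usage: autosign_approver.py <certname> <token>", file=sys.stderr)
        return 2
    certname, token = argv[1], argv[2]
    secret_path = os.environ.get("AUTOSIGN_SECRET_FILE", "/etc/puppet/autosign.secret")
    secret = load_secret(secret_path)
    decision = should_sign(certname, token, secret)
    # Log every decision to stderr so the CA's logs carry an audit trail of
    # who was auto-signed and who was refused.
    print(f"autosign {'APPROVE' if decision else 'REFUSE'} {certname}", file=sys.stderr)
    return 0 if decision else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The client side would compute the same HMAC over its own certname at boot and place it in the CSR (the extra-parameter mechanism from bug #7243); the secret itself never leaves the master, and a refused request shows up in the CA log with the certname that was tried.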