puppetlabs / puppet-agent

All of the directions for building a puppet agent package.

Allow agent CSR saving to file #2544

Closed pboguslawski closed 2 weeks ago

pboguslawski commented 2 weeks ago

Use Case

Would like to disable all unauthenticated puppetserver API backends and allow only puppet agents with valid client certs to connect, to disallow anonymous clients from submitting CSRs (protection against flooding the requests dir and anonymous access to the API). CSR/CRT will be transferred over another trusted path between agent and puppetserver (i.e. ssh connection).

Describe the Solution You Would Like

Allow puppet ssl to generate the agent's private key and CSR and just save them in files (i.e. /var/lib/puppet/ssl/private_keys/myhost.mydomain.pem and /var/lib/puppet/ssl/certificate_requests/myhost.mydomain.pem) without sending a signing request to puppetserver. Maybe with a new action puppet ssl generate_request or a --no-submit switch in the puppet ssl bootstrap action.

Now only the private key is saved on a puppetserver communication error and the CSR is gone.

Describe Alternatives You've Considered

Manually generating CSR (and privkey optionally) with openssl on agent.

Additional Context

Don't like exposing unauthenticated API backends where not absolutely necessary.

joshcooper commented 2 weeks ago

The generate_request command does what you want:

$ bundle exec puppet ssl generate_request --ssldir /tmp/testcsr --certname a.example.com --server puppet.example.com
Notice: Generated certificate request in '/tmp/testcsr/certificate_requests/a.example.com.pem'

$ tree /tmp/testcsr
/tmp/testcsr
├── certificate_requests
│   └── a.example.com.pem
├── certs
├── private
├── private_keys
│   └── a.example.com.pem
└── public_keys

5 directories, 2 files

$ file /tmp/testcsr/certificate_requests/a.example.com.pem
/tmp/testcsr/certificate_requests/a.example.com.pem: PEM certificate request
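
The agent-side, offline part of the workflow the issue asks for, as an added example (not code from the puppet-agent project or from either participant): it wraps the `puppet ssl generate_request` invocation shown above and then runs the checks an operator would want before copying the CSR over ssh to the CA, namely that the CSR's self-signature verifies, that its public key belongs to the private key left under `private_keys/`, and that the key file is not readable by others. It assumes the standard ssldir layout from the `tree` output above, that `puppet` and `openssl` are on PATH, and that `--server puppet.invalid` is, as in the demonstration above, never actually contacted; the helper names (`key_path`, `csr_path`, `valid_certname`, `generate_offline_csr`, `verify_csr_for_transfer`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of puppet-agent: offline key + CSR generation on the
# agent, followed by pre-transfer checks. Assumes the standard ssldir layout
#   <ssldir>/private_keys/<certname>.pem
#   <ssldir>/certificate_requests/<certname>.pem
# and that `puppet` and `openssl` are available. Moving the CSR to the CA and
# the signed cert back is left to the operator's trusted channel (scp/ssh).

key_path() {   # key_path SSLDIR CERTNAME -> path of the agent private key
    printf '%s/private_keys/%s.pem\n' "$1" "$2"
}

csr_path() {   # csr_path SSLDIR CERTNAME -> path of the generated CSR
    printf '%s/certificate_requests/%s.pem\n' "$1" "$2"
}

# Reject certnames that would escape the ssldir or break the file layout.
valid_certname() {
    case "$1" in
        ''|*/*|*' '*|*'..'*|.*) return 1 ;;
    esac
    return 0
}

# Generate key + CSR without contacting any server. --server is passed only as
# in the thread's demonstration: generate_request never opens a connection.
generate_offline_csr() {
    ssldir=$1; certname=$2
    valid_certname "$certname" || { echo "bad certname: $certname" >&2; return 1; }
    puppet ssl generate_request --ssldir "$ssldir" --certname "$certname" \
        --server puppet.invalid
}

# Checks to run before the CSR leaves the agent:
#  1. the CSR parses and its self-signature verifies,
#  2. the CSR's public key is the one belonging to the private key on disk,
#  3. the private key is not group/world readable.
verify_csr_for_transfer() {
    ssldir=$1; certname=$2
    key=$(key_path "$ssldir" "$certname")
    csr=$(csr_path "$ssldir" "$certname")
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify: $csr" >&2; return 1; }
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$csr_pub" = "$key_pub" ] \
        || { echo "CSR public key does not match $key" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; expect 0600 or 0400.
    case $(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key") in
        600|400) ;;
        *) echo "private key $key is readable by others" >&2; return 1 ;;
    esac
    echo "CSR subject: $(openssl req -in "$csr" -noout -subject)"
}

# Usage: sh offline_csr.sh SSLDIR CERTNAME   (nothing runs without arguments)
if [ "$#" -eq 2 ]; then
    generate_offline_csr "$1" "$2" && verify_csr_for_transfer "$1" "$2"
fi
```

Once `verify_csr_for_transfer` passes, only the file under `certificate_requests/` needs to travel to the CA; the private key never leaves the agent, which is the property that makes closing the unauthenticated CA endpoints workable.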

pboguslawski commented 2 weeks ago

Don't see generate_request in puppet-agent 7.23.0-1 (Debian 12) nor in the newest manual. What puppet version supports it?

BTW: what is --server in your command for (issue is about generating CSR without access to server)?

joshcooper commented 2 weeks ago

Install puppet-agent packages from https://apt.puppet.com/. We're up to 7.31.0 https://www.puppet.com/docs/puppet/7/release_notes_puppet.html#release_notes_puppet_x-7-31-0

The --server command is just to demonstrate it doesn't require a network connection to generate the CSR, because it would fail to connect if it tried.

joshcooper commented 2 weeks ago

I filed https://github.com/puppetlabs/puppet-docs/issues/1159 to get the docs updated