Closed pboguslawski closed 2 weeks ago
The generate_request command does what you want:
$ bundle exec puppet ssl generate_request --ssldir /tmp/testcsr --certname a.example.com --server puppet.example.com
Notice: Generated certificate request in '/tmp/testcsr/certificate_requests/a.example.com.pem'
$ tree /tmp/testcsr
/tmp/testcsr
├── certificate_requests
│ └── a.example.com.pem
├── certs
├── private
├── private_keys
│ └── a.example.com.pem
└── public_keys
5 directories, 2 files
$ file /tmp/testcsr/certificate_requests/a.example.com.pem
/tmp/testcsr/certificate_requests/a.example.com.pem: PEM certificate request
Don't see generate_request in puppet-agent 7.23.0-1 (Debian 12) nor in the newest manual. What puppet version supports it?
BTW: what is --server in your command for (issue is about generating CSR without access to server)?
Install puppet-agent packages from https://apt.puppet.com/. We're up to 7.31.0 https://www.puppet.com/docs/puppet/7/release_notes_puppet.html#release_notes_puppet_x-7-31-0
The --server command is just to demonstrate it doesn't require a network connection to generate the CSR, because it would fail to connect if it tried.
I filed https://github.com/puppetlabs/puppet-docs/issues/1159 to get the docs updated
Use Case
Would like to disable all unauthenticated puppetserver API backends and allow only puppet agents with valid client certs to connect, to disallow anonymous clients submitting CSRs (protection against flooding the requests dir and anonymous access to the API). CSR/CRT will be transferred over another trusted path between agent and puppetserver (i.e. ssh connection).
Describe the Solution You Would Like
Allow puppet ssl to generate the agent's private key and CSR and just save them in files (i.e. /var/lib/puppet/ssl/private_keys/myhost.mydomain.pem and /var/lib/puppet/ssl/certificate_requests/myhost.mydomain.pem) without sending the signing request to puppetserver. Maybe with a new action puppet ssl generate_request or a --no-submit switch in the puppet ssl bootstrap action. Now only the private key is saved on puppetserver communication error and the CSR is gone.
Describe Alternatives You've Considered
Manually generating CSR (and privkey optionally) with openssl on agent.
Additional Context
Don't like exposing unauthenticated API backends where not absolutely necessary.
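The alternative named in the issue (generating the key and CSR with openssl on the agent, then moving the CSR over a trusted path) as an added example; this is not code from the issue or from Puppet. It writes into the same private_keys/ and certificate_requests/ layout shown in the puppet ssl output above, keeps the key readable only by its owner, and includes the check the receiving side would run before passing the CSR to the CA: the CSR's self-signature verifies and its CN equals the expected certname. openssl in PATH, the ssldir path and the certname are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue or of Puppet. Assumes openssl is in PATH.
set -eu

# generate_offline_csr SSLDIR CERTNAME
# Creates SSLDIR/private_keys/CERTNAME.pem and SSLDIR/certificate_requests/CERTNAME.pem
# without contacting any server, and prints the CSR path.
generate_offline_csr() {
    ssldir=$1
    certname=$2
    umask 077   # the private key must never be created world- or group-readable
    mkdir -p "$ssldir/private_keys" "$ssldir/certificate_requests" "$ssldir/certs"
    key="$ssldir/private_keys/$certname.pem"
    csr="$ssldir/certificate_requests/$certname.pem"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    openssl req -new -key "$key" -subj "/CN=$certname" -out "$csr" 2>/dev/null
    chmod 0640 "$key"
    echo "$csr"
}

# verify_csr CSR EXPECTED_CERTNAME
# Run on the receiving side before the CSR is handed to the CA: the request must
# carry a valid self-signature (proof of possession of the key) and its CN must
# match the certname agreed out-of-band, so a CSR for a different name is rejected.
verify_csr() {
    csr=$1
    expected=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    cn=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p')
    [ "$cn" = "$expected" ]
}

# Usage on the agent (placeholder paths):
#   generate_offline_csr /var/lib/puppet/ssl myhost.mydomain
# Usage on the puppetserver after the CSR arrived over ssh:
#   verify_csr /path/to/received/myhost.mydomain.pem myhost.mydomain
```

The CN check is the part that matters once anonymous submission is disabled: with the API closed, the only thing binding a CSR to a host is the trusted channel it arrived on, so the name in the request is compared against what that channel vouched for rather than trusted as-is.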