voxpupuli / puppet-r10k

Setup and configure r10k for use with git based environments in puppet
https://forge.puppet.com/puppet/r10k
Apache License 2.0

(Feature) Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem #140

Open elyscape opened 9 years ago

elyscape commented 9 years ago

Currently, the webhook defaults to using the pe-internal-peadmin-mcollective-client SSL certificate. It would make more sense to generate an SSL cert specifically for the webhook.

acidprime commented 9 years ago

I totally agree on this one, adding this to the 4.0 milestone.

rnelson0 commented 8 years ago

In the meantime, the readme points to public_key_path => '/etc/mcollective/server_public.pem', # Mandatory for FOSS, which is not part of the puppet-agent FOSS package. There are a number of other pem files available; is a pair of these suitable to use instead?

[root@puppet ~]# find / -name *.pem
/opt/puppetlabs/puppet/ssl/cert.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/net-ssh-2.9.2/net-ssh-public_cert.pem
/etc/vmware-tools/GuestProxyData/server/key.pem
/etc/vmware-tools/GuestProxyData/server/cert.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/tls/cert.pem
/etc/puppetlabs/puppet/ssl/private_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/crl.pem
/etc/puppetlabs/puppet/ssl/public_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
/etc/puppetlabs/puppet/ssl/ca/signed/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
/etc/puppetlabs/puppet/ssl/ca/ca_key.pem
/etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
/etc/puppetlabs/puppetdb/ssl/private.pem
/etc/puppetlabs/puppetdb/ssl/ca.pem
/etc/puppetlabs/puppetdb/ssl/public.pem

rnelson0 commented 8 years ago

@acidprime @elyscape I was able to use the puppetdb private/public pair (it didn't like the master's public/private). If someone can point me at how to generate the pem files properly, I'd be glad to get started on this.

rnelson0 commented 8 years ago

For reference, the puppetdb package in a PC1 installation creates the pem files, so you can order it by adding this to your profile containing r10k:

Package['puppetdb'] -> Service[webhook]

kscherer commented 7 years ago

I was able to make the webhook (r10k 2.5.1 with module v4.0.2) work with FOSS (puppetserver 2.7.2) and the puppet certs using the following:

  class {'r10k::webhook::config':
    protected        => false,
    public_key_path  => "/etc/puppetlabs/puppet/ssl/ca/signed/${facts['fqdn']}.pem",
    private_key_path => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['fqdn']}.pem",
    notify           => Service['webhook'],
  }

I also set the webhook user to puppet, and it works once I changed the ownership of the cache and environment files.

Note: The puppetdb certs are owned by puppetdb with 0600 permissions and are not visible to the puppet user, so using the puppetdb certs will require running the webhook as the root user.
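As an added illustration of what the original request asks for (a certificate generated just for the webhook, instead of borrowing the mcollective or puppetdb pair), and of the permission caveat in the note above, the Ruby below generates a dedicated key/cert pair and then checks that the pair matches, is currently valid, names the right host and is not group/world readable. This is example code, not part of puppet-r10k or r10k; the output directory, file names and hostname are assumptions.

```ruby
require 'openssl'
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Generate a self-signed key/cert pair dedicated to the webhook.
# Hypothetical helper, not something puppet-r10k ships.
def generate_webhook_cert(dir, hostname, days: 365, bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                  # X.509 v3
  cert.serial     = SecureRandom.random_number(2**63) + 1
  name            = OpenSSL::X509::Name.new([['CN', hostname]])
  cert.subject    = name
  cert.issuer     = name                               # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))

  FileUtils.mkdir_p(dir, mode: 0o750)
  key_path  = File.join(dir, 'webhook_key.pem')        # assumed file names
  cert_path = File.join(dir, 'webhook_cert.pem')
  File.open(key_path,  'w', 0o600) { |f| f.write(key.to_pem) }   # private key: owner only
  File.open(cert_path, 'w', 0o644) { |f| f.write(cert.to_pem) }
  [key_path, cert_path]
end

# Sanity checks a deployer would want before pointing the webhook at the pair.
def check_webhook_cert(key_path, cert_path, hostname)
  key  = OpenSSL::PKey::RSA.new(File.read(key_path))
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  mode = File.stat(key_path).mode & 0o777
  {
    key_matches: cert.check_private_key(key),          # cert was issued for this key
    self_signed: cert.verify(cert.public_key),         # signature verifies with its own key
    valid_now:   cert.not_before <= Time.now && Time.now < cert.not_after,
    hostname_ok: OpenSSL::SSL.verify_certificate_identity(cert, hostname),
    key_private: (mode & 0o077).zero?                  # no group/world bits on the key
  }
end
```

Run as the same user the webhook service will use, so the resulting file ownership matches without needing root.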

alexjfisher commented 7 years ago

Sorry, I referenced this issue by mistake in one of my commits.