Autosign Puppet certificates on AWS
Published 2017-06-30 at https://andrewwippler.com/2017/06/30/autosign-puppet-certificates-on-aws/

Let's face it, Puppet's certificate workflow is a pain and a huge administrative burden if done manually. Thankfully, Puppet provides several methods of auto-signing certificates. One of them is to craft a special certificate signing request (CSR) and have the master verify that the CSR is genuine before signing it.

On the puppet master

Apply the following code on your Puppet master. It sets up the autosign script that verifies each custom certificate signing request; when the CSR carries the expected challenge password, the Puppet master signs the certificate.

```puppet
# Keep Puppet Server running so the notify below can restart it.
service { 'puppetserver':
  ensure => running,
  enable => true,
}

# The autosign script must be executable by the puppet user.
# The master runs it as `/etc/puppetlabs/puppet/autosign.sh FQDN` and signs
# the certificate only when the script exits 0, i.e. when grep finds the
# shared secret in the decoded CSR.
file { '/etc/puppetlabs/puppet/autosign.sh':
  ensure  => file,
  mode    => '0750',
  owner   => 'puppet',
  group   => 'puppet',
  content => '#!/bin/bash
HOST=$1
openssl req -noout -text -in "/etc/puppetlabs/puppet/ssl/ca/requests/$HOST.pem" | grep -q pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa',
}

# Point the [master] autosign setting at the script and restart Puppet Server
# so the setting takes effect. Needs the puppetlabs-inifile module.
ini_setting { 'autosign nodes':
  ensure  => present,
  path    => '/etc/puppetlabs/puppet/puppet.conf',
  section => 'master',
  setting => 'autosign',
  value   => '/etc/puppetlabs/puppet/autosign.sh',
  notify  => Service['puppetserver'],
  require => File['/etc/puppetlabs/puppet/autosign.sh'],
}
```

On the agents

With the Puppet master ready, the agents must be set up to generate the custom certificate request. This is done by writing /etc/puppetlabs/puppet/csr_attributes.yaml with the following content before the agent runs for the first time; the two extension values are filled in from EC2 instance metadata by the shell script that writes the file (see Execution below):

```yaml
# The $(curl ...) values are shell command substitutions: they are expanded
# by the user-data script that writes this file (see Execution). Puppet does
# not expand them, so this YAML is not meant to be pasted in by hand.
custom_attributes:
  1.2.840.113549.1.9.7: pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa
extension_requests:
  pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
  pp_image_name:  $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
```

Note: the value under 1.2.840.113549.1.9.7 must match the string the autosign script greps for. This OID is the PKCS#9 challengePassword attribute of the CSR, which Puppet's csr_attributes.yaml reserves for exactly this kind of pre-shared secret.
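The autosign script above and the note about the matching challenge password can be tightened into a small policy script. The following is an added example, not the post's script, written in Python because Puppet Server accepts any executable as the autosign policy: it is invoked with the certname as its only argument and receives the CSR in PEM form on stdin, and exit status 0 means "sign". Instead of grepping for the secret anywhere in the decoded CSR, it extracts the challengePassword attribute and compares it exactly, checks that the pp_instance_id extension request carries an instance-id-shaped value (node-supplied, so a sanity check rather than proof of identity), and reads the secret from a file rather than the script body. The secret file path, the sample CSR dump and the instance and AMI ids are constructed for the example; the rendering of extension values by `openssl req -text` is an assumption, which is why the instance id is searched for rather than parsed positionally.

```python
#!/usr/bin/env python3
"""Policy-based autosign check for Puppet Server (added example).

Invoked by Puppet Server as `autosign.py <certname>` with the PEM CSR on
stdin. Exit 0 signs the certificate, anything else refuses it.
"""
import hmac
import re
import subprocess
import sys
from typing import Optional, Tuple

# Assumed location of the shared secret: one line, root/puppet readable only.
SECRET_FILE = "/etc/puppetlabs/puppet/autosign.secret"

# Puppet's registered OID for the pp_instance_id extension request.
PP_INSTANCE_ID_OID = "1.3.6.1.4.1.34380.1.1.2"

# The attribute line is anchored at line start; the value ends at whitespace,
# so the secret is only accepted as the challengePassword itself.
CHALLENGE_RE = re.compile(r"^\s*challengePassword\s*:\s*(\S+)\s*$", re.M)
INSTANCE_ID_RE = re.compile(r"\bi-[0-9a-f]{8,17}\b")


def decode_csr(pem: bytes) -> str:
    """Return the text dump of a PEM CSR, the same view the post's grep uses."""
    proc = subprocess.run(
        ["openssl", "req", "-noout", "-text"],
        input=pem, capture_output=True, check=True,
    )
    return proc.stdout.decode("utf-8", "replace")


def extract_instance_id(csr_text: str) -> Optional[str]:
    """Find the pp_instance_id OID and return the i-... token printed under it."""
    lines = csr_text.splitlines()
    for i, line in enumerate(lines):
        if PP_INSTANCE_ID_OID in line:
            # openssl prints the DER-encoded value on the following line(s);
            # the exact rendering varies, so look for an instance id there.
            window = " ".join(lines[i + 1:i + 3])
            m = INSTANCE_ID_RE.search(window)
            return m.group(0) if m else None
    return None


def evaluate(csr_text: str, secret: str) -> Tuple[bool, str]:
    """Decide whether the decoded CSR may be signed. Returns (allow, reason)."""
    m = CHALLENGE_RE.search(csr_text)
    if m is None:
        return False, "no challengePassword attribute"
    # Constant-time comparison of the presented password with the secret.
    if not hmac.compare_digest(m.group(1).encode(), secret.encode()):
        return False, "challengePassword mismatch"
    instance_id = extract_instance_id(csr_text)
    if instance_id is None:
        return False, "missing or malformed pp_instance_id"
    return True, f"ok (pp_instance_id={instance_id})"


# Constructed sample of `openssl req -noout -text` output for a CSR built
# from the post's csr_attributes.yaml; the instance id and AMI id are made up.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=aws-node_name-1498838786
        Attributes:
            challengePassword        :pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.2: 
                ..i-0123456789abcdef0
            1.3.6.1.4.1.34380.1.1.3: 
                ..ami-0fedcba9876543210
"""

# Constructed: the secret appears only in the subject name, not as the
# challengePassword. The post's unanchored grep would still sign this one.
SECRET_IN_CN_ONLY = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa
        Attributes:
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.2: 
                ..i-0123456789abcdef0
"""

SAMPLE_SECRET = "pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa"


def main() -> int:
    """Entry point used by Puppet Server: certname in argv[1], PEM on stdin."""
    certname = sys.argv[1] if len(sys.argv) > 1 else "<unknown>"
    with open(SECRET_FILE) as fh:
        secret = fh.read().strip()
    allow, reason = evaluate(decode_csr(sys.stdin.buffer.read()), secret)
    verdict = "ALLOW" if allow else "REFUSE"
    print(f"autosign {certname}: {verdict}: {reason}", file=sys.stderr)
    return 0 if allow else 1


if __name__ == "__main__":
    sys.exit(main())
```

To use it in place of autosign.sh, install it with the same ownership and mode (puppet:puppet, 0750), keep the secret file readable by the puppet user only, and point the `autosign` setting in the [master] section at the script. The stderr line ends up in the Puppet Server log, which gives an audit trail of every refused request and the reason.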

Execution

With everything in place, the way to run this successfully is to pass the script below as the user-data script when creating an EC2 instance:

```sh
#!/bin/sh
# EC2 user-data: write csr_attributes.yaml before the agent's first run.
# The heredoc delimiter is unquoted so the shell expands the $(curl ...)
# instance-metadata lookups while writing the file.
mkdir -p /etc/puppetlabs/puppet
cat > /etc/puppetlabs/puppet/csr_attributes.yaml << YAML
custom_attributes:
    1.2.840.113549.1.9.7: pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa
extension_requests:
    pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
    pp_image_name:  $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
YAML
```

An alternative method is to create a custom AMI (especially for auto-scaling groups). I use the Puppet code below to create my golden AMI.

```puppet
# Run the bootstrap script on every boot of an instance built from the AMI.
cron { 'run aws_cert at reboot':
  command => '/aws_cert.sh',
  user    => 'root',
  special => 'reboot',
  require => File['/aws_cert.sh'],
}

# Single-quoted Puppet string: $(...) and $CERTNAME are left for the shell,
# and \" passes through literally for the puppet apply -e expression.
file { '/aws_cert.sh':
  ensure  => file,
  mode    => '0755',
  content => '#!/bin/sh
mkdir -p /etc/puppetlabs/puppet
# Unquoted heredoc so the metadata lookups expand. The terminator must be
# exactly YAML with no trailing whitespace, or the heredoc never ends.
cat > /etc/puppetlabs/puppet/csr_attributes.yaml << YAML
custom_attributes:
  1.2.840.113549.1.9.7: pi0jzq9qmabtnTa8KfkBs2z5rQZ3vZsa
extension_requests:
  pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
  pp_image_name: $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
YAML

# Unique certname per boot so a fresh instance never collides with a
# certificate the master has already signed.
export CERTNAME="aws-node_name-`date +%s`"

# Needs the puppetlabs-inifile module on the image. The value is quoted
# because Puppet cannot parse a hyphenated bare word.
/opt/puppetlabs/bin/puppet apply -e "ini_setting { \"certname\":
  ensure  => present,
  path    => \"/etc/puppetlabs/puppet/puppet.conf\",
  section => \"main\",
  setting => \"certname\",
  value   => \"$CERTNAME\",
}"

# First agent run: submit the CSR and poll every 5 s for the signed cert.
/opt/puppetlabs/bin/puppet agent -t -w 5',
}
```
