Featured Post

Directory environments in Puppet

Environments are individual groups of Puppet agents each environment have there own completely different manifests and module-paths. This basically is useful for testing changes to our Puppet code before implementing them on production machines. There are two types of implementation of environments structure in Puppet one if directory based and another is config file based here we will see bit of an insight about directory based. As usual for more information about this you can visit puppetlabs official website. On the master node: Append following details in puppet.conf which is placed under /etc/puppet or /etc/puppetlabs/puppet:     Under [main] section add a variable called confdir with value as /etc/puppet or /etc/puppetlabs/puppet     confdir=/etc/puppet Then add information regarding environments/manifests and modulepath in it.      #environments     environmentpath = $confdir/environments     default_manfiest = $confdir/manifests     basemodulepath =
Post a Comment

puppet cert???

*Cert sub-command in Puppet "puppet cert"*

It is a utility that manage certificates and requests related to it.

The main purpose of this utility are:
1. Generating certificates.
2. Signing certificate requests from puppet clients/agents.

As not a single client/agent can communicate with the puppet master with out a signed certificate this is the most important thing.

If in-case you want the revoke the certificate for the node you can use the option as clean this will remove all the information related to that particular host from the puppet cert's storage. Make sure you are revoking the correct certificate because it is nearly impossible to un-revoke the certificate but there is a other other way around[will discuss this is later part].

[root@puppet ~]# puppet cert clean rhel6.sunny.com
notice: Revoked certificate with serial 4
notice: Removing file Puppet::SSL::Certificate rhel6.sunny.com at '/var/lib/puppet/ssl/ca/signed/rhel6.sunny.com.pem'
notice: Removing file Puppet::SSL::Certificate rhel6.sunny.com at '/var/lib/puppet/ssl/certs/rhel6.sunny.com.pem'
[root@puppet ~]#
After revoking the certificate from the master's side now if you try to run puppet agent --test on the agent node it will throw you some error as "SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked".

If you want to see what all certificates are there in puppet master [signed and unsigned]. You can use the option list --all.

[root@puppet requests]# puppet cert list --all
  "rhel7.sunny.com"     (B9:45:D8:5E:7A:5A:1B:82:40:73:E7:72:BA:1A:57:30)
+ "fedora20"            (AE:57:40:F6:FC:E1:CD:DD:ED:EE:1E:8C:A7:81:0D:76)
+ "kubuntu14.sunny.com" (20:6B:A1:E2:A3:DE:B1:95:C8:80:4C:B4:27:2B:C0:A2)
+ "puppet.sunny.com"    (68:12:76:3C:D0:F8:0D:2D:8B:2B:40:E7:49:2D:55:5B) (alt names: "DNS:puppet", "DNS:puppet.sunny.com")
[root@puppet requests]#

The "+" sign in the prefix means that the certificate is signed.
The " " means the certificate is not signed yet.

For listing all the unsigned certificate requests you can use the option as list.

[root@puppet requests]# puppet cert list
  "rhel7.sunny.com" (B9:45:D8:5E:7A:5A:1B:82:40:73:E7:72:BA:1A:57:30)
[root@puppet requests]#

Now you want to sign the certificate request from "rhel7.sunny.com" so that this agent can communicate with the puppet master you can use the option --sign.

[root@puppet requests]# puppet cert --sign rhel7.sunny.com
notice: Signed certificate request for rhel7.sunny.com
notice: Removing file Puppet::SSL::CertificateRequest rhel6.sunny.com at '/var/lib/puppet/ssl/ca/requests/rhel6.sunny.com.pem'
[root@puppet requests]#

By using the option --print you can see the full text version of host's certificate.

[root@puppet requests]# puppet cert --print rhel6.sunny.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: puppet.sunny.com
        Validity
            Not Before: Sep  8 14:39:48 2014 GMT
            Not After : Sep  8 14:39:48 2019 GMT
        Subject: CN=rhel6.sunny.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a2:2d:f7:04:01:8c:4b:aa:77:99:2b:7e:e5:82:
                    e5:1f:cb:47:7a:e4:7b:53:71:aa:03:70:90:82:fc:
                    73:ff:ed:51:a1:e6:fc:60:9e:c7:19:e5:4a:6f:71:
                    39:eb:33:60:a2:30:93:06:56:e4:52:11:a9:51:48:
                    01:72:73:5f:a8:63:4f:22:90:c1:a3:96:70:d5:ef:
                    f9:95:7a:69:bc:47:6f:de:e0:d9:58:f1:25:85:ec:
                    27:82:b1:85:ef:10:e1:96:3a:97:62:24:d2:32:02:
.................
.................
[root@puppet requests]#

By using the option --fingerprint you can see DIGEST (defaults to md5) fingerprint of a host's certificate.

[root@puppet puppet]# puppet cert --fingerprint rhel6.sunny.com
rhel6.sunny.com 0C:D8:22:E4:6F:A4:AE:21:55:F9:93:06:34:6A:25:BE
[root@puppet puppet]#

Un-revoke the revoked certificate in Puppet

Comments

Post a Comment

Popular posts from this blog

Exec in Puppet

Exec is a very useful resource type present in Puppet which is used to executes external commands. Puppet basically runs as a daemon in which it executes every 30 mins. So while writing an exec resource type make sure that the exec resource must be able to run multiple times without causing any harm to the machine i.e. it must be idempotent. Suppose you just want to run a command like reload a service for that what you can do is? exec { "reload httpd": command => "service httpd reload", path => "/usr/local/bin/:/bin/:/sbin/", } Lets break this line by line: exec { "reload httpd": This specifies that the resource type is exec type and has a human readable name as "reload httpd". command => "service httpd reload", This specified which command to execute when puppet is executed. path => "/usr/local/bin/:/bin/:/sbin/", This specifies where the binary service can be found in your mac
Read more

Un-revoke the revoked certificate in Puppet

If you revoked or deleted the puppet agent’s certificate accidentally. Basically it is nearly impossible un-revoke a certificate. The solution is to recover all revoked certificates then revoke other certificates which don’t need to be recovered. But if in-case you have thousands of revoked certificates then its a bit lengthy process. Second one is to generate a new certificate for the client/agent and get that signed by the puppet master.  List of all the certificates which are signed at the moment:  [root@puppet requests]# puppet cert list --all + "fedora20"            (AE:57:40:F6:FC:E1:CD:DD:ED:EE:1E:8C:A7:81:0D:76) + "kubuntu14.sunny.com" (20:6B:A1:E2:A3:DE:B1:95:C8:80:4C:B4:27:2B:C0:A2) + "puppet.sunny.com"    (68:12:76:3C:D0:F8:0D:2D:8B:2B:40:E7:49:2D:55:5B) (alt names: "DNS:puppet", "DNS:puppet.sunny.com") + "rhel6.sunny.com"     (DC:6E:B1:FC:27:1D:7A:2A:85:E7:3E:3A:24:8B:64:D3) [root@puppet requests]# N
Read more

Dry run in Puppet --noop

 Dry run in puppet is a powerful feature given by puppet. This basically is used to test your Puppet manifests on any of the environment without actually making any changes to the machine. To dry-run Puppet, --noop flag needs to be used. Puppet’s ‘noop’ (no-operation) mode shows you what would happen, but actually doesn’t do anything :) This basically helps us for debugging stuff. For instance: [root@puppet manifests]# puppet apply site.pp --noop notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: current_value {md5}e81452ad78198a79772447b1f2b3b614, should be {md5}e2d690ebe349d93efa84146eb854c987 (noop) notice: Class[Sudo]: Would have triggered 'refresh' from 1 events notice: /Stage[main]/Ssh::Service/Service[sshd]/ensure: current_value stopped, should be running (noop) notice: Class[Ssh::Service]: Would have triggered 'refresh' from 1 events notice: Stage[main]: Would have triggered 'refresh' from 2 events notice: Finished catalog run in 2.75 seco
Read more