Hey folks,
I read it's possible to attach Puppet CA to the FreeIPA CA.
The only howtos out there were pretty dated; they either state super old
Puppetserver components (puppet server, which was abolished in like
3.x), CentOS 5, or even FreeIPA's inability to run more than one CA.
For the lack of any good/recent howto out there, here are my assumptions:
- I should create a CA for Puppet in FreeIPA. This can be trivially
  done via the GUI.
  Q: It would ask me for a DN on the CA. I would put the FQDN of the
  PuppetServer there?
- Create the puppetserver certificate on any node with admin rights:
    ipa service-add puppetmaster/$(hostname -f)
    ipa service-add puppet/$(hostname -f)
  Q: I found the puppet*/* descriptors in some ancient document. I am
  unsure if they are still needed or if they are the right ones
  for Puppet 6.x+.
  Q: How can I request a certificate from a specific CA?
- Then I found this tidbit:
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
yum --nogpgcheck --localinstall \
    http://passenger.stealthymonkeys.com/fedora/16/passenger-release.noarch.rpm
yum install mod_nss mod_passenger
ipa-client-install --password=secret
systemctl stop puppetmaster.service
# httpd/mod_nss certificate: certmonger-tracked, stored in the NSS database
ipa-getcert request -K puppetmaster/puppet.example.com \
    -d /etc/httpd/alias \
    -n puppetmaster/puppet.example.com
# puppet certificate: PEM key and cert files, DNS SAN set to the FQDN
ipa-getcert request -K puppet/puppet.example.com \
    -D puppet.example.com \
    -k /etc/puppet/ssl/private_keys/puppet.example.com.pem \
    -f /etc/puppet/ssl/public_keys/puppet.example.com.pem
mkdir -p /var/www/puppet/public
cp /usr/share/puppet/ext/rack/files/config.ru /var/www/puppet
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
(https://jca.pe/2012/01/16/using-the-freeipa-pki-with-puppet/) from 2012.
Those paths still check out. I would adapt those with the certificate I
got earlier.
Am I on the right track here?
-Chris.
--
Christian Reiss - email(a)christian-reiss.de
support(a)alpha-labs.net
WEB alpha-labs.net
ASCII Ribbon Campaign against HTML in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise Lost.
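Once certmonger has written the puppet key/cert pair from the quoted how-to, the thing to check before pointing the Puppet server at it is that the cert actually chains to the FreeIPA CA, names the server's FQDN, and matches the private key. The following check script is an added example, not code from the post or from FreeIPA/Puppet; it assumes openssl is installed, that the IPA CA chain sits in /etc/ipa/ca.crt (where ipa-client-install places it), and the file paths from the how-to above.

```shell
#!/bin/sh
# Added example (not from the post, FreeIPA or Puppet): sanity-check a
# certmonger-issued Puppet server certificate. Assumptions: openssl is on
# PATH, the FreeIPA CA chain is /etc/ipa/ca.crt, and cert/key live at the
# paths used in the quoted 2012 how-to.

# verify_puppet_cert CERT_PEM KEY_PEM CA_PEM FQDN
# Returns 0 when CERT_PEM chains to CA_PEM, its subject CN equals FQDN and
# KEY_PEM is the matching private key; returns 1 and prints why otherwise.
verify_puppet_cert() {
  cert=$1
  key=$2
  ca=$3
  fqdn=$4
  # 1. Chain: the cert must be issued under the CA we expect, not by a
  #    leftover self-signed Puppet CA from an earlier installation.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert does not chain to $ca" >&2
    return 1
  fi
  # 2. Identity: subject CN must be the server's FQDN (agents check it).
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$fqdn" ]; then
    echo "subject CN '$cn' is not '$fqdn'" >&2
    return 1
  fi
  # 3. Key pairing: the public key inside the cert must equal the public
  #    key derived from the private key file certmonger wrote.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "$key does not match $cert" >&2
    return 1
  fi
  return 0
}

# CLI use with the how-to's (assumed) paths:
#   ./check-puppet-cert.sh /etc/puppet/ssl/public_keys/puppet.example.com.pem \
#       /etc/puppet/ssl/private_keys/puppet.example.com.pem \
#       /etc/ipa/ca.crt "$(hostname -f)"
if [ $# -eq 4 ]; then
  verify_puppet_cert "$@"
fi
```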