November 2013
Read a book (Pro Puppet) and did some collected workshops
root@vhost1:~# echo "deb http://apt.puppetlabs.com wheezy main" > /etc/apt/sources.list.d/puppet.list
root@vhost1:~# apt-get update
root@vhost1:~# apt-get install -y --force-yes puppetlabs-release
root@vhost1:~# rm /etc/apt/sources.list.d/puppet.list
root@vhost1:~# apt-get update
Repeat, mutatis mutandis, on the Debian/Ubuntu clients; on CentOS the Puppet Labs release package comes from the yum repository:
-bash-4.1# sudo rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm
Put the FQDN in /etc/hosts:
<snip> 10.0.17.1 vhost1.xennet vhost1 <snip>
To be sure, both of the following should succeed (the short name and the FQDN must both resolve):
root@vhost1:~# hostname
vhost1
root@vhost1:~# hostname -f
vhost1.xennet
Only then install the packages on the master:
root@vhost1:~# apt-get install -y puppetmaster-passenger puppet-lint puppet-el
On Debian/Ubuntu:
root@vhost1:~# apt-get install -y puppet
On CentOS:
-bash-4.1# yum install -y puppet
On a client:
root@vhost2:~# puppet agent -t
There will be no certificate:
root@vhost3:~# puppet agent -t
Info: Creating a new SSL key for vhost3.xennet
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for vhost3.xennet
Info: Certificate Request fingerprint (SHA256): C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
Exiting; no certificate found and waitforcert is disabled
Likewise for the last client:
-bash-4.1# puppet agent -t
Now on the server (the master), certificate requests will be waiting to be signed. Sign them:
root@vhost1:~# puppet cert list
"vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
"vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
"vhost4.xennet" (SHA256) 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:78
root@vhost1:~# puppet cert sign vhost2.xennet
Notice: Signed certificate request for vhost2.xennet
Notice: Removing file Puppet::SSL::CertificateRequest vhost2.xennet at '/var/lib/puppet/ssl/ca/requests/vhost2.xennet.pem'
root@vhost1:~# puppet cert sign vhost3.xennet
root@vhost1:~# puppet cert sign vhost4.xennet
So puppet runs will succeed on the clients:
root@vhost2:~# puppet agent -t
Info: Caching certificate for vhost2.xennet
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for vhost2.xennet
Info: Applying configuration version '1384116519'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.04 seconds
See Learning Puppet — Basic Agent/Master Puppet for more about certificates.
According to Autosigning Client Certificates, to enable autosigning of certificates you can put a single '*' in /etc/puppet/autosign.conf:
*
And of course it says you shouldn't do that if you're concerned about security.
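The SHA256 fingerprint the agent prints for its request (vhost3 above) is the same value that appears in puppet cert list on the master, so comparing the two before signing is the check that a wildcard autosign.conf skips. The following is an added example, not part of the original notes: a POSIX sh helper that parses the puppet cert list format shown above, compares a pending request's fingerprint with the value obtained from the client, and only then calls puppet cert sign. The listing embedded in SAMPLE_CERT_LIST is a constructed copy of the output above for offline testing; verify_request and sign_if_verified are names chosen here.

```shell
#!/bin/sh
# Added example: sign a Puppet CSR only if its fingerprint matches the one
# the client reported out-of-band. Expects 'puppet cert list' lines of the form
#   "vhost2.xennet" (SHA256) 8A:49:...:EC

# Constructed sample of 'puppet cert list' output, for testing without a master.
SAMPLE_CERT_LIST='"vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
"vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB'

# pending_fingerprint LISTING NAME: print the fingerprint of NAME's pending
# request from LISTING, or nothing if there is no such request.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '$1 == name { print $3 }'
}

# verify_request LISTING NAME EXPECTED: return 0 only when a request for NAME
# is pending and its fingerprint equals EXPECTED (hex case ignored).
verify_request() {
    actual=$(pending_fingerprint "$1" "$2" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# sign_if_verified NAME EXPECTED: read the live listing from the master and
# sign NAME only on a fingerprint match; refuse otherwise.
sign_if_verified() {
    listing=$(puppet cert list) || return 1
    if verify_request "$listing" "$1" "$2"; then
        puppet cert sign "$1"
    else
        echo "no pending request for $1 with fingerprint $2; not signing" >&2
        return 1
    fi
}
```

Run as sign_if_verified vhost3.xennet C2:CD:...:CB on the master, with the fingerprint copied from the agent's own output.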