Extending the validity of a Puppet Master SSL CA certificate
Note: this article is still incomplete.
Without regenerating the certificates
- Method still to be tested: it extends the validity of the CA certificate
Renew Puppet CA cert.
Not the perfect idea, but should alleviate the need to re-sign every cert.
What you need from existing puppet ssl directory:
ca/ca_crt.pem
ca/ca_key.pem
Create an openssl.cnf:
[ca]
default_ca = CA_default # The default ca section
[CA_default]
database = ./index.txt # index file.
new_certs_dir = ./newcerts # new certs dir
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha1 # md to use
policy = CA_policy # default policy
email_in_dn = no # Don't add the email
name_opt = ca_default # SubjectName display option
cert_opt = ca_default # Certificate display option
x509_extensions = CA_extensions
[CA_policy]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[CA_extensions]
nsComment = "Puppet Cert: manual."
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
Create an empty index.txt file, and a new serial number 00
mkdir newcerts
touch index.txt
echo 00 > serial
Convert the existing certificate to a CSR and re-sign the certificate:
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf
Verify new cert vs. old cert:
openssl x509 -text -noout -in certs/ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: Apr 4 09:21:26 2011 GMT
Not After : Apr 2 09:21:26 2016 GMT
Subject: CN=Puppet CA: pe-master
openssl x509 -text -noout -in newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: May 22 19:08:44 2011 GMT
Not After : May 19 19:08:44 2021 GMT
Subject: CN=Puppet CA: pe-master
Make sure the new CA certificate still validates an existing agent certificate:
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem
ca/signed/pe-agent.pem: OK
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem
ca/signed/pe-agent.pem: OK
Replace the existing CA cert with the new cert:
cd /etc/puppetlabs/puppet/ssl
cp ca/ca_crt.pem{,.bak}
cp newcert.pem ca/ca_crt.pem
Remove the ca.pem cert on the agent, and it should fetch the new CA certificate:
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem
puppet agent -t --noop
info: Caching certificate for ca
...
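As an added example (not part of this page or of Puppet), the following script rehearses the method above on a throw-away CA and checks the properties that let existing agent certificates keep working: the renewed CA certificate keeps the same subject and the same public key (so its hash-based subjectKeyIdentifier is unchanged), and an agent certificate issued by the old CA still verifies against the new one. It uses the same openssl.cnf layout as above with two changes: default_md is sha256, because OpenSSL 3 no longer accepts SHA-1-signed certificates at its default security level, and -batch is passed to openssl ca so it runs without prompting; the CA and agent names are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): rehearse the "renew without re-signing"
# method on a throw-away CA and check what lets existing agent certs keep working.
# Same openssl.cnf layout as the page, but default_md = sha256 and -batch for openssl ca.
set -eu
renew_ca_check() (
    work=$(mktemp -d) && cd "$work"
    mkdir -p ca certs newcerts && touch index.txt && echo 00 > serial
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = Puppet CA: test-master
[ca]
default_ca = CA_default
[CA_default]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha256
policy = CA_policy
x509_extensions = CA_extensions
[CA_policy]
commonName = supplied
[CA_extensions]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
EOF
    # Constructed stand-ins: a 30-day CA and one agent certificate it signed.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca/ca_key.pem \
        -out ca/ca_crt.pem -days 30 -config openssl.cnf -extensions CA_extensions 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
        -subj "/CN=pe-agent" -config openssl.cnf 2>/dev/null
    openssl x509 -req -in agent.csr -CA ca/ca_crt.pem -CAkey ca/ca_key.pem \
        -CAcreateserial -days 30 -out certs/pe-agent.pem 2>/dev/null
    # The page's renewal: CA cert -> CSR -> re-issued by the same key for 10 years.
    openssl x509 -x509toreq -in ca/ca_crt.pem -signkey ca/ca_key.pem -out certreq.csr 2>/dev/null
    openssl ca -batch -notext -in certreq.csr -keyfile ca/ca_key.pem -days 3650 \
        -out newcert.pem -config ./openssl.cnf 2>/dev/null
    # Same subject, same public key (so the same hashed SKI), old agent cert still chains.
    [ "$(openssl x509 -noout -subject -in ca/ca_crt.pem)" = \
      "$(openssl x509 -noout -subject -in newcert.pem)" ] &&
    [ "$(openssl x509 -noout -pubkey -in ca/ca_crt.pem)" = \
      "$(openssl x509 -noout -pubkey -in newcert.pem)" ] &&
    openssl verify -CAfile newcert.pem certs/pe-agent.pem
)
renew_ca_check
```

The function exits non-zero if any of the three checks fails; on success the last line prints `certs/pe-agent.pem: OK`.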
With regeneration of all certificates
- This method forces the deletion and regeneration of all certificates on the clients
Regenerating the CA and the Puppet master certificate
- Remove all certificates on the puppet master (the old files are moved to a backup directory first):
sudo /etc/init.d/puppet stop
sudo mkdir -p /tmp/puppet-ssl-backup && sudo mv /var/lib/puppet/ssl/* /tmp/puppet-ssl-backup/
sudo rm -rf /var/lib/puppet/ssl/*
- Set the validity of all certificates (CA included)
sudoedit /etc/puppet/puppet.conf
[master]
ca_ttl = 20y
- Generate the new CA
sudo puppet cert list -a
Notice: Signed certificate request for ca.
- Generate the new certificate for the master:
sudo puppet master --no-daemonize --verbose
Notice: Starting Puppet master <your Puppet version>
Then stop it with CTRL + C.
- Start the puppet master, or restart apache if it runs under passenger
sudo /etc/init.d/apache2 restart
Installing the certificates in PuppetDB
- Copy the new certificates:
cd /etc/puppetdb/ssl
sudo cp /var/lib/puppet/ssl/certs/ca.pem ca.pem
sudo cp /var/lib/puppet/ssl/certs/puppet.example.priv.pem public.pem
sudo cp /var/lib/puppet/ssl/private_keys/puppet.example.priv.pem private.pem
sudo /etc/init.d/puppetdb stop
sudo /etc/init.d/puppetdb start
tail -f /var/log/puppetdb/puppetdb.log
Regenerating the certificates on the clients
- On the client servername.example.priv, regenerate the certificates:
sudo /etc/init.d/puppet stop
sudo mkdir -p /tmp/puppet-ssl-backup && sudo mv /var/lib/puppet/ssl/* /tmp/puppet-ssl-backup/
sudo rm -rf /var/lib/puppet/ssl/*
- On the server, sign the certificate:
sudo puppet cert sign servername.example.priv
- Or temporarily set on the master:
sudoedit /etc/puppet/puppet.conf
[master]
autosign = true
sudo /etc/init.d/apache2 restart