Jump to: navigation, search

Howto/Using FreeIPA CA for Puppet

Following/updating this (a bit outdated) blog post along with Puppet Labs' instructions on setting up Puppet with an external Certificate Authority.

Initial Setup

  1. Need three Fedora 19 machines: IPA Server (ipaserver.example.com), Puppet Master (puppetmaster.example.com), Puppet Agent (puppet.example.com).
  2. Set up the IPA Server on one machine (yum install freeipa-server; ipa-server-install). Be sure that the firewall is setup appropriately.
  3. Enrolled the other two machines as IPA clients(yum install freeipa-client; ipa-client-install). Be sure that the firewall is setup appropriately.
  4. On the IPA Server, or if one of the clients has freeipa-admintools installed:

    # create the puppet master service
    $ ipa service-add puppetmaster/puppetmaster.example.com
    # create the puppet agent service
    $ ipa service-add puppet/puppet.example.com

Puppet Master setup

On the machine for the Puppet Master:

  1. Installation:

    # install latest puppet-server
    # (yum install puppet-server is a couple minor versions behind)
    # version 3.2 fixes a CA bug that isn't in the yum repo
    $ rpm -ivh http://yum.puppetlabs.com/fedora/f19/products/i386/puppetlabs-release-19-2.noarch.rpm
    $ yum install -y http://yum.puppetlabs.com/fedora/f19/products/x86_64/puppet-server-3.2.4-1.fc19.noarch.rpm
    # stop the puppetmaster service since we'll be using apache
    $ service puppetmaster stop
    # install additional requirements
    $ yum install -y mod_nss mod_passenger
  2. Setting up the certificates:

    # now grab the certs for the master
    $ ipa-getcert request -K puppetmaster/puppetmaster.example.com 
                           -d /etc/httpd/alias 
                           -n puppetmaster/puppetmaster.example.com
    # identify where to put the public, private, and CA pem files for host:
    $ puppet master --configprint hostcert
    /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    $ puppet master --configprint hostprivkey
    /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    $ puppet master --configprint localcacert
    /var/lib/puppet/ssl/certs/ca.pem            
    # you may need to create the above directories      
    # grab the public key for host and place it in the appropriate directory
    $ certutil -L -d /etc/pki/nssdb 
               -a -n "IPA Machine Certificate - puppetmaster.example.com" > 
               /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    # if there's an error about the directory, set SELinux to permissive for the
    # certutil commands, then you can return it to enforce.
    # grab the private key for host and place it in the appropriate directory
    # if/when prompted for a password, this is the same admin password that you used to setup IPA
    $ certutil -K -d /etc/pki/nssdb -a
    $ pk12util -o keys.p12 
               -n "IPA Machine Certificate - puppetmaster.example.com"
               -d /etc/pki/nssdb
    $ openssl pkcs12 -in keys.p12 
                       -out /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem 
                       -nodes
    # export IPA's CA in the localcacert directory
    $ certutil -L -d /etc/pki/nssdb 
               -a -n "IPA CA" > /var/lib/puppet/ssl/certs/ca.pem
  3. Setup rack/passenger

    $ mkdir -p /var/www/puppet/public
    $ cp /usr/share/puppet/ext/rack/files/config.ru /var/www/puppet
  4. Setup the master configuration in /etc/puppet/puppet.conf by adding:

    [master]
        ca = false
        certificate_revocation = false
        certname = 'puppetmaster.example.com'
  5. Setup NSS in /etc/httpd/conf.d/nss.conf:

    LoadModule          nss_module modules/libmodnss.so
    AddType             application/x-x509-ca-cert .crt
    AddType             application/x-pkcs7-crl    .crl
    NSSPassPhraseDialog     builtin
    NSSPassPhraseHelper     /usr/sbin/nss_pcache
    NSSSessionCacheSize     10000
    NSSSessionCacheTimeout      100
    NSSSession3CacheTimeout     86400
    NSSRandomSeed           startup builtin
    NSSRenegotiation        off
    NSSRequireSafeNegotiation   off
    
    Listen 8140
    <VirtualHost _default_:8140>
        ServerName  puppetmaster.example.com
        ServerAdmin puppetmaster@example.com
    
        NSSEngine           on
        NSSCertificateDatabase  /etc/httpd/alias
        NSSNickname         "puppetmaster/puppetmaster.example.com"
        NSSOptions          +StdEnvVars
        NSSEnforceValidCerts        on
        NSSVerifyClient         require
        NSSProtocol         SSLv3,TLSv1
        NSSCipherSuite          +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN "/CN=%{SSL_CLIENT_S_DN_CN}e"
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    
        PassengerHighPerformance    on
        PassengerStatThrottleRate   120
        PassengerUseGlobalQueue     on
    
        RackAutoDetect  off
        RailsAutoDetect off
        RackBaseURI /
    
        DocumentRoot    /var/www/puppet/public
        <Directory /var/www/puppet>
            Options     None
            AllowOverride   None
            Order       allow,deny
            Allow       from all
        </Directory>
    </VirtualHost>
  6. Open up ports for puppet and restart Apache:

    $ firewall-cmd --add-port=8140/tcp
    $ service httpd restart

Puppet Agent setup

On the Puppet Agent:

  1. Installation:

    # install latest puppet (agent)
    # (yum install puppet-server is a couple minor versions behind)
    # version 3.2 fixes a CA bug that isn't in the yum repo
    $ rpm -ivh http://yum.puppetlabs.com/fedora/f19/products/i386/puppetlabs-release-19-2.noarch.rpm
    $ yum install -y http://yum.puppetlabs.com/fedora/f19/products/x86_64/puppet-3.2.4-1.fc19.noarch.rpm
  2. Setup certificates for the agent

    $ ipa-getcert request -K puppet/puppet.example.com
                           -D puppet.example.com
                           -k /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
                           -f /var/lib/puppet/ssl/certs/puppet.example.com.pem
  3. Setup the agent configuration in /etc/puppet/puppet.conf, by editing/adding the [agent] & [main] block:

    [main]
       # <--snip-->
       server = 'puppetmaster.example.com'
       certname = 'puppetmaster.example.com'
       # <--snip-->
    [agent]
       # <--snip-->
       certificate_revocation = false
       certname = 'puppet.example.com'
       # <--snip-->
  4. Test the entire setup in puppet agent:

    # open up port for Puppet
    $ firewall-cmd --add-port=8140/tcp
    # test to see if the setup works
    $ puppet agent --test
    # you'll probably get a catalog error if you have no catalogs
    # setup with your puppet master