https://github.com/smortex/puppet-add-cli-auth-to-certificate

Update a Puppet certificate to make it suitable for CLI authentication
https://github.com/smortex/puppet-add-cli-auth-to-certificate

authentication certificate cli hacktoberfest puppet

Last synced: 16 days ago
JSON representation

Update a Puppet certificate to make it suitable for CLI authentication

• Host: GitHub
• URL: https://github.com/smortex/puppet-add-cli-auth-to-certificate
• Owner: smortex
• License: mit
• Created: 2018-09-26T16:49:58.000Z (over 6 years ago)
• Default Branch: main
• Last Pushed: 2024-06-18T18:14:56.000Z (11 months ago)
• Last Synced: 2025-04-23T02:53:02.072Z (16 days ago)
• Topics: authentication, certificate, cli, hacktoberfest, puppet
• Language: Ruby
• Homepage:
• Size: 4.88 KB
• Stars: 11
• Watchers: 4
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# puppet-add-cli-auth-to-certificate

Update a Puppet certificate to make it suitable for CLI authentication

## Context

Puppet 6.0.0 introduced a new way to authorize CLI requests by adding a *cli-auth* extension in the master's node certificate.  The `puppetserver ca` command use the node certificate to authenticate requests, and the default `puppetserver/conf.d/auth.conf` only allow certificates with the appropriate *cli-auth* extension to perform actions.

Users upgrading from a previous Puppet version, users who are not generating a new PKI and using their old PKI will not be able to use the `puppetserver ca` command out of the box.  They need to either adjust the `puppetserver/conf.d/auth.conf` configuration [to explicitly allow the nodes which should be able to access the proper API endpoints](https://puppet.com/docs/puppetserver/6.0/subcommands.html#available-actions) or add the *cli-auth* extension to their master mode certificate.

The first approach is simpler, but your local configuration will diverge from the default one.  For this reason, you might prefer to take the second approach.   This project is all about doing this easily.

Related links:

* [Backport CA CLI auth extension for master cert](https://tickets.puppetlabs.com/browse/SERVER-2323)

* [Update puppetserver's CA bootstrapping code to add CLI tool auth extension](https://tickets.puppetlabs.com/browse/SERVER-2308)

* [The master cert created by `generate` should have custom extensions for the `cert_status` endpoint auth](https://tickets.puppetlabs.com/browse/SERVER-2287)

* [Pull Request on GitHub](https://github.com/puppetlabs/puppetserver/pull/1790)

## Usage

On AIO nodes, the call sequence is as simple as:

```sh

/opt/puppetlabs/puppet/bin/ruby ./add-cli-auth-to-certificate /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem

```

If the `ssldir` is not the AIO default one, it's possible to explicitly provide the path to the ca certificate and key:

```sh

./add-cli-auth-to-certificate -k /var/puppet/ssl/ca/ca_key.pem -c /var/puppet/ssl/ca/ca_crt.pem /var/puppet/ssl/certs/$(hostname).pem

```