voxpupuli / puppet-r10k

Setup and configure r10k for use with git based environments in puppet

Home Page:https://forge.puppet.com/puppet/r10k


(Feature) Webhook should generate a new SSL certificate rather than reusing pe-internal-peadmin-mcollective-client.pem

elyscape opened this issue · comments

Currently, the webhook defaults to using the pe-internal-peadmin-mcollective-client SSL certificate. It would make more sense to generate an SSL cert specifically for the webhook.

I totally agree on this one, adding this to 4.0 milestone

In the meantime, the readme points to public_key_path => '/etc/mcollective/server_public.pem', # Mandatory for FOSS which is not part of the puppet-agent FOSS package. There are a number of other pem files available, is a pair of these suitable to use instead?

[root@puppet ~]# find / -name *.pem
/opt/puppetlabs/puppet/ssl/cert.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
/opt/puppetlabs/puppet/lib/ruby/2.1.0/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/net-ssh-2.9.2/net-ssh-public_cert.pem
/etc/vmware-tools/GuestProxyData/server/key.pem
/etc/vmware-tools/GuestProxyData/server/cert.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/tls/cert.pem
/etc/puppetlabs/puppet/ssl/private_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/crl.pem
/etc/puppetlabs/puppet/ssl/public_keys/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
/etc/puppetlabs/puppet/ssl/ca/signed/puppet.nelson.va.pem
/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
/etc/puppetlabs/puppet/ssl/ca/ca_key.pem
/etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
/etc/puppetlabs/puppetdb/ssl/private.pem
/etc/puppetlabs/puppetdb/ssl/ca.pem
/etc/puppetlabs/puppetdb/ssl/public.pem

@acidprime @elyscape I was able to use the puppetdb private/public pair (it didn't like the master's public/private). If someone can point me at how to generate the pem files properly, I'd be glad to get started on this.

For reference, the puppetdb package in PC1 installation creates the pem files, so you can order it by adding this to your profile containing r10k:

Package['puppetdb'] ->  Service[webhook]

I was able to make the webhook (r10k 2.5.1 with module v4.0.2) work with FOSS (puppetserver 2.7.2) and the puppet certs using the following:

  class {'r10k::webhook::config':
    protected        => false,
    public_key_path  => "/etc/puppetlabs/puppet/ssl/ca/signed/${facts['fqdn']}.pem",
    private_key_path => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['fqdn']}.pem",
    notify           => Service['webhook'],
  }

I also set the webhook user to puppet and it works once I changed the ownership of cache and environment files.

Note: The puppetdb certs are owned by puppetdb with 0600 permissions and are not visible to the puppet user, so using the puppetdb certs will require the webhook to run as the root user.
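The two comments above raise the same practical questions: how to generate a key/cert pair dedicated to the webhook instead of borrowing the master's, puppetdb's or mcollective's credentials, and why some of the pem files in the listing work as `public_key_path` while others do not. The following is an added example in Ruby (the language r10k and the webhook are written in); it is not code from puppet-r10k or from any of the commenters. It assumes a hypothetical helper set (`generate_webhook_credentials`, `pem_kind`, `key_matches_cert?`, `write_credentials`), constructed file names `webhook_key.pem` / `webhook_cert.pem`, and a made-up hostname. The relevant fact it encodes is that the webhook's TLS listener needs an X.509 certificate plus its private key: the files under `/etc/puppetlabs/puppet/ssl/public_keys/` are bare public keys (`BEGIN PUBLIC KEY`), while those under `certs/` and `ca/signed/` are certificates, which is why the `ca/signed/${fqdn}.pem` path in the working configuration is a certificate.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (added example, not part of puppet-r10k): create a
# dedicated RSA key and self-signed X.509 certificate for the webhook so it
# does not have to reuse credentials issued for another service.
# Returns [key_pem, cert_pem].
def generate_webhook_credentials(common_name, days: 365, bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509v3
  cert.serial     = OpenSSL::BN.rand(64)   # random serial, never reused
  name            = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.subject    = name
  cert.issuer     = name                   # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60          # small skew allowance
  cert.not_after  = cert.not_before + days * 86_400

  # Constrain the certificate to a TLS server role only.
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{common_name}", false))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key.to_pem, cert.to_pem]
end

# Classify a PEM blob the way the webhook's TLS layer sees it. Only a
# :certificate is usable as public_key_path; a bare :public_key (what
# puppet/ssl/public_keys/*.pem holds) is not.
def pem_kind(pem)
  case pem
  when /-----BEGIN CERTIFICATE-----/          then :certificate
  when /-----BEGIN (RSA )?PRIVATE KEY-----/   then :private_key
  when /-----BEGIN (RSA )?PUBLIC KEY-----/    then :public_key
  else :unknown
  end
end

# True only when the private key is the one the certificate was issued for,
# i.e. the pair configured as private_key_path / public_key_path belong together.
def key_matches_cert?(key_pem, cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.check_private_key(key)
end

# Write the pair with the same permission discipline the thread describes:
# the key is readable only by its owner, the certificate is world-readable.
# Ownership is left to the caller (chown to the webhook user needs root).
# Returns [key_path, cert_path].
def write_credentials(dir, key_pem, cert_pem)
  FileUtils.mkdir_p(dir, mode: 0o750)
  key_path  = File.join(dir, 'webhook_key.pem')   # constructed file name
  cert_path = File.join(dir, 'webhook_cert.pem')  # constructed file name
  File.open(key_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(key_pem) }
  File.chmod(0o600, key_path)                     # enforce even if the file pre-existed
  File.write(cert_path, cert_pem)
  File.chmod(0o644, cert_path)
  [key_path, cert_path]
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone demo with a made-up hostname, written to a temporary directory.
  key_pem, cert_pem = generate_webhook_credentials('puppet.example.test', days: 30)
  Dir.mktmpdir do |dir|
    key_path, cert_path = write_credentials(dir, key_pem, cert_pem)
    puts "#{key_path}: #{pem_kind(File.read(key_path))}"
    puts "#{cert_path}: #{pem_kind(File.read(cert_path))}"
    puts "key matches cert: #{key_matches_cert?(key_pem, cert_pem)}"
  end
end
```

Pointing `private_key_path` at the key file and `public_key_path` at the certificate file (both created by `write_credentials`) gives the webhook its own identity; the `pem_kind` check is a quick way to confirm that whatever path is configured is actually a certificate before restarting the service, and `key_matches_cert?` catches a key and certificate copied from two different services.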

Sorry, I referenced this issue by mistake in one of my commits.