Hey folks,
I read it's possible to attach the Puppet CA to the FreeIPA CA. The only howtos out there were pretty dated; they either state super old Puppetserver components (puppet server, which was abolished in like 3.x), CentOS 5, or even FreeIPA's inability to run more than one CA.
For lack of any good/recent howto out there, here are my assumptions:
- I should create a CA for Puppet in FreeIPA. This can be trivially done via the GUI.
Q: It would ask me for a DN on the CA. Would I put the FQDN of the Puppetserver there?
- Create the puppetserver certificate on any node with admin rights:
    ipa service-add puppetmaster/$(hostname -f)
    ipa service-add puppet/$(hostname -f)
Q: I found the puppet*/* descriptors in some ancient document. I am unsure if they are still needed or if they are the right ones for Puppet 6.x+.
Q: How can I request a certificate from a specific CA?
- Then I found this tidbit:
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
# Passenger repo and Apache modules for the (Puppet 2.x era) Rack front end
yum --nogpgcheck --localinstall http://passenger.stealthymonkeys.com/fedora/16/passenger-release.noarch.rpm
yum install mod_nss mod_passenger
ipa-client-install --password=secret
systemctl stop puppetmaster.service
# Apache-side certificate, stored in the mod_nss NSS database (-d dir, -n nickname)
ipa-getcert request -K puppetmaster/puppet.example.com -d /etc/httpd/alias -n puppetmaster/puppet.example.com
# Puppet-side certificate as PEM files (-k private key, -f issued certificate, -D DNS SAN)
ipa-getcert request -K puppet/puppet.example.com -D puppet.example.com -k /etc/puppet/ssl/private_keys/puppet.example.com.pem -f /etc/puppet/ssl/public_keys/puppet.example.com.pem
mkdir -p /var/www/puppet/public
cp /usr/share/puppet/ext/rack/files/config.ru /var/www/puppet
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
(https://jca.pe/2012/01/16/using-the-freeipa-pki-with-puppet/, from 2012)
Those paths still check out. I would adapt them with the certificate I got earlier.
Am I on the right track here?
-Chris.
freeipa-users@lists.fedorahosted.org
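An added example, not code from Chris's post or from the 2012 blog it quotes, that lays out the same flow in a Puppet 6 shape: the subject DN handed to `ipa ca-add` names the sub-CA itself (the host FQDN belongs in the service certificate, via `-K`/`-D`), certmonger requests the host certificate from that sub-CA, Puppetserver's built-in CA is switched off, and puppet.conf points at the certmonger-managed files. It goes a bit beyond the post in that it also checks the issued certificate the way a practitioner would before pointing agents at it (chains to the trust bundle, carries the FQDN as a DNS SAN), exercised here against a throwaway CA generated on the spot. Assumptions, all mine: the sub-CA name `puppetca` and its subject, the stock `caIPAserviceCert` profile, Puppet 6 default paths under `/etc/puppetlabs`, `/etc/ipa/ca.crt` as the trust bundle, and `puppet.example.com` as a constructed placeholder. The `-X` (issuing sub-CA) and `-T` (profile) options of `ipa-getcert request` exist in certmonger 0.79 and later; confirm with `getcert request --help` on your version. The IPA-side commands are printed, not executed, so the script runs on a box without FreeIPA.

```shell
#!/bin/sh
# Added example; not from the original post or the blog it quotes.
# Assumed/constructed values: sub-CA name, its subject DN, the FQDN, and
# Puppet 6 default paths. IPA-side commands are printed, never executed.

PUPPET_FQDN="${PUPPET_FQDN:-puppet.example.com}"   # constructed placeholder
SUBCA_NAME="${SUBCA_NAME:-puppetca}"                # assumed sub-CA name
SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"      # Puppet 6 default ssldir

# IPA side: create the lightweight sub-CA (DN names the CA, not the host),
# register the service, and let certmonger request the host cert from that
# sub-CA. -X selects the issuing IPA sub-CA, -T the IPA profile (certmonger
# 0.79+); -C restarts puppetserver whenever certmonger renews the cert.
ipa_side_commands() {
  cat <<EOF
ipa ca-add $SUBCA_NAME --subject "CN=Puppet CA,O=EXAMPLE.COM" --desc "Puppet sub-CA"
ipa service-add puppet/$PUPPET_FQDN
ipa-getcert request -K puppet/$PUPPET_FQDN -D $PUPPET_FQDN \\
  -X $SUBCA_NAME -T caIPAserviceCert \\
  -k $SSLDIR/private_keys/$PUPPET_FQDN.pem \\
  -f $SSLDIR/certs/$PUPPET_FQDN.pem \\
  -C "systemctl restart puppetserver"
EOF
}

# puppet.conf fragment: point Puppet at the certmonger-managed files. With a
# sub-CA the bundle agents trust must contain the sub-CA cert plus the IPA
# root; /etc/ipa/ca.crt (written by ipa-client-install) holds the root.
puppet_conf_fragment() {
  cat <<EOF
[main]
certname = $PUPPET_FQDN
ssldir = $SSLDIR
hostcert = $SSLDIR/certs/$PUPPET_FQDN.pem
hostprivkey = $SSLDIR/private_keys/$PUPPET_FQDN.pem
localcacert = /etc/ipa/ca.crt
hostcrl = $SSLDIR/crl.pem
EOF
}

# Puppetserver 6 external-CA setting: replace the CA service in
# /etc/puppetlabs/puppetserver/services.d/ca.cfg with the disabled service.
puppetserver_ca_cfg() {
  cat <<'EOF'
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service
EOF
}

# Pre-flight check on an issued cert: returns 1 if it does not chain to the
# bundle, 2 if the FQDN is missing from the DNS SANs (agents match SANs).
verify_puppet_cert() {
  cert="$1"; ca_bundle="$2"; fqdn="$3"
  openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep 'DNS:' | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$fqdn" || return 2
  return 0
}

# Self-test: build a throwaway CA and a host cert whose SAN is $1, then run
# the check against PUPPET_FQDN. Returns verify_puppet_cert's code.
demo_with_throwaway_ca() {
  san_name="$1"
  tmp=$(mktemp -d) || return 1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Throwaway Puppet CA\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$tmp/ca.cnf"
  openssl req -x509 -config "$tmp/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$san_name" > "$tmp/host.cnf"
  openssl req -new -config "$tmp/host.cnf" -newkey rsa:2048 -nodes \
    -keyout "$tmp/host.key" -out "$tmp/host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$san_name" > "$tmp/san.cnf"
  openssl x509 -req -days 1 -in "$tmp/host.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
    -CAcreateserial -extfile "$tmp/san.cnf" -out "$tmp/host.pem" 2>/dev/null
  verify_puppet_cert "$tmp/host.pem" "$tmp/ca.pem" "$PUPPET_FQDN"; rc=$?
  rm -rf "$tmp"
  return $rc
}

# Stand-alone use: `sh this.sh show` prints the fragments and self-tests.
if [ "${1:-}" = "show" ]; then
  ipa_side_commands; echo; puppet_conf_fragment; echo; puppetserver_ca_cfg
  command -v openssl >/dev/null 2>&1 && demo_with_throwaway_ca "$PUPPET_FQDN" && echo "self-test ok"
fi
```

The check function is the part worth keeping around: run it against the file certmonger writes to `-f` (with the sub-CA plus root as the bundle) before flipping ca.cfg, since a cert that chains but lacks the FQDN as a SAN is exactly what Puppet 6 agents reject.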