Home » How can I pre-sign puppet certificates?

How can I pre-sign puppet certificates?


On the server (puppetmaster) run:

puppetca --generate <NAME>

Then copy the following from the server onto the client:


If you wish to sign <NAME> as something other than the hostname use:

puppetd --fqdn=<NAME>

And add to /etc/puppet/puppet.conf if running the daemon


If you have a host database, you can use the autosign feature. In your puppet.conf file, in the [puppetmasterd], add:

autosign = /path/to/autosign.conf

Then use a crontab to generate this file. The autosign file is just a list of hosts to autosign when they first connect to the puppetmaster. I use LDAP to configure my puppet hosts, so my cron looks like:

* * * * * root /usr/bin/ldapsearch -x '(objectClass=puppetClient)' cn | /bin/grep ^cn | /bin/sed 's!^cn: !!' > /etc/puppet/autosign.conf

I’m sure people who use iClassify would be able to write a query to do the same.

Of course, you need to have some trust in the network. I use this on EC2. My puppetmaster server is in a group that only allows connections from other trusted groups. I wouldn’t recommend doing this if your puppetmaster is open to the internet.

Simple answer: automatically sign new requests. This of course is dangerous because you’re blindly trusting any system that connects to your puppetmaster, which is the purpose for requiring manual signing.

autosign = true

You can specify false and a file to use to determine which keys to sign, too.

See the configuration reference on the Puppet wiki.

Another option is to use a tool like Capistrano, where you specify the puppetmaster node and create the client instance nodes, and in the task:

  • Create the instance node, say with EC2’s API with Ruby.
  • Run puppetd on the instance, connecting to the server.
  • Run puppetca –sign for the instance’s request (since we know the instance name as it was given in the creation bit above).
  • Run puppetd again on the instance, this time successfully connecting as the certificate is signed.

Related Solutions

Custom query with Castle ActiveRecord

In this case what you want is HqlBasedQuery. Your query will be a projection, so what you'll get back will be an ArrayList of tuples containing the results (the content of each element of the ArrayList will depend on the query, but for more than one value will...

What is the “You have new mail” message in Linux/UNIX?

Where is this mail? It's likely to be in the spool file: /var/mail/$USER or /var/spool/mail/$USER are the most common locations on Linux and BSD. (Other locations are possible – check if $MAIL is set – but by default, the system only informs you about...

How can I find the implementations of Linux kernel system calls?

System calls aren't handled like regular function calls. It takes special code to make the transition from user space to kernel space, basically a bit of inline assembly code injected into your program at the call site. The kernel side code that "catches" the...

Is a composite index also good for queries on the first field?

It certainly is. We discussed that in great detail under this related question: Working of indexes in PostgreSQL Space is allocated in multiples of MAXALIGN, which is typically 8 bytes on a 64-bit OS or (much less common) 4 bytes on a 32-bit OS. If you are not...

Explaining computational complexity theory

Hoooo, doctoral comp flashback. Okay, here goes. We start with the idea of a decision problem, a problem for which an algorithm can always answer "yes" or "no." We also need the idea of two models of computer (Turing machine, really): deterministic and...

Building a multi-level menu for umbraco

First off, no need pass the a parent parameter around. The context will transport this information. Here is the XSL stylesheet that should solve your problem: <!-- update this variable on how deep your menu should be --> <xsl:variable...

How to generate a random string?

My favorite way to do it is by using /dev/urandom together with tr to delete unwanted characters. For instance, to get only digits and letters: tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '' Alternatively, to include more characters from the OWASP...

How to copy a file from a remote server to a local machine?

The syntax for scp is: If you are on the computer from which you want to send file to a remote computer: scp /file/to/send username@remote:/where/to/put Here the remote can be a FQDN or an IP address. On the other hand if you are on the computer wanting to...

What is the difference between curl and wget?

The main differences are: wget's major strong side compared to curl is its ability to download recursively. wget is command line only. There's no lib or anything, but curl's features are powered by libcurl. curl supports FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP,...

Using ‘sed’ to find and replace [duplicate]

sed is the stream editor, in that you can use | (pipe) to send standard streams (STDIN and STDOUT specifically) through sed and alter them programmatically on the fly, making it a handy tool in the Unix philosophy tradition; but can edit files directly, too,...

How do I loop through only directories in bash?

You can specify a slash at the end to match only directories: for d in */ ; do echo "$d" done If you want to exclude symlinks, use a test to continue the loop if the current entry is a link. You need to remove the trailing slash from the name in order for -L to...

How to clear journalctl

The self maintenance method is to vacuum the logs by size or time. Retain only the past two days: journalctl --vacuum-time=2d Retain only the past 500 MB: journalctl --vacuum-size=500M man journalctl for more information. You don't typically clear the journal...

How can I run a command which will survive terminal close?

One of the following 2 should work: $ nohup redshift & or $ redshift & $ disown See the following for a bit more information on how this works: man nohup help disown Difference between nohup, disown and & (be sure to read the comments too) If your...

Get exit status of process that’s piped to another

bash and zsh have an array variable that holds the exit status of each element (command) of the last pipeline executed by the shell. If you are using bash, the array is called PIPESTATUS (case matters!) and the array indicies start at zero: $ false | true $...

Execute vs Read bit. How do directory permissions in Linux work?

When applying permissions to directories on Linux, the permission bits have different meanings than on regular files. The read bit (r) allows the affected user to list the files within the directory The write bit (w) allows the affected user to create, rename,...

What are the pros and cons of Vim and Emacs? [closed]

I use both, although if I had to choose one, I know which one I would pick. Still, I'll try to make an objective comparison on a few issues. Available everywhere? If you're a professional system administrator who works with Unix systems, or a power user on...