adam buxton abuxton

Generate a private key and a CSR(Certificate Signing Request )
Generate a CSR from an Existing Private Key
Generate a CSR from an Existing Certificate and Private Key
Generating SSL Certificates

View Certificate Entries

Puppet Node Purging via API

When you're decomissioning a machine that has been managed by Puppet you may want to programatically clean up the node. There are two parts to this:

revoking and deleting the certificate of the node in Puppet's CA
deactivating the node in PuppetDB

The following should work for Puppet 4.x and Puppet DB 4.x (including Puppet Enterprise 2016.4.x, 2017.1.x, 2017.2.x).

I've used certificate based auth, and the examples are being run from the puppet master so make use of existing certificates for authentication. When run remotely the cacert, certificate and corresponding private key for authentication will need to be present.

Docker-based Web Application Setup (example)

This is an example of hosting standalone web front-end (web) and data API (api) applications under the same domain via Nginx (acting as a reverse proxy) and Docker, where HTTP requests starting with example.com/graphql and example.com/login/* are being redirected to http://api:3000 and everything else under the same domain is going to be passed to http://web:3000.

Folder Structure

.
├── /nginx.sites/               # Server configuration for each of web apps
├── /nginx.snippets/            # Nginx code snippets

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

An Ansible summary

Jon Warbrick, July 2014, V3.2 (for Ansible 1.7)

Configuration file

intro_configuration.html

First one found from of

	def get_ca_bundle():
	"""Tries to find the platform ca bundle for the system (on linux systems)"""
	ca_bundles = [
	# list taken from https://golang.org/src/crypto/x509/root_linux.go
	"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem", # OpenSUSE
	"/etc/pki/tls/cacert.pem", # OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
	]

	#!/bin/bash

	# The Puppet Enterprise High Availability documentation states:
	#
	# Run the forget command whenever a replica node is destroyed,
	# even if you plan to replace it with a replica with the same name.
	#
	# Some users prefer to forget and reuse (instead of destroy and replace) a replica.
	# As an alternative, when `/opt/puppetlabs/bin/puppet-enterprise-uninstaller` isn't available,
	# this script uninstalls Puppet Enterprise on the Replica.

	# will not work in all cases, see https://gist.github.com/angelo-v/e0208a18d455e2e6ea3c40ad637aac53#gistcomment-3439904

	function jwt-decode() {
	sed 's/\./\n/g' <<< $(cut -d. -f1,2 <<< $1) \| base64 --decode \| jq
	}

	JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

	jwt-decode $JWT

	Puppet::Parser::Functions.newfunction(:local_scope,
	:type => :rvalue,
	:doc => <<-'EOS'
	Generates the local scope as a hash. This allows you to use epp functions more
	or less like erb templates by passing local scope as the parameters argument.
	e.g., `content => epp('mymodname/template.epp', local_scope() )`
	EOS
	) do \|args\|
	scope = self.to_hash
	scope.reject! { \|key,val\| scope['facts'].include? key }

	vault.barrier.*
	name="vault_barrier"
	method="$1"

	vault.consul.*
	name="vault_consul"
	method="$1"

	vault.route..
	name="vault_route"