Free IPA with puppet enterprise
1. Patch IPA so its CA accepts subject alternative names (SANs) in certificate requests (the patch itself is not included in this gist).
2. Patch IPA so certificates can be issued under a service principal (e.g. pe-internal-broker/puppet.<domain>) rather than only under the host principal, then restart IPA:
# Restart IPA so the two patches above (SAN support and service-named
# certificates) are in effect before any certificate request is made.
/etc/init.d/ipa restart
3. On IPA
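# Step 3 (run on the IPA server as a Kerberos-capable user): recreate the
# service principal "<component>/puppet.<domain>" for each Puppet Enterprise
# component so the puppet master can request a certificate for it in step 4.
# Requires the IPA admin password in $password.
: "${password:?IPA admin password must be in \$password}"
# kinit reads the password from stdin when stdin is not a tty; printf avoids
# echo's option/escape handling (a password starting with "-n" or containing
# backslashes would be mangled) and keeps the secret off the command line.
printf '%s\n' "$password" | kinit admin || { echo "kinit admin failed" >&2; exit 1; }

# NOTE: domainname(1) prints the NIS/YP domain, which is "(none)" on most
# hosts. Every principal below is built from it, so refuse to continue with
# an empty or unset value (use dnsdomainname / hostname -d if that is what
# your environment actually provides).
domain=$(domainname)
[[ -n "$domain" && "$domain" != "(none)" ]] || { echo "domainname returned '$domain'; aborting" >&2; exit 1; }

# Same set of principals as the -K arguments used on the puppet master.
# The original list named pe-internal-dashboard twice; once is enough.
for serv in pe-internal-dashboard pe-internal-broker pe-internal-mcollective-servers pe-internal-peadmin-mcollective-client pe-internal-puppet-console-mcollective-client; do
  # Deleting first gives a clean entry; on a first run the delete simply
  # fails because the principal does not exist yet, which is harmless.
  ipa service-del "$serv/puppet.$domain"
  ipa service-add "$serv/puppet.$domain" || { echo "could not add $serv/puppet.$domain" >&2; exit 1; }
done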
4. On puppet
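# Step 4 (run on the puppet master as root): stop certmonger tracking of the
# old PE certificates, re-request each one from FreeIPA, install the IPA CA
# and CRL wherever Puppet Enterprise, PuppetDB and the dashboard look for
# them, install an hourly CRL refresh and restart the PE services.
# Requires the IPA admin password in $password.
set -o pipefail

# Abort with a message on stderr. The original used "( echo ...; exit 1 )",
# whose exit only left the subshell, so the script carried on regardless.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Poll for a file certmonger is expected to write instead of a fixed sleep.
# $1 = path, $2 = seconds to wait (default 30). Returns 1 on timeout.
wait_for_file() {
  local path=$1 timeout=${2:-30} waited=0
  while [[ ! -s "$path" ]]; do
    (( waited >= timeout )) && return 1
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

: "${password:?IPA admin password must be in \$password}"
# kinit reads the password from stdin when stdin is not a tty; printf avoids
# echo's option/escape handling and keeps the secret off the command line.
printf '%s\n' "$password" | kinit admin || die "kinit admin failed"

certdir=/etc/puppetlabs/puppet/ssl/certs
privdir=/etc/puppetlabs/puppet/ssl/private_keys
cafile=/etc/puppetlabs/puppet/ssl/certs/ca.pem
crlfile=/etc/puppetlabs/puppet/ssl/crl.pem
ipa_ca=/etc/ipa/ca.crt
pdbdir=/etc/puppetlabs/puppetdb/ssl
dashdir=/opt/puppet/share/puppet-dashboard/certs

# NOTE: domainname(1) prints the NIS/YP domain, which is "(none)" on most
# hosts. Every principal, SAN and URL below is built from it, so refuse to
# continue with an empty or unset value (use dnsdomainname / hostname -d if
# that is what your environment actually provides).
domain=$(domainname)
[[ -n "$domain" && "$domain" != "(none)" ]] || die "domainname returned '$domain'; aborting"
master=puppet.$domain

# Fetch the CRL over a *verified* TLS connection using the IPA CA that is
# installed below as the trust anchor (the original used curl -k, which lets
# an on-path attacker replay a stale CRL or break the fetch). Fail on HTTP
# errors and only replace the installed CRL once the download converted
# cleanly, so a failed fetch never truncates crl.pem to an empty file.
fetch_crl() {
  local tmp
  tmp=$(mktemp "$crlfile.XXXXXX") || return 1
  if curl -q -sSf --cacert "$ipa_ca" "https://ipa.$domain/ipa/crl/MasterCRL.bin" | openssl crl -inform der > "$tmp"; then
    chmod 644 "$tmp" && mv -f -- "$tmp" "$crlfile"
  else
    rm -f -- "$tmp"
    return 1
  fi
}

# Stop certmonger renewing the old requests before replacing them; failures
# here (e.g. a request that was never tracked) are harmless.
for cert in pe-internal-broker "$master" pe-internal-dashboard pe-internal-mcollective-servers pe-internal-peadmin-mcollective-client pe-internal-puppet-console-mcollective-client; do
  ipa-getcert stop-tracking -i "$cert"
done

# Broker (stomp) cert: SANs for the broker name, the master FQDN and "stomp".
rm -f -- "$certdir/pe-internal-broker.pem"
ipa-getcert request -N CN=pe-internal-broker \
  -f "$certdir/pe-internal-broker.pem" -k "$privdir/pe-internal-broker.pem" \
  -I pe-internal-broker -D pe-internal-broker -D "$master" -D stomp \
  -K "pe-internal-broker/$master" -r

# Puppet master cert, issued under the host principal and reused by PuppetDB.
rm -f -- "$certdir/$master.pem"
ipa-getcert request -N "CN=$master" \
  -f "$certdir/$master.pem" -k "$privdir/$master.pem" \
  -I "$master" -D "$master" -D puppet -r -K "host/$master"
wait_for_file "$certdir/$master.pem" || die "certmonger did not write $certdir/$master.pem (check 'ipa-getcert list')"
cat "$certdir/$master.pem" > "$pdbdir/public.pem"
# A private key copy must never be created world-readable; the original
# relied on the caller's umask. The subshell keeps the umask change local
# and an existing target keeps its current owner/mode.
( umask 077; cat "$privdir/$master.pem" > "$pdbdir/private.pem" )

# Dashboard cert, keyed next to the dashboard's own cert directory.
rm -f -- "$dashdir/pe-internal-dashboard.cert.pem"
ipa-getcert request -N CN=pe-internal-dashboard \
  -f "$dashdir/pe-internal-dashboard.cert.pem" -k "$dashdir/pe-internal-dashboard.private_key.pem" \
  -I pe-internal-dashboard -D pe-internal-dashboard -D "$master" -r -K "pe-internal-dashboard/$master"

# MCollective server/client certs: no SANs, principal <name>/<master FQDN>.
for mycert in pe-internal-mcollective-servers pe-internal-peadmin-mcollective-client pe-internal-puppet-console-mcollective-client; do
  rm -f -- "$certdir/$mycert.pem"
  ipa-getcert request -N "CN=$mycert" -f "$certdir/$mycert.pem" -k "$privdir/$mycert.pem" \
    -I "$mycert" -K "$mycert/$master" -r
done

# Install the IPA CA as the trust anchor everywhere PE looks for one.
for dst in "$cafile" "$pdbdir/ca.pem" /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem "$dashdir/pe-internal-dashboard.ca_cert.pem"; do
  cat "$ipa_ca" > "$dst"
done

fetch_crl || die "could not fetch the CRL from ipa.$domain"
cat "$crlfile" > "$dashdir/pe-internal-dashboard.ca_crl.pem"
cat "$crlfile" > /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem

# Hourly CRL refresh. Paths and the domain are expanded now (unquoted
# heredoc); \$tmp is escaped so it is evaluated when cron runs the script.
cat <<EOF > /etc/cron.hourly/refreshpuppetcrl
#!/bin/bash
# Hourly CRL refresh installed by the FreeIPA/Puppet Enterprise setup script.
# Downloads over verified TLS and swaps the file in atomically so a failed
# fetch never leaves an empty CRL behind.
set -o pipefail
tmp=\$(mktemp $crlfile.XXXXXX) || exit 1
if $(command -v curl) -q -sSf --cacert $ipa_ca https://ipa.$domain/ipa/crl/MasterCRL.bin | $(command -v openssl) crl -inform der > "\$tmp"; then
  chmod 644 "\$tmp" && mv -f -- "\$tmp" $crlfile
  cat $crlfile > $dashdir/pe-internal-dashboard.ca_crl.pem
  cat $crlfile > /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
  /etc/init.d/pe-httpd reload
else
  rm -f -- "\$tmp"
  exit 1
fi
EOF
chmod +x /etc/cron.hourly/refreshpuppetcrl

# Wait for every requested certificate rather than sleeping a fixed 10s.
for f in "$certdir/pe-internal-broker.pem" "$dashdir/pe-internal-dashboard.cert.pem" \
         "$certdir/pe-internal-mcollective-servers.pem" "$certdir/pe-internal-peadmin-mcollective-client.pem" \
         "$certdir/pe-internal-puppet-console-mcollective-client.pem"; do
  wait_for_file "$f" || die "certmonger did not write $f (check 'ipa-getcert list')"
done
chown pe-puppet:root "$certdir"/* "$dashdir/pe-internal-dashboard.cert.pem"
chmod 640 "$certdir"/* "$dashdir/pe-internal-dashboard.cert.pem"
# NOTE(review): the private keys under $privdir and the dashboard private key
# are left with whatever owner/mode certmonger wrote — confirm the PE service
# users can read them and that they are not group/world readable.

# Restart every PE service in reverse alphabetical order, as the original did
# with "ls | tac", without parsing ls output.
services=(/etc/init.d/pe-*)
for (( i = ${#services[@]} - 1; i >= 0; i-- )); do
  "${services[i]}" restart
done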