@ohadlevy
Created May 13, 2010 01:50
#!/bin/sh
# This procedure must be followed after a puppetmaster has been created but before
# any clients have been created by that puppetmaster. It should be performed on
# the puppeteer in the directory where the openssl.cnf file is located.
#
# It requires the puppeteer's id_rsa.pub to be in the authorized_keys template
# It requires that the puppetmaster service has been started at least once on
# the new server (so that its own CA key exists)
# It requires that the puppetmaster and httpd services have been stopped on the
# new server
# NOTE. NOTE. NOTE. NOTE.
# BOTH puppetmaster and httpd services MUST be restarted after this operation
# Otherwise the original self-signed key is provided to clients that it builds
puppetmaster=$1
if [ -z "$puppetmaster" ]
then
  echo "Usage: $0 <fqdn>"
  exit 1
fi
echo "Ensure that $puppetmaster has been built as a stand-alone puppetmaster and that the monit, puppetmaster and http services have been stopped"
echo "Press any key to continue"
read dummy
# Upload required configuration files
scp openssl.cnf "${puppetmaster}:/tmp"
# Modify configuration file: replace the XXXXXXXX placeholder with the puppetmaster's fqdn
# (inner single quotes keep the remote shell from re-splitting the substitution)
ssh "$puppetmaster" "/usr/bin/perl -p -i -e 's/XXXXXXXX/$puppetmaster/' /tmp/openssl.cnf"
# Jump to the puppetmaster and generate a Certificate Signing Request for its existing CA key
ssh "$puppetmaster" /usr/bin/openssl req -new -nodes -key /var/lib/puppet/ssl/ca/ca_key.pem -config /tmp/openssl.cnf -out "/tmp/${puppetmaster}.csr" -passin file:/var/lib/puppet/ssl/ca/private/ca.pass
# Download the CSR
scp "${puppetmaster}:/tmp/${puppetmaster}.csr" "${puppetmaster}.csr"
# Ensure that the index file is present
touch /var/lib/puppet/ssl/index
# Sign this request with the puppeteer's CA keys (v3_ca extensions make the result a CA certificate,
# so the puppetmaster can keep issuing client certificates that chain up to the puppeteer)
/usr/bin/openssl ca -config openssl.cnf -extfile openssl.cnf -extensions v3_ca -in "${puppetmaster}.csr" -out "${puppetmaster}.pem" -passin file:/var/lib/puppet/ssl/ca/private/ca.pass -batch
# Push the new certificate into place on the puppetmaster, replacing its self-signed CA certificate
scp "${puppetmaster}.pem" "${puppetmaster}:/var/lib/puppet/ssl/ca/ca_crt.pem"
# Ensure that puppet owns the serial file updated by the signing step
chown puppet:puppet /var/lib/puppet/ssl/ca/serial
# We need to ensure that all clients created by this or any other puppetmaster have the puppeteer's certificate appended to their /var/lib/puppet/ssl/certs/ca.pem file.
# This is part of the kickstart build process
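The gist replaces a puppetmaster's self-signed CA certificate with one issued by the puppeteer's CA, but it never checks the result before the services are restarted. The script below is an added example (not part of the gist) that rehearses the same chaining in a temporary directory and shows the checks worth running on the real ca_crt.pem: the certificate must verify against the puppeteer's CA, its public key must match the puppetmaster's existing ca_key.pem, and it must carry CA:TRUE or the puppetmaster can no longer sign agent certificates. It assumes openssl is installed; the root CA, keys and minimal config are constructed here, and `openssl x509 -req` stands in for the gist's `openssl ca` so no index/serial database is needed.

```shell
#!/bin/sh
set -e

# build_chain DIR: constructed puppeteer root CA plus a subordinate "puppetmaster"
# CA key whose CSR is signed with v3_ca extensions, as the gist does.
build_chain() {
    dir=$1
    mkdir -p "$dir"
    # minimal stand-in for the v3_ca part of the gist's openssl.cnf (constructed)
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # puppeteer's self-signed root CA (constructed, unencrypted for the example)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root_key.pem" \
        -out "$dir/root_crt.pem" -subj "/CN=puppeteer-ca" -days 365 \
        -config "$dir/ca.cnf" 2>/dev/null
    # the puppetmaster's pre-existing CA key (the gist's ca_key.pem)
    openssl genrsa -out "$dir/sub_key.pem" 2048 2>/dev/null
    # CSR for that key, mirroring the "openssl req -new -key ca_key.pem" step
    openssl req -new -key "$dir/sub_key.pem" -out "$dir/sub.csr" \
        -subj "/CN=puppetmaster.example.test" -config "$dir/ca.cnf"
    # sign with the root and v3_ca extensions (swapped in for "openssl ca")
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root_crt.pem" \
        -CAkey "$dir/root_key.pem" -CAcreateserial -days 365 \
        -extfile "$dir/ca.cnf" -extensions v3_ca -out "$dir/sub_crt.pem" 2>/dev/null
}

# verify_chain DIR: the checks to run on the signed certificate before it is
# copied over ca_crt.pem and the services are restarted. Returns non-zero on failure.
verify_chain() {
    dir=$1
    # 1. it must chain to the puppeteer's CA
    openssl verify -CAfile "$dir/root_crt.pem" "$dir/sub_crt.pem" >/dev/null 2>&1 || return 1
    # 2. its public key must belong to the puppetmaster's existing CA key
    crt_pub=$(openssl x509 -in "$dir/sub_crt.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$dir/sub_key.pem" -pubout)
    [ "$crt_pub" = "$key_pub" ] || return 1
    # 3. it must be a CA certificate, or agent certificates can no longer be issued
    openssl x509 -in "$dir/sub_crt.pem" -noout -text | grep -q 'CA:TRUE'
}
```

On a real puppetmaster the same three checks apply to /var/lib/puppet/ssl/ca/ca_crt.pem against the puppeteer's CA certificate and /var/lib/puppet/ssl/ca/ca_key.pem.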