Pulling Strings With Puppet - James Turnbull
perform the required configuration actions on your Puppet node. The first time you start a node, it will generate a local private key and certificate request, connect to the master server you specify (which, in addition to distributing configuration to nodes, also acts as a Certificate Authority), and request that the certificate be signed.

Tip - Puppet relies on SSL to talk between client and server. You need to ensure that the time on your server and client is correct and synchronized (for example, with NTP), because certificate validity periods are checked against the local clock and a skewed clock will make SSL connections fail.

Once the certificate is signed, the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration. The configuration is then implemented on the node. The Puppet client will then periodically, by default every 30 minutes, check the master to see whether the configuration defined there is unchanged. If it has changed, the client will request a recompilation of the configuration, and the new configuration will be implemented on the node.

Tip - If you're running the Puppet client on the same host as the server, your certificate will be automatically signed.


Now, let's start the Puppet client, as demonstrated in Listing 2-3.

Listing 2-3. Starting the Puppet Client

We've started the Puppet client daemon with three options, --server, --verbose, and --waitforcert. The --server option tells the client the name of the server to connect to. You should specify the server in the form of a fully qualified domain name. The --verbose option enables verbose output for the client and stops it from going into the background and daemonizing.

The last option, --waitforcert, tells the client to check every 60 seconds to see whether a signed certificate is returned from the server. This option is generally only used when you are connecting a new node and tells the client daemon to keep checking the server for a signed certificate. You can see in Listing 2-3 a log message indicating that the client is still waiting for the certificate from the server:

notice: Did not receive certificate

If you check on your master daemon, you can see a corresponding log message:

notice: Host node1.testing.com has a waiting certificate request

This message indicates that the client's request to have a certificate signed has been received, and now you need to act on it.

Signing Your Client Certificate

So how does our node get its certificate signed, become authenticated, and receive its configuration? Certificate signing is done on the master server by the puppetca tool. The puppetca tool controls the Puppet Certificate Authority and allows certificate requests to be signed or revoked.

Note - You can also configure Puppet to automatically sign all incoming certificate requests (known as autosign), either from every node or using coarse-grained authentication to selectively sign requests based on hostname or domain. Either form of autosign poses a serious security risk, because it bypasses Puppet's certificate-based authentication: the hostname in a certificate request is supplied by the requesting client, so any host that can reach the master can obtain a signed certificate simply by claiming a matching name. I don't recommend using autosign. But if you do, you can see more details about autosign and Puppet's certificate management at http://www.reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity.

You can list all of the waiting certificate signing requests like so:

You can see the --list option has listed our node's signing request. Now, if we want to sign it, we can use the puppetca command again like so:

We specify the option --sign together with the hostname of the node whose certificate we wish to sign, in this case node1.testing.com. On the next line, we can see the command has returned a message indicating that the certificate is now signed. The node is now authenticated to the server.
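The following shell script is an added example, not code from the book or from Puppet itself; it serves both the autosign note above and the manual signing step just described. Its first function emulates how a line in autosign.conf (one hostname or shell-style glob per line, which is the file's real format) matches a requesting certname, so you can see what a given file would let through; its second gates a manual puppetca --sign on an inventory of expected certnames, because the certname in a request is chosen by the client and a pending request is not by itself proof of identity. The sample config lines, host names, inventory file and its format are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: not code from the book or from Puppet itself.
#   1. autosign_would_sign emulates autosign.conf matching (one hostname
#      or glob per line) against a requesting certname.
#   2. sign_if_known gates a manual "puppetca --sign" on an inventory of
#      expected certnames; the certname in a request is client-chosen.
# Sample config lines, host names and the inventory format are assumptions.

# Return 0 if certname $2 matches any pattern in autosign.conf $1.
autosign_would_sign() {
    conf=$1 name=$2
    while IFS= read -r pat || [ -n "$pat" ]; do
        case $pat in ''|'#'*) continue ;; esac    # skip blanks and comments
        case "$name" in $pat) return 0 ;; esac    # $pat unquoted on purpose: it is a glob
    done < "$conf"
    return 1
}

# Sign the request for certname $1 only if it appears verbatim in the
# inventory file $2.  SIGN_CMD overrides the signing command so the
# decision can be exercised without a running master; leave it unset to
# call the real puppetca.
sign_if_known() {
    name=$1 inventory=$2
    if grep -Fxq -- "$name" "$inventory"; then
        ${SIGN_CMD:-puppetca --sign} "$name"
    else
        echo "refusing to sign $name: not listed in $inventory" >&2
        return 1
    fi
}

# Constructed sample inputs (no real hosts).
tmp=$(mktemp -d)
printf '%s\n' '# wide open: every request gets signed' '*' > "$tmp/autosign.wide.conf"
printf '%s\n' '*.testing.com' > "$tmp/autosign.domain.conf"
printf '%s\n' node1.testing.com node2.testing.com > "$tmp/inventory"

for conf in autosign.wide.conf autosign.domain.conf; do
    for name in node1.testing.com rogue.testing.com evil.attacker.net; do
        if autosign_would_sign "$tmp/$conf" "$name"; then
            echo "$conf: would sign $name"
        else
            echo "$conf: would not sign $name"
        fi
    done
done
# rogue.testing.com is signed by the domain glob as well: restricting
# autosign to a domain only changes which name an attacker has to claim.

SIGN_CMD="echo DRY-RUN: puppetca --sign" sign_if_known node1.testing.com "$tmp/inventory"
SIGN_CMD="echo DRY-RUN: puppetca --sign" sign_if_known rogue.testing.com "$tmp/inventory" || true

rm -rf "$tmp"
```

Run it as-is to see the dry-run output; in real use, call sign_if_known with SIGN_CMD unset on the master after confirming the pending name against your own record of provisioned hosts, which is the check the --list/--sign workflow above leaves to the operator.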

If we go back to the client daemon, we will see logging messages indicating that the certificate has been returned and the client has been started.

The server will now compile and deliver any configuration for that node to the client daemon to be applied. In our example site.pp file in Listing 2-1, we're configuring the /etc/passwd
