Is it a bad idea to distribute Apache SSL certificates via puppet? Is it insecure to do it this way? Is there a better way to distribute SSL certs to lots of servers?
2 Answers
I've seen this done before. It's only as insecure as your network/destination servers make it. Only you know that. Are you transmitting these over a secure network? If so, you SHOULD be fine. But we can't possibly guarantee that. Why not write a simple ssh script to distribute them? That's what I would recommend. Or write a script to download the cert from a central server and distribute the script via puppet. Just an idea.
EDIT: Since there is some confusion: I'm NOT saying Puppet/SSH are any more secure. But if you're worried about unauthorized access, ensure everything is secure. This is most easily done with a custom SSH script YOU distribute.
- Zoredache (Feb 28, 2012 at 1:50, score 6): Why would SSH be any more secure? Puppet uses SSL for the transport, and RSA keys to authenticate a puppet client. Puppet should be as secure as SSH. Puppet IS a tool to download the cert from a central server. That is exactly its function. If you already have puppet in place, building another system to do the same thing doesn't seem like a good idea.
- Noodles (Feb 28, 2012 at 1:59): The puppet master isn't hosted on the same ISP/datacenter, so transmission is over the internet, but puppet does use SSL. I just don't know how hard it would be for someone to request the certs from my puppet master without me knowing.
- Publiccert (Feb 28, 2012 at 2:07): @Zoredache I think you misinterpreted what I said.
- Shane Madden (Feb 28, 2012 at 4:50, score 3): @Publiccert Puppet agent/master communication uses client certificate authentication; it won't feed manifest or file data to unauthenticated clients unless it's been configured to do so.
- kgilpin (Oct 15, 2013 at 19:02): Are there any authorization rules applied to the stored SSL certificates, or can ANY client with a valid client certificate fetch ANY stored SSL certificate or other key/password?
This is too old but I'm going to answer anyway.
You can encrypt private keys using eyaml and let puppet do the install. This way you are sure that key data is encrypted even in Hiera and it is safely delivered to the node while the agent is run.
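A worked example of the eyaml approach, added here and not part of the original answer: it assumes Hiera 5 with the hiera-eyaml backend (Puppet 4.9 or later, so newer than the question), and the class name, lookup keys and file paths are constructed for illustration.

```puppet
# Added example, not from the original post. Assumes hiera-eyaml is installed
# on the master and hiera.yaml contains a tier such as:
#   - name: "Per-node secrets"
#     lookup_key: eyaml_lookup_key
#     paths: ["nodes/%{trusted.certname}.eyaml"]
#     options:
#       pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
#       pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
# Keying the path on trusted.certname (the CA-signed agent certname, not a
# client-supplied fact) means an agent only receives the secrets filed under
# its own name, which addresses the "can ANY client fetch ANY key" concern.
#
# The private key is encrypted once, on a workstation holding only the PKCS7
# public key, and the resulting ENC[PKCS7,...] blob is placed in
# data/nodes/web01.example.com.eyaml under profile::apache_tls::key:
#   eyaml encrypt -l 'profile::apache_tls::key' -f /path/to/server.key \
#     --pkcs7-public-key=public_key.pkcs7.pem
#
# The certificate itself is public and can live in plain common.yaml.

class profile::apache_tls (
  String $cert_pem = lookup('profile::apache_tls::cert'),
) {
  # hiera-eyaml hands back the decrypted key as a plain string; wrap it in
  # Sensitive so it is redacted from agent logs, reports and catalog output.
  $key_pem = Sensitive(lookup('profile::apache_tls::key'))

  file { '/etc/ssl/certs/apache.crt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $cert_pem,
  }

  # Private key: root-only on disk, Sensitive content, and no diff output so
  # key material never appears in a noop or change report.
  file { '/etc/ssl/private/apache.key':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $key_pem,
    show_diff => false,
  }
}
```

Rotating the PKCS7 key pair on the master (or moving the master) requires re-encrypting every stored blob, so keep the eyaml private key out of the control repository and back it up separately.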
