Puppet / PUP-5224

the no-client option has been removed, preventing key creation


    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: PUP 4.2.1
    • Fix Version/s: None
    • Component/s: None


      There are numerous reasons to acquire a key from a Puppet server, including

      1. To create a code deployment key for invalidating the environment cache

      2. To create per-user keys used for MCollective authentication

      ...etc. Manually generating the key on the server and then copying the private key across the network to the node is not ideal for many reasons. In some situations the client would rather not have someone else possess their private key for any reason. The connect/authorize model works very well for this.

      The old process was:

      $ puppet agent --certname code-deployment --no-client --test
      blah blah generating key and connecting...
      ...wait for key to be signed on server...
      $ puppet agent --certname code-deployment --no-daemonize --no-client

      At this point you'd have a private key and a certificate signed by the Puppet CA without anyone else ever having a copy of the private key.

      Removal of the no-client mode makes this process much more difficult/annoying. Is there another way to accomplish this request that I am unaware of?

      If not, would you consider re-enabling this option or adding a feature to puppet cert to submit key requests to remote servers and then to retrieve the results?
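The property the ticket describes (the private key is generated on the node and only a signing request leaves it) can be shown with plain OpenSSL. This is an added example, not code from the ticket or from Puppet: the function names are hypothetical, the CA is a constructed throwaway standing in for the Puppet CA, and nothing here contacts a Puppet server.

```shell
#!/bin/sh
# Added example: keep the private key on the node, hand only a CSR to the CA.
# Assumes the openssl CLI is installed; all function names are hypothetical.

# make_csr CERTNAME DIR [BITS]: create DIR/CERTNAME.key and DIR/CERTNAME.csr locally.
make_csr() {
    (
        umask 077    # key file is created readable by its owner only
        openssl genrsa -out "$2/$1.key" "${3:-4096}" 2>/dev/null &&
        openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr"
    )
}

# csr_ok FILE: true if FILE holds no private key block and its self-signature
# verifies (proof the requester holds the key matching the CSR's public key).
csr_ok() {
    ! grep -q 'PRIVATE KEY' "$1" &&
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# throwaway_ca_sign CSR OUT DIR: constructed stand-in CA; it reads only the CSR.
throwaway_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test CA" \
        -keyout "$3/ca.key" -out "$3/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1" -CA "$3/ca.crt" -CAkey "$3/ca.key" \
        -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# cert_matches_key CERT KEY: true if the returned certificate binds our public key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# run_demo: the whole exchange, with node files and CA files in separate directories.
run_demo() {
    node=$(mktemp -d) && ca=$(mktemp -d) || return 1
    make_csr code-deployment "$node" 2048 &&
    csr_ok "$node/code-deployment.csr" &&
    throwaway_ca_sign "$node/code-deployment.csr" "$ca/signed.crt" "$ca" &&
    cert_matches_key "$ca/signed.crt" "$node/code-deployment.key"
    rc=$?
    rm -rf "$node" "$ca"
    return $rc
}

run_demo && echo "certificate matches the key that never left the node"
```

Running `cert_matches_key` on whatever the CA returns is a useful habit before installing a certificate: it fails if the certificate was issued for a different key.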




            • Assignee:
              jorhett Jo Rhett