On Sat, Dec 07, 2013 at 11:39:31 +0100, Lukas Zapletal wrote:
> On Fri, Dec 06, 2013 at 05:20:40PM +0100, Martin Milata wrote:
> > I wonder if it would be possible to use these certificates without major
> > changes to Puppet. Or, whether the benefits of having authenticated
> > problem reports outweigh the risks of sharing the puppet certificates
> > with another component.
> Well, the same way we deploy the client certificate, we can also deploy
> another ABRT certificate.
We just implemented the ability to use client-side SSL/TLS
authentication when sending uReports. This makes using Puppet
certificates easy as everything is handled by libcurl and it appears
that SELinux already allows us to access them.
If I understand correctly the plugin has to provide a smart proxy to
accept the uReports since the managed hosts are not required to have
connectivity to the main Foreman server. The idea is that the proxy
receives the uReports via client-authenticated https where the Puppet CA
is used to validate the client's certificate. Do you see any problem
with this?
We'd like to make the uReport client configuration easy so that the path
to the Puppet certificate doesn't have to be specified explicitly. I'm
not familiar with Puppet, so I'd like to ask if we can expect the client
certificate to be in /var/lib/puppet/ssl/certs/`facter fqdn`.pem
and the key in /var/lib/puppet/ssl/private_keys/`facter fqdn`.pem?
Thank you,
Martin Milata
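The exchange proposed in the message above (client-authenticated TLS between a managed host and the smart proxy, with the Puppet CA as the only trust anchor) as an added example in Ruby, the smart proxy's language. This is illustrative code written for this page, not ABRT, libcurl or Foreman code: it generates a throwaway "Puppet CA", a proxy certificate and a host certificate in memory instead of reading /var/lib/puppet/ssl, all host names are made up, and the wire format (one JSON line each way over a raw TLS socket) stands in for HTTPS. Beyond the handshake itself it adds the check a proxy would want: the hostname inside the uReport is compared against the certname in the client certificate, so a host cannot file reports on another host's behalf.

```ruby
require "openssl"
require "socket"
require "json"

# Added example, not ABRT or Foreman code. A throwaway "Puppet CA" issues a
# certificate to the smart proxy and one to a managed host (CN = certname,
# the lowercased FQDN). All host names are made up.
def issue_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}", false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Trust only the Puppet CA, never the system bundle: otherwise any public CA
# could issue a client cert carrying a managed host's name.
def trust_only(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# Proxy side: demand a client cert and fail the handshake unless it chains to the Puppet CA.
def proxy_context(proxy_cert, proxy_key, ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = proxy_cert
  ctx.key = proxy_key
  ctx.cert_store = trust_only(ca_cert)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# Handle one uReport. The only identity the proxy can trust is the certname in
# the client cert, so the hostname claimed inside the report must match it.
def accept_ureport(ssl_server)
  sock = ssl_server.accept   # raises SSLError when the client cert is not from the Puppet CA
  certname = sock.peer_cert.subject.to_a.assoc("CN")[1]
  report = JSON.parse(sock.gets)
  verdict = report["hostname"].to_s.downcase == certname.downcase ? "accepted" : "rejected"
  sock.puts({ "result" => verdict, "certname" => certname }.to_json)
  [verdict.to_sym, certname]
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  [:tls_rejected, e.message]
ensure
  sock&.close
end

# Client side: what libcurl does with --cert/--key/--cacert pointed at Puppet's files.
def send_ureport(port, report, cert, key, ca_cert, proxy_name: "proxy.example.com")
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.cert_store = trust_only(ca_cert)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.hostname = proxy_name   # SNI, and the name the proxy cert must carry
  sock.sync_close = true
  sock.connect
  sock.puts(report.to_json)
  reply = sock.gets
  reply && JSON.parse(reply)
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError, IOError
  nil   # the proxy refused the handshake (or tore the connection down)
ensure
  sock&.close
end

# Three runs: a Puppet-issued cert with a matching hostname, the same cert
# claiming another host's name, and a self-signed cert with the right name.
def run_demo
  ca_key, proxy_key, host_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  ca_cert = issue_cert("Puppet CA", ca_key, ca: true)
  proxy_cert = issue_cert("proxy.example.com", proxy_key, issuer_cert: ca_cert, issuer_key: ca_key, san: "proxy.example.com")
  host_cert = issue_cert("web01.example.com", host_key, issuer_cert: ca_cert, issuer_key: ca_key)
  rogue_cert = issue_cert("web01.example.com", rogue_key)   # right name, wrong CA
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, proxy_context(proxy_cert, proxy_key, ca_cert))
  cases = { good: [host_cert, host_key, "web01.example.com"],
            spoofed: [host_cert, host_key, "db01.example.com"],
            rogue: [rogue_cert, rogue_key, "web01.example.com"] }
  results = cases.transform_values do |cert, key, claimed|
    proxy = Thread.new { accept_ureport(server) }
    reply = send_ureport(tcp.addr[1], { "hostname" => claimed, "reason" => "SIGSEGV" }, cert, key, ca_cert)
    [proxy.value.first, reply && reply["result"]]
  end
  server.close
  results
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things carry over to a real deployment. First, the paths in the question are Puppet's defaults, but both the ssldir and the certname are settings; the certname defaults to the FQDN lowercased, so `facter fqdn` can differ from it in case alone. Asking the agent (`puppet agent --configprint hostcert`, likewise `hostprivkey` and `localcacert`) avoids guessing. Second, the proxy must pin its trust to the Puppet CA only (the `trust_only` store above); pointing client verification at the system CA bundle would let any publicly issued certificate pass as a managed host.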