[Freeipa-users] Best practice for requesting a certificate in Kickstart?

David Kupka dkupka at redhat.com
Mon Apr 25 08:03:20 UTC 2016


On 24/04/16 04:46, Anthony Clark wrote:
> Hello All,
>
> TL;DR: what's the best way to grab a SSL cert and key during kickstart?
>
> (this is all using CentOS 7.2 latest)
>
> I'm using Foreman to manage my kickstart and Puppet services, and its built-in
> FreeIPA client enrollment works just fine.
>
> However I'd like to also request a certificate and key for a Puppet client to
> use to authenticate to the Foreman-controlled Puppet server.
>
> If I manually set up a puppet client then it works just fine.  I use something
> like this:
>
> # ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem
> # cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem
>
> (then setting the correct paths and settings in /etc/puppet/puppet.conf)
>
> I tried to make that work inside the Kickstart process, but as those commands
> are running inside a kickstart chroot the certmonger service won't start.
>
> Is there a better method to grab a SSL cert and key for the host during
> kickstart?  Or should I just wait until firstboot and perform the steps at that
> point?
>
> Many Thanks and FreeIPA is really amazing!
>
> Anthony Clark

Hello Anthony,

TL;DR Set DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null in the kickstart 
chroot environment before calling "ipa-getcert request".


The issue is already addressed by BZ1134497 [1]. When getcert detects 
that there is no DBus it starts certmonger and communicates over a unix 
socket. But in the Kickstart environment DBus is available but unusable 
(BZ1271551 [2]). It can be worked around by setting 
DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null (this is described in the 
Doc Text of [1]).

You can also run ipa-client-install with --request-cert and it will also 
request a certificate for the client. It also requires the workaround in 
the Kickstart chroot environment. But unlike "ipa-getcert request -w" it 
won't wait for the certificate to be issued and fetched.

The reason is that it can take days for a certificate to be issued (some 
CAs require human approval), so ipa-client-install only submits the 
request and doesn't wait for the certificate.
After the installation completes and the system is started, certmonger 
periodically queries for the certificate and fetches it when available.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1134497
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551

HTH,
-- 
David Kupka
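
The workaround from the reply above, put together as a %post helper. This is an added example for this thread, not code from either post or from the FreeIPA project. Assumptions it makes beyond what the thread states: the paths follow the layout in Anthony's command; the FQDN comes from `hostname -f` (in a Foreman template you would substitute `<%= @host.name %>`); and the IPA_GETCERT, PUPPET_SSL and IPA_CA overrides exist only so the helper can be exercised against a stub instead of a live IPA server. The second argument covers the caveat in the reply: pass "no" when the CA needs human approval, so the install only submits the request and certmonger fetches the certificate after first boot.

```shell
#!/bin/sh
# Kickstart %post helper: request the Puppet client certificate from FreeIPA
# inside the installer chroot. Added example for this thread, not code from
# the original posts or from the FreeIPA project.
#
# Assumptions (not from the thread): directory layout under /var/lib/puppet/ssl
# as in Anthony's command; FQDN from `hostname -f`; IPA_GETCERT, PUPPET_SSL and
# IPA_CA are overridable so the helper can be run against a stub for testing.
set -eu

IPA_GETCERT="${IPA_GETCERT:-ipa-getcert}"
PUPPET_SSL="${PUPPET_SSL:-/var/lib/puppet/ssl}"
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"

# request_puppet_cert FQDN [wait]
#   wait=yes (default): pass -w and block until the certificate is issued;
#                       fine when the IPA CA auto-approves host certificates.
#   wait=no:            submit only, like ipa-client-install --request-cert;
#                       certmonger fetches the certificate after first boot,
#                       which is the right choice when the CA needs approval.
request_puppet_cert() {
    fqdn="$1"
    wait="${2:-yes}"
    certdir="$PUPPET_SSL/certs"
    keydir="$PUPPET_SSL/private_keys"
    certfile="$certdir/$fqdn.pem"
    keyfile="$keydir/$fqdn.pem"

    mkdir -p "$certdir" "$keydir"
    chmod 0750 "$keydir"        # private keys must not be world-readable

    waitflag=""
    if [ "$wait" = "yes" ]; then
        waitflag="-w"
    fi

    # The workaround from BZ1134497: the chroot has a system bus that getcert
    # can see but not use. Pointing DBUS_SYSTEM_BUS_ADDRESS at /dev/null makes
    # getcert treat DBus as absent, so it starts certmonger itself and talks
    # to it over the unix socket. The subshell keeps the override local to
    # this one invocation; the rest of %post sees the normal environment.
    (
        export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null
        # $waitflag is intentionally unquoted: empty means "no -w".
        "$IPA_GETCERT" request $waitflag -r -f "$certfile" -k "$keyfile"
    )

    # The CA Puppet will trust: the same copy Anthony's cp command installs.
    install -m 0644 "$IPA_CA" "$certdir/ca.pem"
}

# puppet_cert_ready FQDN: 0 when both certificate and key are present and
# non-empty. With wait=no this is what a firstboot check would poll;
# certmonger's own view of the request is `getcert list`.
puppet_cert_ready() {
    [ -s "$PUPPET_SSL/certs/$1.pem" ] && [ -s "$PUPPET_SSL/private_keys/$1.pem" ]
}

# In a real %post section:  request_puppet_cert "$(hostname -f)" yes
if [ "${1:-}" = "--run" ]; then
    request_puppet_cert "$(hostname -f)" "${2:-yes}"
fi
```

Because the export lives in a subshell, DBUS_SYSTEM_BUS_ADDRESS is unset again once getcert returns, so any later %post step that does need the system bus is unaffected. With wait=no the %post section finishes immediately, and puppet_cert_ready will keep failing until certmonger, running as a normal service after reboot, has fetched the issued certificate; Puppet should not be started before that check passes.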