Configuring the Puppet Enterprise Console to Use a Custom SSL Certificate
A newer version is available; see the version menu above for details.
The PE console uses a certificate signed by PE’s built-in certificate authority (CA). Since this CA is specific to PE, web browsers don’t know it or trust it, and you have to add a security exception in order to access the console. You may find that this is not an acceptable scenario and want to use a custom CA to create the console’s certificate. However, because several elements of the PE infrastructure are authenticated with certificates signed by PE’s built-in CA, you must bundle the custom CA with the built-in CA.
About the CA Bundle
When you use a custom CA to create a certificate for the console, the console still needs to trust requests from other elements of your PE infrastructure that have been authenticated with certificates signed by PE’s built-in CA; and when making requests to the puppet master, the console still needs to present a certificate signed by PE’s built-in CA.
If your custom cert is issued by an intermediate CA, the CA bundle (i.e.,
ca_auth.pem) needs to contain a complete chain, including the applicable root CA.
Here are the main things you will need to do:
- Set up the custom certificates and security credentials (private and public keys).
- Generate a complete CA bundle for the puppet master.
Step 1: Set up Custom Certs and Security Credentials
Retrieve the custom certificate’s public and private keys and the customs CA’s public key, and, for ease of use, name them as follows:
- Add those files to
/etc/puppetlabs/httpd/conf.d/puppetdashboard.confso that it contains the new certificate and keys. The complete SSL list in
puppetdashboard.confshould appear as follows:
SSLCertificateFile /opt/puppet/share/puppet-dashboard/certs/public-dashboard.cert.pem SSLCertificateKeyFile /opt/puppet/share/puppet-dashboard/certs/public-dashboard.private_key.pem SSLCertificateChainFile /opt/puppet/share/puppet-dashboard/certs/public-dashboard.ca_cert.pem SSLCACertificateFile /opt/puppet/share/puppet-dashboard/certs/pe-internal-dashboard.ca_cert.pem SSLCARevocationFile /opt/puppet/share/puppet-dashboard/certs/pe-internal-dashboard.ca_crl.pem
Important: Make sure you do not duplicate any of the above parameters in
The first three certificates in the list are your custom certificate’s public and private keys and your custom CA’s public key. The fourth and fifth entries are PE’s built-in CA’s public key and certificate revocation list (CRL). They should not be edited in any way. This configuration will cause the console to present the signed certificate from your custom CA to clients while still using PE’s built-in CA to authenticate requests from the puppet master.
Step 2: Generate the Complete CA Bundle for the Puppet Master
On the puppet master, create
cat /etc/puppetlabs/puppet/ssl/certs/ca.pem /opt/puppet/share/puppet-dashboard/certs/public-dashboard.ca_cert.pem > /etc/puppetlabs/puppet/ssl/ca_auth.pem.
Note: The second path in the above command is the full path the public key of the custom CA, which you put in
/opt/puppet/share/puppet-dashboard/certs/in step 1.2.
- If you need to include an applicable root CA in your bundle, run
cat root.pem >> ca_auth.pem.
- Change the permissions of the file you just created by running
chmod 644 /etc/puppetlabs/puppet/ssl/ca_auth.pem.
/etc/puppetlabs/puppet/puppet.confand, in the
ssl_client_ca_auth = /etc/puppetlabs/puppet/ssl/ca_auth.pem.
certificate_name, change the value to the DNS FQDN of the console server. Note that the DNS FQDN must match the name of the new console certificate.
- Restart the
pe-httpdservice on both the master and console servers by running
sudo /etc/init.d/pe-httpd restart. (If it is an all-in-one install, you only need to restart the
- Kick off a puppet run.
You should now be able to navigate to your console and see the custom certificate in your browser.