Automatic management of SSL certificate on multiple servers…good or bad

puppet ssl ubuntu configuration-management

We're using puppet to manage a group of Ubuntu boxes and will shortly require each of these servers to share a common SSL certificate, in order to serve a site over HTTPS. Naturally, we'd like to use puppet to manage the certificate but are conscious of the fact that putting it in a VCS (from where the puppet master gets its modules) mightn't be a great idea—because of the security implications.

Are there any better solutions anyone is aware of?


Disclosure: I am one of the developers of Puppet.

The general practice is to use a special file server mount that offers the content, and then have an ACL on that allowing only the specific systems to get at the files. That allows you to use a source => 'puppet://...' specification without having to have it come from the same place as the other modules.

You might also look to the hiera-gpg module, as documented here, source here. That allows some protection for the content in terms of exposure, so that only approved people, and folks with sufficient access to the Puppet master they could hack the code to get the data, could read it.

Related

Broken BIOS detected, complain to your hardware vendor. WTF?
Is there a way to deliver a customized file to a server via puppet
How to make AD highly available for applications that use it as an LDAP service
How to limit network usage for concrete application in linux that is running in it?
Inventory or Audit Installed Linux Software
Do I need a dedicated IP address per sub domain for SSL?
How can I rebuilt MySQL replication without dumping the master?
Two trusted domains with same username in both - can we merge?
Ubuntu: disable udev's persistent-net-generator.rules
Installing RDS on Windows Server 2012 without AD
Copy a whole directory structure in Chef
how to add an open_basedir path in nginx vhost