The autosign.conf
file can allow certain certificate requests
to be automatically signed. It is only valid on the CA Puppet
master server; a Puppet master not serving as a CA does not
use autosign.conf
.
autosign.conf
whitelist but more complex to configure.For more information, see the documentation about certificate autosigning.
Location
Puppet looks for autosign.conf
at $confdir/autosign.conf
by default. To
change this path, configure the autosign setting in the [master]
section
of puppet.conf
.
The default confdir path depends on your operating system. See the confdir documentation for more information.
autosign.conf
file must
not be executable by the master’s user account. If the autosign
setting points
to an executable file, Puppet instead treats it
like a custom policy executable even if it contains a valid autosign.conf
whitelist.Format
The autosign.conf
file is a line-separated list of certnames or
domain name globs. Each line represents a node name or group of node names for which
the CA Puppet master automatically signs certificate
requests.
rebuilt.example.com
*.scratch.example.com
*.local
Domain name globs do not function as normal globs: an asterisk
can only represent one or more subdomains at the front of a certname that resembles
a fully qualified domain name (FQDN). If your certnames don’t look like FQDNs,
the autosign.conf
whitelist might not be effective.
autosign.conf
file can safely be
an empty file or not-existent, even if the autosign
setting is enabled. An
empty or non-existent autosign.conf
file is an empty whitelist,
meaning that Puppet does not autosign any
requests. If you create autosign.conf
as a non-executable file and add
certnames to it, Puppet then automatically uses
the file to whitelist incoming requests without needing to modify puppet.conf
. To explicitly disable autosigning,
set autosign
= false
in the [master]
section of the CA Puppet master’s puppet.conf
, which
disables CA autosigning even if autosign.conf
or a custom policy executable
exists.