I encrypted the password using hiera:
dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'tfl@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
}
But on the node, when running agent -t -v, the password is shown as plain text in the agent output and in the catalog JSON file.
I also tried node_encrypt(lookup('password')); then I get the content of my encrypted password (which is good) and Windows complains that the password doesn't meet the password complexity requirements (bad, because it's trying to set all of the below as the password):
'password' = '-----BEGIN PKCS7-----
MIIMyQYJKoZIhvcNAQcDoIIMujCCDLYCAQAxggKdMIICmQIBADCBgjB9MXsweQYD
VQQDDHJQdXBwZXQgRW50ZXJwcmlzZSBDQSBnZW5lcmF0ZWQgb24gbXlwdXBwZXQt
eGwwZGJ5a212Z2xrYnl2eS5ldS13ZXN0LTEub3Bzd29ya3MtY20uaW8gYXQgKzIw
MTgtMTEtMDIgMTQ6MDQ6MDAgKzAwMDACAQUwCwYJKoZIhvcNAQEBBIICABkJDfGb
4CdHUntrVR1E......
Hiera config:
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
EDIT: just found this; it seems it's an open issue and related to Windows only.
UPDATE: I managed to configure Puppet not to cache the catalog file on the Windows client (adding catalog_cache_terminus="" to the puppet config file on Windows), so I'll use this as a "workaround". It seems there is no way to remove passwords from the agent debug output.
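The check a practitioner wants for the problem described in this question is to scan the agent's cached catalog for the secret itself and see which resource and parameter carry it in clear text, and whether that parameter is even marked sensitive. The script below is an added example, not part of the original post and not Puppet's own code; the catalog shape it assumes (a "resources" array whose entries have "parameters" and a "sensitive_parameters" list) and the sample catalog, node name and password are constructed for illustration.

```ruby
require 'json'

# Added example (not from the original post and not Puppet's own code): scan an
# agent's cached catalog JSON for a secret that was meant to stay wrapped in
# Sensitive() and report which resource/parameter carries it in clear text.
# The catalog below is a constructed sample; the shape assumed here is a
# "resources" array whose entries carry "parameters" and an optional
# "sensitive_parameters" list of parameter names the agent should redact.
SAMPLE_CATALOG = <<~JSON
  {
    "name": "win-node.ad.contoso.com",
    "resources": [
      {
        "type": "Dsc_xaduser",
        "title": "FirstUser",
        "parameters": {
          "dsc_ensure": "present",
          "dsc_username": "tfl",
          "dsc_password": {
            "user": "tfl@ad.contoso.com",
            "password": "Hunter2-ExampleOnly"
          },
          "dsc_domainadministratorcredential": {
            "user": "Administrator@ad.contoso.com",
            "password": "Hunter2-ExampleOnly"
          }
        },
        "sensitive_parameters": []
      },
      {
        "type": "File",
        "title": "C:/secrets/token.txt",
        "parameters": { "ensure": "file", "content": "Hunter2-ExampleOnly" },
        "sensitive_parameters": ["content"]
      }
    ]
  }
JSON

# Depth-first walk over a parameter value, yielding [path, leaf] so that a
# password nested inside a credential hash is found, not just top-level strings.
def each_leaf(node, path = [], &blk)
  case node
  when Hash  then node.each { |k, v| each_leaf(v, path + [k.to_s], &blk) }
  when Array then node.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &blk) }
  else blk.call(path, node)
  end
end

# One hit per parameter value that contains +secret+; marked_sensitive tells
# whether the agent was even told to redact that parameter.
def find_plaintext(catalog_json, secret)
  catalog = JSON.parse(catalog_json)
  hits = []
  catalog.fetch('resources', []).each do |res|
    marked = res.fetch('sensitive_parameters', [])
    each_leaf(res.fetch('parameters', {})) do |path, value|
      next unless value.is_a?(String) && value.include?(secret)
      hits << {
        resource: "#{res['type']}[#{res['title']}]",
        param: path.join('.'),
        marked_sensitive: marked.include?(path.first)
      }
    end
  end
  hits
end

# Hits the agent would not redact: the nested-credential-hash case from the question.
def unmarked_leaks(catalog_json, secret)
  find_plaintext(catalog_json, secret).reject { |h| h[:marked_sensitive] }
end

if __FILE__ == $PROGRAM_NAME
  # On a real node, read client_data/catalog/<certname>.json and pass the real
  # secret in place of SAMPLE_CATALOG and the constant below.
  unmarked_leaks(SAMPLE_CATALOG, 'Hunter2-ExampleOnly').each do |h|
    puts "#{h[:resource]} #{h[:param]}: secret in clear text, not marked sensitive"
  end
end
```

Run against the real cached catalog, every hit whose parameter is not in sensitive_parameters is a value the agent has no instruction to redact, which is exactly why the nested credential hash shows up in plain text in the output and on disk.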
I want to learn how to use Logstash with the Mailtrap SMTP service for development purposes. I installed Logstash and then ran this command:
/usr/share/logstash/bin/logstash -e 'input { stdin { } } output { email {
    to => "user@example.com"
    from => "user@example.com"
    subject => "Alert - %{title}"
    body => "content here"
    authentication => "plain"
    domain => "smtp.mailtrap.io:2525"
    username => "20ff3475e0c350"
    password => "594980b5a1be46"
  }
}'
Once logstash is up and running, I type something and press enter. This causes the error below:
[ERROR] 2022-11-08 19:34:59.861 [[main]>worker1] email - Something happen while delivering an email {:exception=>#<Net::SMTPAuthenticationError: 503 5.5.1 Error: authentication not enabled
How do I enable authentication? Or what am I doing wrong? I also can't find any documentation on what the acceptable values for the authentication property are.
I'm not able to register the certificate thumbprint value from the win_certificate_store module in a format that the win_iis_webbinding module would accept.
Here are my Ansible tasks:
- name: Import certificate to Target local cert store
  win_certificate_store:
    path: C:\Certs\{{ansible_hostname}}.cert.p12
    file_type: pkcs12
    password: XXXXXXXXXX
    store_location: LocalMachine
    key_storage: machine
    state: present
  register: cert_import

- name: Debug thumbprints variable
  debug:
    var: cert_import.thumbprints

- name: Bind the issued certificate to Default Web Site in IIS
  win_iis_webbinding:
    name: Default Web Site
    protocol: https
    port: 443
    certificate_hash: "{{ cert_import.thumbprints }}"
    state: present
And this is the output:
TASK [Import certificate to Target local cert store] *******************************************************************************************************************************
task path: /home/weseroot/.ansible/roles/certman/tasks/import_bind_cert.yml:7
Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/windows/win_certificate_store.ps1
Pipelining is enabled.
<10.0.0.5> ESTABLISH WINRM CONNECTION FOR USER: weseadmin on PORT 5985 TO 10.0.0.5
EXEC (via pipeline wrapper)
ok: [10.0.0.5] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "file_type": "pkcs12",
            "key_exportable": true,
            "key_storage": "machine",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "path": "C:\\Certs\\w2016-IIS-1.cert.p12",
            "state": "present",
            "store_location": "LocalMachine",
            "store_name": "My",
            "thumbprint": null
        }
    },
    "thumbprints": [
        "C85F1FC23B89DFB88416EDFAE9C91C586515C8ED"
    ]
}
TASK [Debug thumbprints variable] **************************************************************************************************************************************************
task path: /home/weseroot/.ansible/roles/certman/tasks/import_bind_cert.yml:17
ok: [10.0.0.5] => {
    "cert_import.thumbprints": [
        "C85F1FC23B89DFB88416EDFAE9C91C586515C8ED"
    ]
}
TASK [Bind the issued certificate to Default Web Site in IIS] **********************************************************************************************************************
task path: /home/weseroot/.ansible/roles/certman/tasks/import_bind_cert.yml:27
Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/windows/win_iis_webbinding.ps1
Pipelining is enabled.
<10.0.0.5> ESTABLISH WINRM CONNECTION FOR USER: weseadmin on PORT 5985 TO 10.0.0.5
EXEC (via pipeline wrapper)
The full traceback is:
Cannot retrieve the dynamic parameters for the cmdlet. The specified wildcard character pattern is not valid: System.Object[]
At line:157 char:15
+     If (-Not (Test-Path $cert_path) )
+               ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Test-Path], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : GetDynamicParametersException,Microsoft.PowerShell.Commands.TestPathCommand
ScriptStackTrace:
at <ScriptBlock>, <No file>: line 157
fatal: [10.0.0.5]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Cannot retrieve the dynamic parameters for the cmdlet. The specified wildcard character pattern is not valid: System.Object[]"
}
Any suggestions on how the thumbprint variable could be passed to the win_iis_webbinding module in an acceptable format?
OK, I don't know if you are still looking for the answer, but I was. win_certificate_store returns a dictionary with the key 'thumbprints' tied to a list:
TASK [Debug thumbprints variable] **************************************************************************************************************************************************
task path: /home/weseroot/.ansible/roles/certman/tasks/import_bind_cert.yml:17
ok: [10.0.0.5] => {
    "cert_import.thumbprints": [
        "C85F1FC23B89DFB88416EDFAE9C91C586515C8ED"
    ]
}
You will want to do something like this:
- name: Import certificate to Target local cert store
  win_certificate_store:
    path: C:\Certs\{{ansible_hostname}}.cert.p12
    file_type: pkcs12
    password: XXXXXXXXXX
    store_location: LocalMachine
    key_storage: machine
    state: present
  register: cert_import

- name: Debug thumbprints variable
  debug:
    var: cert_import.thumbprints

- name: Bind the issued certificate to Default Web Site in IIS
  win_iis_webbinding:
    name: Default Web Site
    protocol: https
    port: 443
    # thumbprints is a list; pass a single thumbprint string, not the list
    certificate_hash: "{{ cert_import.thumbprints[-1] }}"
    state: present
I want to create an SSL certificate and try to secure this operation.
I am using Puppet 5.5.2 and the gem hiera-eyaml.
I created a simple manifest:
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
package { 'tree':
  ensure => installed,
}

package { 'httpd':
  ensure => installed,
}

$filecrt = lookup('files')
create_resources( 'file', $filecrt )
Hiera config:
---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Secret data: per-node, per-datacenter, common"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{facts.fqdn}.eyaml"
      - "nodes/%{trusted.certname}.eyaml" # Include explicit file extension
      - "location/%{facts.whereami}.eyaml"
      - "common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
  - name: "YAML hierarchy levels"
    paths:
      - "common.yaml"
      - "nodes/%{facts.fqdn}.yaml"
      - "nodes/%{::trusted.certname}.yaml"
And common.yaml:
---
files:
'/etc/httpd/conf/server.crt':
ensure: present
mode: '0600'
owner: 'root'
group: 'root'
content: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'
But I have an error while applying the manifest:
Error: Evaluation Error: Error while evaluating a Function Call, create_resources(): second argument must be a hash (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 12, column: 1) on node test1.com
I really don't know what to do :)
The problem appears to be that the indentation in common.yaml isn't right; currently, files will be null rather than a hash, which explains the error message. Also, the file should be called common.eyaml, otherwise the ENC string won't be decrypted. Try:
---
files:
  '/etc/httpd/conf/server.crt':
    ensure: present
    mode: '0600'
    owner: 'root'
    group: 'root'
    content: 'ENC[PKCS7,{LOTS_OF_STRING_SKIPPED}UXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'
There is an online YAML parser at http://yaml-online-parser.appspot.com/ if you want to see the difference the indentation makes.
Found another solution.
It was a problem with lookup and hashes. When I have multiple lines in a hiera hash, I must specify them: https://docs.puppet.com/puppet/4.5/function.html#lookup
So I decided to use only the 'content' variable for the lookup:
cat site.pp
$filecrt = lookup('files')

file { 'server.crt':
  ensure  => present,
  path    => '/etc/httpd/conf/server.crt',
  content => $filecrt,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
}
and Hiera:
---
files: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'
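The two answers above rest on two checks that are easy to reproduce offline: whether the YAML nesting makes lookup('files') a hash or nil, and whether an ENC[PKCS7,...] value actually round-trips through the PKCS7 key pair the hierarchy points at. The script below is an added example written for this page, not hiera-eyaml's code and not either answerer's; it generates a throwaway RSA key and self-signed certificate in place of private_key.pkcs7.pem / public_key.pkcs7.pem, uses the same OpenSSL PKCS7 enveloped-data calls that the hiera-eyaml PKCS7 encryptor uses, and the YAML documents, key names and certificate text are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Added example, not hiera-eyaml's or the answers' own code. Two checks:
# (1) how YAML indentation decides whether lookup('files') is a Hash or nil,
# (2) what an ENC[PKCS7,...] token is and how it decrypts with the key pair.

# Mis-indented document (constructed): the file path is a sibling of 'files',
# so 'files' maps to nil and create_resources() rejects it.
BROKEN_YAML = <<~YAML
  ---
  files:
  '/etc/httpd/conf/server.crt':
    ensure: present
    mode: '0600'
YAML

# Correctly nested document (constructed); %<token>s is filled with an ENC[...] value.
GOOD_YAML = <<~YAML
  ---
  files:
    '/etc/httpd/conf/server.crt':
      ensure: present
      mode: '0600'
      owner: 'root'
      group: 'root'
      content: '%<token>s'
YAML

# What lookup('files') would hand to create_resources().
def lookup_files(yaml_text)
  YAML.safe_load(yaml_text)['files']
end

# Throwaway RSA key and self-signed cert standing in for
# private_key.pkcs7.pem / public_key.pkcs7.pem (constructed, never reuse).
def make_keypair
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=eyaml example')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Encrypt to the public cert as PKCS7 enveloped data, base64 the DER, and
# wrap it in the ENC[PKCS7,...] marker that the eyaml backend looks for.
def eyaml_encrypt(cert, plaintext)
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext,
                              OpenSSL::Cipher.new('aes-256-cbc'),
                              OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

ENC_TOKEN = /\AENC\[PKCS7,([A-Za-z0-9+\/=\s]+)\]\z/

# Reverse of eyaml_encrypt: needs the private key (and the cert as recipient).
def eyaml_decrypt(key, cert, token)
  m = ENC_TOKEN.match(token)
  raise ArgumentError, 'not an ENC[PKCS7,...] token' unless m
  OpenSSL::PKCS7.new(Base64.decode64(m[1])).decrypt(key, cert)
end

# Decrypt every ENC[...] leaf of a looked-up hash, leaving other values alone.
def decrypt_tree(key, cert, node)
  case node
  when Hash   then node.transform_values { |v| decrypt_tree(key, cert, v) }
  when Array  then node.map { |v| decrypt_tree(key, cert, v) }
  when String then node.start_with?('ENC[') ? eyaml_decrypt(key, cert, node) : node
  else node
  end
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_keypair
  token = eyaml_encrypt(cert, "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
  puts lookup_files(BROKEN_YAML).inspect   # => nil
  puts decrypt_tree(key, cert, lookup_files(format(GOOD_YAML, token: token))).inspect
end
```

Note that a value which only matches ENC[...] is decrypted when the file sits in the eyaml hierarchy level; a plain YAML level hands the ENC[...] string through untouched, which is the second point the first answer makes about naming the file common.eyaml.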
My Puppet manifest looks like this:
$abrt_config = [ 'abrt.conf', 'abrt-action-save-package-data.conf' ]

file { $abrt_config:
  ensure => present,
  path   => "/etc/abrt/${abrt_config}",
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
  source => "puppet:///modules/abrt/${abrt_config}",
}
My config files are located at the following paths:
/abrt/files/abrt.conf
/abrt/files/abrt-action-save-package-data.conf
I'm getting the following error when executing Puppet on the client nodes:
Error: /Stage[main]/Abrt/File[/etc/abrt/abrt-action-save-package-data.conf]: Could not evaluate: Could not retrieve information from environment development source(s) puppet:///modules/abrt//etc/abrt/abrt.conf/etc/abrt/abrt-action-save-package-data.conf
Error: /Stage[main]/Abrt/File[/etc/abrt/abrt.conf]: Could not evaluate: Could not retrieve information from environment development source(s) puppet:///modules/abrt//etc/abrt/abrt.conf/etc/abrt/abrt-action-save-package-data.conf
You cannot implicitly convert an array to a string in the source attribute like that and expect desired behavior.
If you are using a non-obsolete version of Puppet, then you can use a lambda iterator to solve this problem in the following way:
['abrt.conf', 'abrt-action-save-package-data.conf'].each |$abrt_config| {
  file { $abrt_config:
    ensure => present,
    path   => "/etc/abrt/${abrt_config}",
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/abrt/${abrt_config}",
  }
}
Check the documentation here for more details: https://docs.puppet.com/puppet/4.8/function.html#each
I am new to Node application deployment. I am using flightplan.js for automated deployments; however, in most of the documents I have seen it is only about passwordless deployments where a user's key is added to the server. I want to set up the target so that I can specify the location of the pem file in order to log in to the server. Is there a way to do that? Right now the target looks like this:
plan.target('staging', [
  {
    host: 'xxx.xxx.xxx',
    username: username,
    agent: process.env.SSH_AUTH_SOCK
  }
]);
I would like to have something where I can pass the pem file path as well, something like this:
plan.target('staging', [
  {
    host: 'xxx.xxx.xxx',
    username: username,
    key: PATH_TO_KEY,
    agent: process.env.SSH_AUTH_SOCK
  }
]);
You can add your pem files like this:
plan.target('staging', [
  {
    host: 'xxx.xxx.xxx',
    username: username,
    privateKey: 'path/to/file/key.pem',
    agent: process.env.SSH_AUTH_SOCK
  }
]);