I don't understand how to solve chicken or the egg problem when automating the installation of the servers.
I have a series of servers which can be rebuilt through PXE. When a machine is being rebuilt, it loads all the settings it needs—including its private certificate it will use to authenticate itself when using different services later on—from an Apache server. This Apache server identifies the clients by their IP addresses in order to either serve them the configuration or the certificate intended for a given server, or refuse to serve it.
However, the IP address of a client could be spoofed. Same for MAC address, if at some point I add this sort of verification too.
In order to grab its configuration and its private certificate safely, the machine which boots through PXE should therefore already have a certificate that it could use when communicating with Apache server. This, however, doesn't look possible, as a machine which boots from PXE is either fresh new, or will format its disk anyway during the installation.
Am I missing something? How can I identify a fresh new machine without the risk of spoofing?
Should I use an always connected USB key which contains the private key? Or are there other options?
We use the foreman's bootdisk plugin for this purpose. I do not imply it's the correct or unique way, it's what we use successfully.
Everytime a host needs to be (re)provisioned, a short lived token gets generated and it's kept on the database coupled to the host. This token goes into an iso file with the ipxe binary and a script that downloads the kicstart file from the provisioning host only if it offers the right token as identifier. Once the host is provisioned, the token gets deleted. After a specific (tunable, out of the top of my head defaults to 60 minutes) the token is invalidated.
This works with both bios as uefi firmware, and no need for pxe, just http(s) so you could really have internet deployments with few modifications (handy for deploying hardware on remote locations).