Page MenuHomePhabricator
Create Task
Maniphest T150823

Puppet CA rollover
Closed, InvalidPublic
Actions

Description

We'll need to rollover the Puppet CA mostly to switch to 2k certs and unblock general usage of host certs for high traffic applications. Open questions:

  • is there a smarter way for CA rollover and how to do it?
  • details needed on how puppet manages the CA
  • puppet management of the CA, how much is it embedded?
  • can puppet generate/add SANs

Related Objects
Search...

Event Timeline

fgiunchedi created this task.Nov 16 2016, 1:27 AM
fgiunchedi created this object with visibility "Custom Policy".
fgiunchedi changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 23 2016, 5:03 PM
Krenair subscribed.Nov 23 2016, 5:09 PM

Be wary of T150058 and Elastic's use of this CA

Volans subscribed.Nov 25 2016, 9:46 AM

And also of T111654 for MariaDB's usage of this CA. Adding DBA

Joe subscribed.Nov 25 2016, 9:56 AM

There are other systems using this CA, namely etcd.

I would suggest the right course of action for all apps is:

  1. create a new CA key/cert
  2. Install it as a trusted CA on all live systems
  3. Audit how applications use the puppet cert, most will just need a rolling restart once we're done
  4. Do the CA rollout for puppet. We did this in the past, details on how it was done here https://wikitech.wikimedia.org/wiki/Puppet_CA_replacement but I think there are simpler ways to do it
  5. Once puppet has run everywhere, new signed certs will be available; we should check which applications will need a restart and which will not. Since both the old and the new CA will be trusted, nothing should stop working.
  6. Remove the old CA once we're done
fgiunchedi added a comment.Nov 29 2016, 11:55 PM

Also re: the rollover, we should switch to deploying multiple CA certificates. This would also avoid refresh problems during rollover (e.g. /etc/ssl/certs not being updated in T150058 and T145609)

fgiunchedi mentioned this in T150058: update-ca-certificates, run via puppets sslcert module, doesn't update symlinks to replaced certificates.Nov 29 2016, 11:55 PM
fgiunchedi mentioned this in T145609: Puppet sslcert::ca does not refresh the certificate symlinks when a .crt is updated.
fgiunchedi triaged this task as Medium priority.Nov 30 2016, 1:15 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:56 PM
fgiunchedi closed this task as Invalid.Apr 29 2022, 12:40 PM

IIRC we did a "rollover" (extend certificate expiration, keeping the private key) for puppet CA, resolving this old task

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL