The puppetmaster1001.eqiad.wmnet puppet certificate was revoked some time ago for an unknown reason. An updated certificate needs to be created very carefully.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | aborrero | T178717 Upgrade wmcs instances and masters to puppet 4.8
Resolved | | None | T177254 Upgrade to puppet 4 (4.8 or newer)
Resolved | | herron | T180167 Update puppetmaster1001 puppet certificate
Event Timeline
Puppetmaster1001 is not only a puppet master but also the CA server, so we need to be very cautious.
Typically recreating an agent cert is along these lines:
- on agent: puppet agent --disable "regenerating cert"
- on agent: mv /var/lib/puppet/ssl /var/lib/puppet/ssl.orig
- on master: puppet cert clean fqdn_of_agent
- on agent: puppet agent --enable
- on agent: puppet agent -t
- on master: puppet cert sign fqdn_of_agent
However, on puppetmaster1001 there are additional private keys in /var/lib/puppet/ssl/private_keys as well as the /var/lib/puppet/ssl/certs/puppet.pem cert, so we need to be more precise and move only the revoked cert aside. It's also both the agent and master in this case. So something like this (all commands on puppetmaster1001):
- puppet agent --disable "regenerating cert"
- cp -a /var/lib/puppet/ssl /var/lib/puppet/ssl.bak-$date
- cp -a /var/lib/puppet/server /var/lib/puppet/server.bak-$date (paranoia)
- mv /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/ca.pem.bak-$date
- mv /var/lib/puppet/ssl/certs/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/certs/puppetmaster1001.eqiad.wmnet.pem.bak-$date
- mv /var/lib/puppet/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem.bak-$date
- mv /var/lib/puppet/ssl/public_keys/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/public_keys/puppetmaster1001.eqiad.wmnet.pem.bak-$date
- puppet cert clean puppetmaster1001.eqiad.wmnet
- puppet agent --enable
- puppet agent -t
- puppet cert sign puppetmaster1001.eqiad.wmnet
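The selective move-aside steps from the comment above, as an added shell example that is not part of this task or of Puppet itself: it backs up the whole tree, then moves only the four host-specific files, and refuses to change anything if a preflight check fails. The helper names (host_ssl_files, stash_host_ssl_files) are invented here; the CA directory ssl/ca is the standard Puppet layout.

```shell
#!/bin/sh
# Added example: move aside only the host-specific puppet SSL files on a
# combined agent + CA master, as the comment above describes, but refuse to
# touch anything unless every expected file is present and no backup with
# the same stamp exists, so a typo cannot leave the directory half-moved.
# Helper names (host_ssl_files, stash_host_ssl_files) are invented here.
set -eu

# The four files the comment moves aside. certs/puppet.pem, the other keys
# in private_keys/ and the CA's own material (ssl/ca/ in the standard
# layout) are deliberately not listed and are never touched.
host_ssl_files() {
    ssldir=$1; fqdn=$2
    printf '%s\n' \
        "$ssldir/certs/ca.pem" \
        "$ssldir/certs/$fqdn.pem" \
        "$ssldir/private_keys/$fqdn.pem" \
        "$ssldir/public_keys/$fqdn.pem"
}

# Usage: stash_host_ssl_files /var/lib/puppet/ssl puppetmaster1001.eqiad.wmnet "$(date +%F)"
# Returns 1 without changing anything if a preflight check fails.
stash_host_ssl_files() {
    ssldir=$1; fqdn=$2; stamp=$3
    for f in $(host_ssl_files "$ssldir" "$fqdn"); do
        [ -f "$f" ] || { echo "preflight: missing $f" >&2; return 1; }
        [ ! -e "$f.bak-$stamp" ] || { echo "preflight: $f.bak-$stamp exists" >&2; return 1; }
    done
    [ ! -e "$ssldir.bak-$stamp" ] || { echo "preflight: $ssldir.bak-$stamp exists" >&2; return 1; }
    # Whole-tree copy first (the comment's paranoia step), then the selective moves.
    cp -a "$ssldir" "$ssldir.bak-$stamp"
    for f in $(host_ssl_files "$ssldir" "$fqdn"); do
        mv "$f" "$f.bak-$stamp"
    done
    echo "moved aside host files for $fqdn; full copy in $ssldir.bak-$stamp"
}
```

Run it between the `puppet agent --disable` and `puppet cert clean` steps; the whole-tree copy is what you restore from if the re-sign goes wrong.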
To reduce risk I think we should tackle this after depooling the eqiad puppet masters for upgrades