Update puppetmaster1001 puppet certificate
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	herron
	Nov 9 2017, 8:52 PM

Description

The puppetmaster1001.eqiad.wmnet puppet certificate was revoked some time ago for an unknown reason. An updated certificate needs to be created very carefully.

Related Objects
Search...

Status	Assigned	Task
Resolved	aborrero	T178717 Upgrade wmcs instances and masters to puppet 4.8
Resolved	None	T177254 Upgrade to puppet 4 (4.8 or newer)
Resolved	herron	T180167 Update puppetmaster1001 puppet certificate

Event Timeline

herron created this task.Nov 9 2017, 8:52 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 9 2017, 8:52 PM

Paladox subscribed.Nov 9 2017, 8:53 PM

herron mentioned this in T179099: puppetmaster hostcert and hostprivkey point to nonexistent files.Nov 9 2017, 8:53 PM

herron added a parent task: T177254: Upgrade to puppet 4 (4.8 or newer).

Puppetmaster1001 is not only a puppet master but the ca server so we need to be very cautious.

Typically recreating an agent cert is along these lines:

on agent: puppet agent --disable "regenerating cert"
on agent: mv /var/lib/puppet/ssl /var/lib/puppet/ssl.orig
on master: puppet cert clean fqdn_of_agent
on agent: puppet agent --enable
on agent: puppet agent -t
on master: puppet cert sign fqdn_of_agent

However, on puppetmaster1001 there are additional private keys in /var/lib/puppet/ssl/private_keys as well as the /var/lib/puppet/ssl/certs/puppet.pem cert, so we need to be more precise and move only the revoked cert aside. It's also both the agent and master in this case. So something like this (all commands on puppetmaster1001)

puppet agent --disable "regenerating cert"
cp -a /var/lib/puppet/ssl /var/lib/puppet/ssl.bak-$date
cp -a /var/lib/puppet/server /var/lib/puppet/server.bak-$date (paranoia)
mv /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/ca.pem.bak-$date
mv /var/lib/puppet/ssl/certs/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/certs/puppetmaster1001.eqiad.wmnet.pem.bak-$date
mv /var/lib/puppet/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem.bak-$date
mv /var/lib/puppet/ssl/public_keys/puppetmaster1001.eqiad.wmnet.pem /var/lib/puppet/ssl/public_keys/puppetmaster1001.eqiad.wmnet.pem.bak-$date
puppet cert clean puppetmaster1001.eqiad.wmnet
puppet agent --enable
puppet agent -t
puppet cert sign puppetmaster1001.eqiad.wmnet

herron triaged this task as High priority.Nov 9 2017, 9:17 PM

herron added a subscriber: Joe.

To reduce risk I think we should tackle this after depooling the eqiad puppet masters for upgrades

done!

Update puppetmaster1001 puppet certificateClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Update puppetmaster1001 puppet certificate
Closed, ResolvedPublic
Actions

Related Objects
Search...