Page MenuHomePhabricator
Create Task
Maniphest T184444

Puppet hosts with their cert revoked can still run puppet
Closed, ResolvedPublic
Actions

Description

As discovered in T177374: decom wtp1001-wtp1024 hosts that are formally decom'd in the puppet CA (i.e. puppet cert list --all doesn't show the cert) can still run puppet successfully. In the wtp case reactivating the host in puppetdb and thus the host showing up in monitoring.

In practical terms this means enforcing checking puppet ca's crl when hosts are talking to puppet master(s)

Details

SubjectRepoBranchLines +/-
add support for SSLCARevocationCheck setting in puppetmaster frontendoperations/puppetproduction+23 -8
puppetmaster::ssl: fix crl file suffixoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

fgiunchedi created this task.Jan 8 2018, 3:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 8 2018, 3:44 PM
akosiaris mentioned this in T177374: decom wtp1001-wtp1024.Jan 8 2018, 3:46 PM
Volans subscribed.Jan 8 2018, 4:03 PM
MoritzMuehlenhoff subscribed.Jan 10 2018, 1:40 PM
herron subscribed.Jan 11 2018, 3:05 PM
herron added a comment.Jan 11 2018, 6:46 PM
This comment was removed by herron.
herron added a comment.Jan 11 2018, 6:58 PM

Removed the previous comment after realizing those symlinks of course point to the same file!

It looks like SSLCARevocationCheck defaults to none and is currently unset in our config. So we should try setting this to chain. I'll work on testing this.

Stashbot subscribed.Jan 16 2018, 5:45 PM

Mentioned in SAL (#wikimedia-operations) [2018-01-16T17:45:52Z] <herron> disabled puppet agents troubleshooting T184444

herron added a comment.Jan 16 2018, 5:56 PM

Tried setting SSLCARevocationCheck chain on puppetmaster1001 with agents disabled across the fleet. It resulted in a failed run with the below error.

Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=unknown state: tlsv1 alert unknown ca
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Ottomata triaged this task as High priority.Jan 16 2018, 7:43 PM
herron claimed this task.Jan 16 2018, 8:44 PM

After some further testing this combination of SSLCARevocation settings appears to work.

SSLCARevocationFile     /var/lib/puppet/server/ssl/ca/ca_crl.pem
SSLCARevocationCheck    leaf

Puppet runs complete successfully before revoking the cert. After revoking this happens (output from puppet agent -t)

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked

Oddly, the same config with SSLCARevocationCheck chain still allowed agents with revoked certificates to run. Not yet sure why that would be the case.

I'll prep a patch for review.

Krenair subscribed.Jan 16 2018, 8:47 PM
gerritbot subscribed.Jan 16 2018, 10:16 PM

Change 404587 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] puppetmaster::ssl: fix crl file suffix

https://gerrit.wikimedia.org/r/404587

gerritbot added a project: Patch-For-Review.Jan 16 2018, 10:16 PM
herron added a comment.Jan 16 2018, 10:30 PM

Did some further testing and have a fix that better integrates with our puppetization and works with SSLCARevocationCheck chain

It looks like the tlsv1 alert unknown ca encountered earlier was caused by a bug in puppetmaster::ssl where a symlink to the crl is created with file suffix .0 instead of .r0

After placing a symlink of /var/lib/puppet/server/ssl/crl/c5aaad6f.r0 -> /var/lib/puppet/server/ssl/ca/ca_crl.pem enabling SSLCARevocationCheck chain in apache causes puppet agents with revoked certificates to fail as expected.

So, the first patch is a fix for puppetmaster::ssl (to persist what has been fixed manually on puppetmaster1001) and I'll continue working tomorrow on a patch to conditionally set SSLCARevocationCheck in the apache frontend template.

fgiunchedi awarded a token.Jan 17 2018, 10:07 AM
gerritbot added a comment.Jan 17 2018, 3:29 PM

Change 404689 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] add support for SSLCARevocationCheck setting in puppetmaster frontend

https://gerrit.wikimedia.org/r/404689

gerritbot added a comment.Jan 18 2018, 2:46 PM

Change 404587 merged by Herron:
[operations/puppet@production] puppetmaster::ssl: fix crl file suffix

https://gerrit.wikimedia.org/r/404587

gerritbot added a comment.Jan 18 2018, 2:49 PM

Change 404689 merged by Herron:
[operations/puppet@production] add support for SSLCARevocationCheck setting in puppetmaster frontend

https://gerrit.wikimedia.org/r/404689

herron added a comment.EditedJan 18 2018, 5:46 PM

CRL is now being checked by the puppet master apache frontends.

There were a few issues encountered after deployment

  1. puppetmaster1001 certificate had been revoked - a fresh certificate for puppetmaster1001 was generated and signed today
  2. simliar to #1 a few nodes were also running with revoked certs - these certs were regenerated and signed
  3. some nodes are running with a valid signed certificate that somehow is not present on the puppet master (do not appear in puppet cert list, or /var/lib/puppet/server/ssl/ca/signed on puppetmaster1001).

#3 is complicated by the fact that some hosts are exposing their puppet certificate/key to be used by other applications.

A full list fo nodes and current status is tracked at https://etherpad.wikimedia.org/p/volans-tmp3

herron mentioned this in T185239: Puppet hosts with signed certificate present on agent but not master.Jan 18 2018, 6:41 PM
herron closed this task as Resolved.Jan 22 2018, 2:16 PM

Resolving this task as agents with revoked certs are no longer able to run puppet.

Follow-up task for issue 3 above (hosts with a valid signed certificate present on the agent but not the master) is T185239

238482n375 removed herron as the assignee of this task.Jun 15 2018, 8:03 AM
238482n375 lowered the priority of this task from High to Lowest.
238482n375 moved this task from Next Up to In Code Review on the Analytics-Kanban board.
238482n375 added projects: Analytics-Kanban, acl*security, Wikimedia-VE-Campaigns (S2-2018), Scap (Scap3-Adoption-Phase2), AbuseFilter, Data-release, Hashtags, LabsDB-Auditor, Ladies-That-FOSS-MediaWiki, Language-2018-Apr-June, Language-2018-Jan-Mar, HHVM, HAWelcome.
238482n375 edited subscribers, added: 238482n375; removed: Aklapper.
This comment was removed by Volans.
238482n375 set Security to Software security bug.Jun 15 2018, 8:06 AM
238482n375 changed the visibility from "Public (No Login Required)" to "Custom Policy".
This comment was removed by Volans.
Volans changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 15 2018, 8:32 AM
Volans assigned this task to herron.Jun 15 2018, 8:35 AM
Volans raised the priority of this task from Lowest to High.
Volans removed projects: HAWelcome, HHVM, Language-2018-Jan-Mar, Language-2018-Apr-June, Ladies-That-FOSS-MediaWiki, LabsDB-Auditor, Hashtags, Data-release, AbuseFilter, Scap (Scap3-Adoption-Phase2), Wikimedia-VE-Campaigns (S2-2018), acl*security, Analytics-Kanban.
Volans edited subscribers, added: Aklapper; removed: 238482n375.
Restricted Application added a project: acl*security. · View Herald TranscriptJun 15 2018, 8:35 AM
Aklapper removed a project: acl*security.Jun 19 2018, 6:02 PM
jbond closed subtask T185239: Puppet hosts with signed certificate present on agent but not master as Resolved.Aug 4 2022, 11:34 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptAug 4 2022, 11:34 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 4 2022, 12:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits