
Puppet hosts with signed certificate present on agent but not master
Closed, Resolved (Public)

Description

After deploying the Apache CRL check setting to address T184444 several hosts have been found in an unusual state where:

  • a signed certificate is present on the agent/server and...
  • the certificate has not been revoked but...
  • the signed certificate is not present on the puppet master

Normally this could be addressed simply by generating and signing new certificates, but this is complicated by the fact that systems are exposing (via base::expose_puppet_certs) their puppet certificates for use in other applications.

Below are systems exposing their puppet cert/key for use in other applications. Let's review each for impact and potential issues before proceeding with generating/signing new puppet certs.

(check off after new puppet cert has been generated and signed)

  • cp1052.eqiad.wmnet - decommissioned T208584
  • es2014.codfw.wmnet - decommissioned T262889
  • ganeti2001.codfw.wmnet
  • ms-be2021.codfw.wmnet - decommissioned T272837
  • mw2105.codfw.wmnet - decommissioned (can't find task)
  • mw2121.codfw.wmnet - decommissioned T189111
  • mw2131.codfw.wmnet - decommissioned T189111
  • mw2132.codfw.wmnet - decommissioned T189111
  • mw2144.codfw.wmnet - decommissioned T261524
  • mw2191.codfw.wmnet - decommissioned T261524
  • mw2193.codfw.wmnet - decommissioned T261524
  • mw2206.codfw.wmnet - decommissioned T261524
  • mw2229.codfw.wmnet - decommissioned T277119
  • mw2231.codfw.wmnet - decommissioned T277119
  • mw2240.codfw.wmnet - decommissioned T277119
  • rdb2002.codfw.wmnet - decommissioned T209425
  • wtp2005.codfw.wmnet
  • wtp2020.codfw.wmnet
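
The following is an added example (not from this task or from Puppet itself) showing how the state described above can be detected per host: the agent's certificate is compared by SHA-256 fingerprint against the master's signed copy, and its serial is looked up in the CA's CRL. It assumes the agent certs have been collected into `<dir>/agent/<fqdn>.pem` and the master's signed copies sit in `<dir>/master/<fqdn>.pem` (hypothetical layout); the sample certs are constructed self-signed stand-ins.

```shell
#!/bin/sh
# Added example, not from the task or from Puppet: classify a host's agent
# certificate against the master's signed copy and the CA CRL, to find the
# "signed on agent, not revoked, absent on master" state the task describes.
# Assumed layout (hypothetical): agent certs collected into $agent_dir/<fqdn>.pem,
# the master's signed copies in $master_dir/<fqdn>.pem, CRL in $crl (may be absent).
set -u

# Prints one of: no-agent-cert | revoked | missing-on-master |
# fingerprint-mismatch | consistent
classify_host() {   # usage: classify_host <fqdn> <agent_dir> <master_dir> <crl_file>
  fqdn=$1 agent_dir=$2 master_dir=$3 crl=$4
  agent="$agent_dir/$fqdn.pem"; master="$master_dir/$fqdn.pem"
  [ -f "$agent" ] || { echo no-agent-cert; return 0; }
  # Serial as uppercase hex, the same form `openssl crl -text` prints it in
  serial=$(openssl x509 -in "$agent" -noout -serial | cut -d= -f2)
  if [ -f "$crl" ] && openssl crl -in "$crl" -noout -text | grep -q "Serial Number: $serial\$"; then
    echo revoked; return 0
  fi
  [ -f "$master" ] || { echo missing-on-master; return 0; }
  a=$(openssl x509 -in "$agent" -noout -fingerprint -sha256)
  m=$(openssl x509 -in "$master" -noout -fingerprint -sha256)
  [ "$a" = "$m" ] && echo consistent || echo fingerprint-mismatch
}

# Constructed sample data: throwaway self-signed certs standing in for
# signed puppet certs (no real CA is needed for the comparison itself).
make_sample() {   # usage: make_sample <workdir>
  w=$1; mkdir -p "$w/agent" "$w/master"
  for h in host-a host-b host-c; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$w/$h.key" \
      -out "$w/agent/$h.pem" -subj "/CN=$h.example.invalid" -days 1 2>/dev/null
  done
  cp "$w/agent/host-a.pem" "$w/master/host-a.pem"   # host-a: master copy matches
  # host-b: no copy on the master at all, the state from the task
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$w/c2.key" \
    -out "$w/master/host-c.pem" -subj "/CN=host-c.example.invalid" -days 1 2>/dev/null  # host-c: re-issued, differs
}

audit() {   # usage: audit <workdir>; prints "fqdn state" for every collected agent cert
  for f in "$1"/agent/*.pem; do
    h=$(basename "$f" .pem)
    echo "$h $(classify_host "$h" "$1/agent" "$1/master" "$1/ca.crl")"
  done
}
```

Hosts reported as `missing-on-master` are the ones this task is about; a `fingerprint-mismatch` means the master holds a different issuance than the agent is using.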

Event Timeline

herron triaged this task as Medium priority. Jan 18 2018, 6:41 PM
herron created this task.
ema moved this task from Backlog to General on the Traffic board.

ganeti2001, wtp2005, wtp2020 only use that cert for rsyslog and not for any service so we can refresh the puppet certs for them whenever we want

Thanks @akosiaris! ganeti2001, wtp2005, wtp2020 puppet certs have been refreshed.

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

BBlack removed a project: Traffic.
BBlack added a subscriber: BBlack.

lvs100[789] don't exist anymore, removing Traffic from this.

jbond claimed this task.
jbond updated the task description.
jbond added a subscriber: jbond.

Closing: all servers listed have been decommissioned.