
Puppet hosts with signed certificate present on agent but not master
Open, Medium, Public

Description

After deploying the Apache CRL check setting to address T184444 several hosts have been found in an unusual state where:

  • a signed certificate is present on the agent/server and...
  • the certificate has not been revoked but...
  • the signed certificate is not present on the puppet master

Normally this could be addressed simply by generating and signing new certificates, but this is complicated by the fact that systems are exposing (via base::expose_puppet_certs) their puppet certificates for use in other applications.

Below are systems exposing their puppet cert/key for use in other applications. Let's review each for impact and potential issues before proceeding with generating/signing new puppet certs.

(check off after new puppet cert has been generated and signed)

  • cp1052.eqiad.wmnet
  • es2014.codfw.wmnet
  • ganeti2001.codfw.wmnet
  • ms-be2021.codfw.wmnet
  • mw2105.codfw.wmnet
  • mw2121.codfw.wmnet
  • mw2131.codfw.wmnet
  • mw2132.codfw.wmnet
  • mw2144.codfw.wmnet
  • mw2191.codfw.wmnet
  • mw2193.codfw.wmnet
  • mw2206.codfw.wmnet
  • mw2229.codfw.wmnet
  • mw2231.codfw.wmnet
  • mw2240.codfw.wmnet
  • rdb2002.codfw.wmnet
  • wtp2005.codfw.wmnet
  • wtp2020.codfw.wmnet
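
The three-way condition in the description (certificate signed by the CA, serial not on the CRL, no copy under the master's signed directory) can be checked mechanically before deciding which hosts need fresh certs. The script below is an added illustration, not part of this task or of Puppet's own tooling. It builds a throwaway OpenSSL CA in a temp directory to stand in for the Puppet CA, uses a few of the hostnames listed above purely as labels for constructed fixture certs, and assumes the master's layout is <cadir>/ca.pem, <cadir>/ca_crl.pem and <cadir>/signed/<certname>.pem (Puppet's default cadir layout, but treated as an assumption here; on a real master use the path printed by puppet config print cadir and run classify against the agent's cert).

```shell
#!/bin/sh
# Classify a Puppet agent certificate against the CA's records.
# Assumed layout (Puppet's default cadir, treated as an assumption here):
#   $CADIR/ca.pem                  CA certificate
#   $CADIR/ca_crl.pem              CA's CRL
#   $CADIR/signed/<certname>.pem   the master's copy of each signed agent cert
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"

# classify <agent-cert.pem> <cadir>  ->  untrusted | revoked | present | orphaned
classify() {
  cert=$1; cadir=$2
  # Not issued by this CA at all (e.g. a cert left over from a rebuilt CA)
  if ! openssl verify -CAfile "$cadir/ca.pem" "$cert" >/dev/null 2>&1; then
    echo untrusted; return
  fi
  # Serial listed in the CRL: revoked, whatever the master's signed/ dir says
  serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
  if [ -f "$cadir/ca_crl.pem" ] &&
     openssl crl -in "$cadir/ca_crl.pem" -noout -text | grep -q "Serial Number: ${serial}\$"; then
    echo revoked; return
  fi
  # Master holds a byte-identical copy (compare fingerprints, not just the file name)
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//')
  master="$cadir/signed/$cn.pem"
  if [ -f "$master" ] &&
     [ "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)" = \
       "$(openssl x509 -in "$master" -noout -fingerprint -sha256)" ]; then
    echo present; return
  fi
  # Signed by the CA, not revoked, but the master has no copy: the state this task describes
  echo orphaned
}

# Constructed fixture: a throwaway OpenSSL CA standing in for the Puppet CA.
make_fixture() {
  mkdir -p "$CADIR/signed" "$WORK/agents"
  : > "$CADIR/index.txt"; echo 1000 > "$CADIR/serial"; echo 1000 > "$CADIR/crlnumber"
  cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy
x509_extensions = leaf
[ demo_policy ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Puppet CA: demo" \
    -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" 2>/dev/null
  for h in mw2105 mw2121 mw2131; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$h.codfw.wmnet" \
      -keyout "$WORK/agents/$h.key" -out "$WORK/$h.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/ca.cnf" \
      -in "$WORK/$h.csr" -out "$WORK/agents/$h.pem" 2>/dev/null
    cp "$WORK/agents/$h.pem" "$CADIR/signed/$h.codfw.wmnet.pem"
  done
  # mw2121: revoked, and the master's copy cleaned up
  openssl ca -batch -config "$CADIR/ca.cnf" -revoke "$WORK/agents/mw2121.pem" 2>/dev/null
  rm "$CADIR/signed/mw2121.codfw.wmnet.pem"
  openssl ca -batch -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca_crl.pem" 2>/dev/null
  # mw2131: never revoked, but the master's copy is missing (the task's condition)
  rm "$CADIR/signed/mw2131.codfw.wmnet.pem"
  # cp1052: self-signed, i.e. not issued by this CA at all
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cp1052.eqiad.wmnet" \
    -keyout "$WORK/agents/cp1052.key" -out "$WORK/agents/cp1052.pem" 2>/dev/null
}

make_fixture
for h in mw2105 mw2121 mw2131 cp1052; do
  printf '%-8s %s\n' "$h" "$(classify "$WORK/agents/$h.pem" "$CADIR")"
done
```

Only hosts that classify as orphaned are in the state described here; a host that comes back revoked or untrusted needs a new cert regardless, and one that comes back present is healthy. Checking the CRL before the signed/ directory matters because a revoked cert can still have a stale copy on the master.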

Event Timeline

herron triaged this task as Medium priority. Jan 18 2018, 6:41 PM
herron created this task.
herron updated the task description. Jan 18 2018, 6:44 PM
ema moved this task from Triage to General on the Traffic board.
herron updated the task description. Jan 22 2018, 2:06 PM

ganeti2001, wtp2005, wtp2020 only use that cert for rsyslog and not for any service, so we can refresh the puppet certs for them whenever we want

herron updated the task description. Jan 22 2018, 8:29 PM

Thanks @akosiaris! ganeti2001, wtp2005, wtp2020 puppet certs have been refreshed.

herron added subscribers: ema, elukey. Feb 2 2018, 6:02 PM
Aklapper removed herron as the assignee of this task. Jun 19 2020, 4:19 PM

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

BBlack updated the task description. Sep 29 2020, 8:49 PM
BBlack removed a project: Traffic.
BBlack added a subscriber: BBlack.

lvs100[789] don't exist anymore, removing Traffic from this.