We are using cergen to handle the TLS certificates installed on swift. The work being done in T204245 requires that we add swift.discovery.wmnet to the subjectAltName of both the eqiad and codfw certificates.
To do so, I've modified swift.certs.yaml as follows:
root@puppetmaster1001:/srv/private# git show eda03d0e72838e56a74b39d487405e19a790612b
commit eda03d0e72838e56a74b39d487405e19a790612b
Author: gitpuppet for private repo <git@puppetmaster1001.eqiad.wmnet>
Date: Wed Apr 10 09:26:35 2019 +0000
(ema) swift certs: add swift.discovery.wmnet to subjectAltName
Bug: T204245
diff --git a/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml b/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml
index 22d99a5..dba48f2 100644
--- a/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml
+++ b/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml
@@ -4,13 +4,13 @@
swift_eqiad:
authority: puppet_ca
expiry: null
- alt_names: [ms-fe.svc.eqiad.wmnet,swift.svc.eqiad.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,upload.wikimedia.org]
+ alt_names: [ms-fe.svc.eqiad.wmnet,swift.svc.eqiad.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,swift.discovery.wmnet,upload.wikimedia.org]
key:
algorithm: ec
swift_codfw:
authority: puppet_ca
expiry: null
- alt_names: [ms-fe.svc.codfw.wmnet,swift.svc.codfw.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,upload.wikimedia.org]
+ alt_names: [ms-fe.svc.codfw.wmnet,swift.svc.codfw.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,swift.discovery.wmnet,upload.wikimedia.org]
key:
algorithm: ecAccording to cergen's documentation: cergen will attempt to generate any files for certificates declared in its manifests that are not PRESENT. I thus have tried removing and recreating swift_codfw.crt.pem. That crashed cergen as follows:
root@puppetmaster1001:/srv/private# mv /srv/private/modules/secret/secrets/certificates/swift_codfw/swift_codfw.crt.pem /tmp/
root@puppetmaster1001:/srv/private# cergen --generate -c swift_codfw --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/
2019-04-10 09:59:38,334 INFO cergen Generating certificates ['swift_codfw'] with force=False
2019-04-10 09:59:38,334 INFO Certificate(swift_codfw) Generating all files, force=False...
2019-04-10 09:59:38,334 WARNING Key(swift_codfw) /srv/private/modules/secret/secrets/certificates/swift_codfw/swift_codfw.key.private.pem already exists, skipping key generation...
2019-04-10 09:59:38,334 INFO Certificate(swift_codfw) Generating certificate file
/usr/lib/python3/dist-packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
2019-04-10 09:59:38,398 WARNING PuppetCA(puppetmaster1001.eqiad.wmnet_8140) CSR for swift_codfw to puppetmaster1001.eqiad.wmnet_8140 has already been submitted and signed. Not submitting again.
Traceback (most recent call last):
File "/usr/bin/cergen", line 11, in <module>
load_entry_point('cergen==0.2.3', 'console_scripts', 'cergen')()
File "/usr/lib/python3/dist-packages/cergen/main.py", line 93, in main
certificate.generate(force=args['--force'])
File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 291, in generate
self.generate_crt(force=force)
File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 330, in generate_crt
f.write(self.cert.public_bytes(serialization.Encoding.PEM))
AttributeError: 'NoneType' object has no attribute 'public_bytes'Running cergen --force also produces the same crash:
root@puppetmaster1001:/srv/private# cergen --generate --force -c swift_codfw --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/
2019-04-10 10:03:01,278 INFO cergen Generating certificates ['swift_codfw'] with force=True
2019-04-10 10:03:01,278 INFO Certificate(swift_codfw) Generating all files, force=True...
2019-04-10 10:03:01,279 INFO Certificate(swift_codfw) Generating certificate file
/usr/lib/python3/dist-packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
2019-04-10 10:03:01,340 WARNING PuppetCA(puppetmaster1001.eqiad.wmnet_8140) CSR for swift_codfw to puppetmaster1001.eqiad.wmnet_8140 has already been submitted and signed. Not submitting again.
Traceback (most recent call last):
File "/usr/bin/cergen", line 11, in <module>
load_entry_point('cergen==0.2.3', 'console_scripts', 'cergen')()
File "/usr/lib/python3/dist-packages/cergen/main.py", line 93, in main
certificate.generate(force=args['--force'])
File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 291, in generate
self.generate_crt(force=force)
File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 330, in generate_crt
f.write(self.cert.public_bytes(serialization.Encoding.PEM))
AttributeError: 'NoneType' object has no attribute 'public_bytes'Just before the exception, cergen logs a warning saying that a signing request for swift_codfw has been submitted already, so that might be a reason for the crashes?
I think that:
- this use case should be documented
- cergen shouldn't throw an exception