We are using cergen to handle the TLS certificates installed on swift. The work being done in T204245 requires that we add swift.discovery.wmnet to the subjectAltName of both the eqiad and codfw certificates.
To do so, I've modified swift.certs.yaml as follows:
root@puppetmaster1001:/srv/private# git show eda03d0e72838e56a74b39d487405e19a790612b commit eda03d0e72838e56a74b39d487405e19a790612b Author: gitpuppet for private repo <git@puppetmaster1001.eqiad.wmnet> Date: Wed Apr 10 09:26:35 2019 +0000 (ema) swift certs: add swift.discovery.wmnet to subjectAltName Bug: T204245 diff --git a/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml b/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml index 22d99a5..dba48f2 100644 --- a/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml +++ b/modules/secret/secrets/certificates/certificate.manifests.d/swift.certs.yaml @@ -4,13 +4,13 @@ swift_eqiad: authority: puppet_ca expiry: null - alt_names: [ms-fe.svc.eqiad.wmnet,swift.svc.eqiad.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,upload.wikimedia.org] + alt_names: [ms-fe.svc.eqiad.wmnet,swift.svc.eqiad.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,swift.discovery.wmnet,upload.wikimedia.org] key: algorithm: ec swift_codfw: authority: puppet_ca expiry: null - alt_names: [ms-fe.svc.codfw.wmnet,swift.svc.codfw.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,upload.wikimedia.org] + alt_names: [ms-fe.svc.codfw.wmnet,swift.svc.codfw.wmnet,swift-ro.discovery.wmnet,swift-rw.discovery.wmnet,swift.discovery.wmnet,upload.wikimedia.org] key: algorithm: ec
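Review bot: adding swift.discovery.wmnet to alt_names in both the swift_eqiad and swift_codfw stanzas is the whole change, but a manifest edit on its own re-issues nothing: the existing key and .crt.pem files stay in place, and the cergen session on this task shows the PuppetCA authority declining to re-sign a CSR it has already signed. The commit message should record how the two certificates are meant to be regenerated after this change, so whoever applies it does not rely on cergen picking up the new subjectAltName by itself.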
According to cergen's documentation, "cergen will attempt to generate any files for certificates declared in its manifests that are not PRESENT". I have thus tried removing swift_codfw.crt.pem and recreating it. That crashed cergen as follows:
root@puppetmaster1001:/srv/private# mv /srv/private/modules/secret/secrets/certificates/swift_codfw/swift_codfw.crt.pem /tmp/
root@puppetmaster1001:/srv/private# cergen --generate -c swift_codfw --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/
2019-04-10 09:59:38,334 INFO cergen Generating certificates ['swift_codfw'] with force=False
2019-04-10 09:59:38,334 INFO Certificate(swift_codfw) Generating all files, force=False...
2019-04-10 09:59:38,334 WARNING Key(swift_codfw) /srv/private/modules/secret/secrets/certificates/swift_codfw/swift_codfw.key.private.pem already exists, skipping key generation...
2019-04-10 09:59:38,334 INFO Certificate(swift_codfw) Generating certificate file
/usr/lib/python3/dist-packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
2019-04-10 09:59:38,398 WARNING PuppetCA(puppetmaster1001.eqiad.wmnet_8140) CSR for swift_codfw to puppetmaster1001.eqiad.wmnet_8140 has already been submitted and signed. Not submitting again.
Traceback (most recent call last):
  File "/usr/bin/cergen", line 11, in <module>
    load_entry_point('cergen==0.2.3', 'console_scripts', 'cergen')()
  File "/usr/lib/python3/dist-packages/cergen/main.py", line 93, in main
    certificate.generate(force=args['--force'])
  File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 291, in generate
    self.generate_crt(force=force)
  File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 330, in generate_crt
    f.write(self.cert.public_bytes(serialization.Encoding.PEM))
AttributeError: 'NoneType' object has no attribute 'public_bytes'
Running cergen --force also produces the same crash:
root@puppetmaster1001:/srv/private# cergen --generate --force -c swift_codfw --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/
2019-04-10 10:03:01,278 INFO cergen Generating certificates ['swift_codfw'] with force=True
2019-04-10 10:03:01,278 INFO Certificate(swift_codfw) Generating all files, force=True...
2019-04-10 10:03:01,279 INFO Certificate(swift_codfw) Generating certificate file
/usr/lib/python3/dist-packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
2019-04-10 10:03:01,340 WARNING PuppetCA(puppetmaster1001.eqiad.wmnet_8140) CSR for swift_codfw to puppetmaster1001.eqiad.wmnet_8140 has already been submitted and signed. Not submitting again.
Traceback (most recent call last):
  File "/usr/bin/cergen", line 11, in <module>
    load_entry_point('cergen==0.2.3', 'console_scripts', 'cergen')()
  File "/usr/lib/python3/dist-packages/cergen/main.py", line 93, in main
    certificate.generate(force=args['--force'])
  File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 291, in generate
    self.generate_crt(force=force)
  File "/usr/lib/python3/dist-packages/cergen/certificate.py", line 330, in generate_crt
    f.write(self.cert.public_bytes(serialization.Encoding.PEM))
AttributeError: 'NoneType' object has no attribute 'public_bytes'
Just before the exception, cergen logs a warning saying that a signing request for swift_codfw has been submitted already, so that might be a reason for the crashes?
I think that:
- this use case should be documented
- cergen shouldn't throw an exception
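As an added illustration, not cergen's own code: a constructed model of the flow in the traceback above, with the None check that turns the AttributeError into a descriptive error, plus a check that compares the manifest's alt_names with the certificate already on disk so that "file present" is not mistaken for "file up to date". All class and function names, and the fake CA, are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Cert:
    """Constructed stand-in for the certificate object cergen writes out."""
    name: str
    alt_names: List[str]

    def public_bytes(self, encoding: str = "PEM") -> bytes:
        body = f"{self.name} SAN={','.join(self.alt_names)}"
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


@dataclass
class FakePuppetCA:
    """Signs a CSR name once and returns None on a repeat request, mirroring
    the 'already been submitted and signed' warning in the log (constructed)."""
    signed: Set[str] = field(default_factory=set)

    def sign(self, name: str, alt_names: List[str]) -> Optional[Cert]:
        if name in self.signed:
            return None
        self.signed.add(name)
        return Cert(name, list(alt_names))


class CsrAlreadySignedError(RuntimeError):
    """Descriptive failure in place of the AttributeError in the traceback."""


def generate_crt_buggy(ca: FakePuppetCA, name: str, alt_names: List[str]) -> bytes:
    # Same shape as the failing line in certificate.py: no None check.
    cert = ca.sign(name, alt_names)
    return cert.public_bytes("PEM")


def generate_crt_fixed(ca: FakePuppetCA, name: str, alt_names: List[str]) -> bytes:
    # Hardened: a CA that returns no certificate is an error to report, not an object to write.
    cert = ca.sign(name, alt_names)
    if cert is None:
        raise CsrAlreadySignedError(
            f"{name}: CA reports the CSR as already signed and returned no "
            "certificate; nothing was written, regenerate only once the CA "
            "will sign a new request")
    return cert.public_bytes("PEM")


def missing_alt_names(existing: Cert, manifest_alt_names: List[str]) -> Set[str]:
    """SANs the manifest asks for that the on-disk certificate lacks."""
    return set(manifest_alt_names) - set(existing.alt_names)
```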