
Puppet certificate discrepancies
Closed, Duplicate · Public

Description

Debugging a totally unrelated issue I noticed that there was at least one puppet certificate still signed on the puppetmaster for a host that had been decommissioned.
I then decided to compare the list of certs with the PuppetDB one and this is the result:

Hosts that don't have a signed certificate on the Puppetmaster but are Active in Netbox, and Puppet runs just fine

Those should have a new cert recreated and signed

db1105.eqiad.wmnet
ms-be2021.codfw.wmnet
mw2320.codfw.wmnet
mw2321.codfw.wmnet
Hosts that have a signed certificate on Puppetmaster but were decommissioned

Those should be cleaned up without any problem AFAICT

db2051.codfw.wmnet
db2057.codfw.wmnet
db2063.codfw.wmnet
dbstore2001.codfw.wmnet
kafka2001.codfw.wmnet
kafka2002.codfw.wmnet
kafka2003.codfw.wmnet
kafka1001.eqiad.wmnet
kafka1002.eqiad.wmnet
kafka1003.eqiad.wmnet
mw1259.eqiad.wmnet
mw1260.eqiad.wmnet
orespoolcounter1002.eqiad.wmnet
restbase-test2003.codfw.wmnet

For reference, a similar effort made in the past: T185239

Event Timeline

Volans triaged this task as Medium priority. Apr 17 2020, 1:10 PM
Volans created this task.

As far as I can tell the signed certs are not in the CRL either

$ for host in $(<certs.txt); do
    serial=$(sudo openssl x509 -in /var/lib/puppet/server/ssl/ca/signed/${host}.pem -noout -serial | awk -F= '{print $NF}')
    printf "%s: %s\n" "${host}" "${serial}"
    openssl crl -in /var/lib/puppet/server/ssl/ca/ca_crl.pem -text -noout | grep -A4 ${serial} || echo "not in CRL"
  done
db2051.codfw.wmnet: 1423
not in CRL
db2057.codfw.wmnet: 12ED
not in CRL
db2063.codfw.wmnet: 14A7
not in CRL
dbstore2001.codfw.wmnet: 0C5C
not in CRL
kafka2001.codfw.wmnet: 0F3B
not in CRL
kafka2002.codfw.wmnet: 0F4E
not in CRL
kafka2003.codfw.wmnet: 0F50
not in CRL
kafka1001.eqiad.wmnet: 0F52
not in CRL
kafka1002.eqiad.wmnet: 0F53
not in CRL
kafka1003.eqiad.wmnet: 0F54
not in CRL
mw1259.eqiad.wmnet: 0D4B
not in CRL
mw1260.eqiad.wmnet: 0D57
not in CRL
orespoolcounter1002.eqiad.wmnet: 1224
not in CRL
restbase-test2003.codfw.wmnet: 052F
not in CRL

I double checked db1105.eqiad.wmnet and I see that even though the certificate is not in the /var/lib/puppet/server/ssl/ca/signed folder, it does have the correct entry in /var/lib/puppet/server/ssl/ca/inventory.txt

puppetmaster1001
$ grep db1105 /var/lib/puppet/server/ssl/ca/inventory.txt 
0x0c2b 2017-07-11T06:01:13UTC 2022-07-11T06:01:13UTC /CN=db1105.eqiad.wmnet
0x0d1a 2017-11-06T14:00:17UTC 2022-11-06T14:00:17UTC /CN=db1105.eqiad.wmnet
db1105
$ openssl x509 -in /var/lib/puppet/ssl/certs/db1105.eqiad.wmnet.pem -noout -subject -issuer  -dates -serial
subject=CN = db1105.eqiad.wmnet
issuer=CN = Puppet CA: palladium.eqiad.wmnet
notBefore=Nov  6 14:00:17 2017 GMT
notAfter=Nov  6 14:00:17 2022 GMT
serial=0D1A
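The reconciliation described in the task description (signed certs vs. the Active host list) and the two checks in the comment above (is the serial on the CRL, what does inventory.txt say for a host with no signed file) can be expressed as one small script. The following is an added example written for this page; it is not code from the task or from Wikimedia's puppet repository. It assumes the inventory.txt line format quoted above, and the host lists, serials and CRL contents it uses are constructed sample data (the hostnames and the db1105 inventory lines are taken from the task, the mw1261 entries and the revoked set are made up). In a real run the three inputs would come from listing `ssl/ca/signed/*.pem` with `openssl x509 -serial`, from Netbox/PuppetDB, and from `openssl crl -text`.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of the CA's inventory.txt, in the format quoted in this task:
#   0x0d1a 2017-11-06T14:00:17UTC 2022-11-06T14:00:17UTC /CN=db1105.eqiad.wmnet
INVENTORY_RE = re.compile(
    r"^0x(?P<serial>[0-9a-fA-F]+)\s+(?P<nb>\S+)\s+(?P<na>\S+)\s+/CN=(?P<cn>\S+)\s*$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SUTC"


def parse_serial(text):
    """Turn '0x0d1a' (inventory.txt), '0D1A' (openssl x509 -serial) or a CRL's
    'Serial Number' value into one integer, so the three sources compare equal."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return int(text, 16)


def fmt_serial(serial):
    """Render a serial the way openssl prints it (upper-case hex, at least 2 bytes)."""
    return f"{serial:04X}"


def parse_inventory(text):
    """Map CN -> [(serial, not_before, not_after), ...]. A CN can have several
    entries because inventory.txt records every cert the CA ever issued for it
    (db1105 above has two); unparseable lines are an error, not silently skipped."""
    by_cn = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = INVENTORY_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable inventory line: {line!r}")
        by_cn[m["cn"]].append((
            parse_serial(m["serial"]),
            datetime.strptime(m["nb"], TS_FORMAT),
            datetime.strptime(m["na"], TS_FORMAT),
        ))
    return dict(by_cn)


def current_serial(inventory, cn):
    """Serial of the most recently issued cert for cn (None if the CA never signed
    one). This is what `openssl x509 -serial` on the agent itself should show."""
    entries = inventory.get(cn)
    if not entries:
        return None
    return max(entries, key=lambda e: e[1])[0]


def reconcile(active_hosts, signed, revoked, inventory):
    """active_hosts: FQDNs that are Active in the source of truth (Netbox/PuppetDB).
    signed: FQDN -> serial int, one per file in ssl/ca/signed/.
    revoked: serial ints found on the CA's CRL.
    inventory: result of parse_inventory()."""
    signed_hosts = set(signed)
    missing = sorted(active_hosts - signed_hosts)        # Active, but no signed cert file
    stale = sorted(signed_hosts - active_hosts)          # signed cert file, host decommissioned
    # Stale certs that are not on the CRL need a revoke as well as a file cleanup.
    stale_not_revoked = [h for h in stale if signed[h] not in revoked]
    # For hosts with no signed file, what inventory.txt still knows about them.
    inventory_current = {h: current_serial(inventory, h) for h in missing}
    return {
        "missing_signed": missing,
        "stale_signed": stale,
        "stale_not_revoked": stale_not_revoked,
        "inventory_current": inventory_current,
    }


# ---- constructed sample data (see lead-in) --------------------------------
ACTIVE_HOSTS = {"db1105.eqiad.wmnet", "mw2320.codfw.wmnet", "mw1261.eqiad.wmnet"}
SIGNED_DIR = {
    "db2051.codfw.wmnet": parse_serial("1423"),    # serial from the task's output
    "kafka2001.codfw.wmnet": parse_serial("0F3B"),  # serial from the task's output
    "mw1261.eqiad.wmnet": parse_serial("0E01"),    # made-up host and serial
}
CRL_SERIALS = {parse_serial("0F3B")}  # pretend kafka2001 was revoked and db2051 was not
INVENTORY_TXT = """\
0x0c2b 2017-07-11T06:01:13UTC 2022-07-11T06:01:13UTC /CN=db1105.eqiad.wmnet
0x0d1a 2017-11-06T14:00:17UTC 2022-11-06T14:00:17UTC /CN=db1105.eqiad.wmnet
0x0e01 2018-02-01T10:00:00UTC 2023-02-01T10:00:00UTC /CN=mw1261.eqiad.wmnet
"""

if __name__ == "__main__":
    result = reconcile(ACTIVE_HOSTS, SIGNED_DIR, CRL_SERIALS, parse_inventory(INVENTORY_TXT))
    print("Active hosts without a signed cert:", result["missing_signed"])
    for host, serial in result["inventory_current"].items():
        print(f"  {host}: inventory.txt says", fmt_serial(serial) if serial else "never issued")
    print("Signed certs for decommissioned hosts:", result["stale_signed"])
    print("  ...of which not on the CRL:", result["stale_not_revoked"])
```

Comparing serials as integers rather than strings matters because inventory.txt writes `0x0d1a` while `openssl` prints `0D1A`; a string comparison would report every host as mismatched. The `inventory_current` entry reproduces the db1105 check from the comment: the newest inventory serial (0D1A) is the one the agent's own certificate carries, so that host's certificate is valid and only the `signed/` file is missing.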