There are currently some problems with our (self-signed) TLS certs for Hadoop/Presto/etc.:
- the creator of the certs (yours truly) didn't use cergen correctly in the Puppet private repo, since dedicated directories were created. The main problem is that people trying to use cergen in the base directory of all the certs get warnings about some of them being absent. I tried to move them away from their dedicated location to another one, but this also requires changing the name of the dedicated self-signed CA from root_ca to something-hadoop/presto-root_ca for example, which is not an idempotent change. The name of the CA in the cergen yaml file is used in the CA cert itself, so this might be problematic if we want to regenerate some files (tried and failed). We could simply think about creating new certs, deploying them and deprecating the old ones.
- the CA's cert expiry is October 2020; we need to regenerate it to something longer than this. We could simply stop Yarn/Presto for a moment, regenerate all the certs, and deploy them. An important note is that Puppet paths probably need to be changed, better to triple check.