Maniphest T270269

PKI server don't reimage cleanly
Open, LowPublic
Actions

Assigned To

None

Authored By

	jbond
	Dec 16 2020, 12:06 PM

Tags

Referenced Files

None

Subscribers

Description

Currently the PKI servers make use of puppet config dns_alt name which means that they are unable to rebuild image without manual intervention.

To enable tis we need to first configure the puppetserver CA daemon to support DNS alt names. this is done by adding allow-subject-alt-names: true to /etc/puppet/puppetserver/conf.d/ca.conf, restarting puppetserver and then finally sign the cert.

We should consider enabling this setting permanently

Event Timeline

jbond triaged this task as Medium priority.Dec 16 2020, 12:06 PM

jbond created this task.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 16 2020, 12:06 PM

jbond moved this task from Unsorted 💣 to Back Burner 🏛️ on the User-jbond board.May 27 2021, 4:39 PM

Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM

joanna_borun lowered the priority of this task from Medium to Low.Jun 12 2023, 2:58 PM

joanna_borun edited projects, added CFSSL-PKI; removed SRE-tools.

jbond updated the task description. (Show Details)Nov 7 2023, 2:31 PM