Bug #5346
puppetca doc error
| Status: | Closed | Start date: | 11/17/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | SSL | | |
| Target version: | - | | |
| Affected Puppet version: | 2.6.3 | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
The puppetca man page needs updating to include the new --clean behavior of revoking the cert.
2.6.3 revokes w/ the --clean option:

```
$ puppetca --clean server.puppetlabs.com
notice: Revoked certificate with serial 260
notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at '/var/lib/puppet/ssl/ca/signed/server.puppetlabs.com.pem'
notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at '/var/lib/puppet/ssl/certs/server.puppetlabs.com.pem'
```

The puppetca man page states:

```
This is useful when rebuilding hosts, since new
certificate signing requests will only be honored if puppet
cert does not have a copy of a signed certificate for that
host. The certificate of the host remains valid.
```

PS: I prefer the old behavior. The --revoke option should not be implied w/ --clean.
History
Updated by James Turnbull over 1 year ago
- Status changed from Unreviewed to Needs Decision
- Assignee set to Nigel Kersten
Updated by Nigel Kersten over 1 year ago
- Status changed from Needs Decision to Needs More Information
Ben, can you help us out here and outline the exact use case that this behavior change affects for you?
Updated by Ben - over 1 year ago
The behavior of puppetca --clean prior to 2.6 was to only remove previously signed certificates for the provided host, which allowed a new request with the same name to be signed without interfering with the original host. As the man page currently states, this is very useful when you need to rebuild a host in a staging or lab environment prior to actually replacing the original.
e.g. if you have a server on the other side of the country that needs replacing, for say hardware issues, you can disable puppet on the remote server, clean its cert on the master, build the new replacement in the lab, pack and send the replacement, re-enable puppet on the original to maintain the server while the replacement travels, and when the actual replacement is installed it takes over where the original left off. I use this method quite often.
With this change I now have to manually remove the certificate from the master: `rm -f /var/lib/puppet/ssl/ca/signed/fqdn.pem`
No big deal and something I can live with, but not as convenient.
Actually, neither of the above is ideal because once the faulty original server has been replaced the cert should be revoked, especially in my case because the puppet certs are also used for other things like VPN, but with the cert deleted you have nothing to refer to in order to revoke it. I guess the ideal would be to be able to clean and later revoke. Maybe clean, or a new move option, could move the cert aside to another location to allow it to be revoked later.
In any case, the puppetca man page is currently wrong based on the behavior of 2.6 and needs to be changed.
It should now read something like:

```
clean: Revokes host certificate and removes all files related to a host from puppet cert's storage. Once cleaned the issued certificate is no longer valid and all connection attempts will be denied. As with the revoke option the puppet master needs to be restarted to take effect.
```
Updated by Nigel Kersten over 1 year ago
- Status changed from Needs More Information to Accepted
I’ll track down why we made this change, but it does seem clear we’ve lost functionality that people will require.
Updated by James Turnbull over 1 year ago
- Category set to SSL
- Target version set to 2.6.5
Updated by Nigel Kersten over 1 year ago
- Assignee deleted (Nigel Kersten)
Updated by Nigel Kersten over 1 year ago
- Target version changed from 2.6.5 to 2.6.x
Updated by James Turnbull over 1 year ago
- Target version changed from 2.6.x to 2.6.6
Updated by Nick Fagerlund about 1 year ago
FYI, the help text was updated to match reality in commit:9b74968a42d9a6e53bc61f7e8e17822316d557e8.
Updated by James Turnbull about 1 year ago
- Target version changed from 2.6.6 to 2.6.x
Updated by Nigel Kersten about 1 year ago
- Status changed from Accepted to Closed
Actually Ben, I’m going to reject this. You have a workaround for your use case, and cleaning without revoking has caused a bunch of other confusion.
Updated by James Turnbull about 1 year ago
- Target version deleted (2.6.x)
Updated by Lance Reed about 1 year ago
- Status changed from Closed to Re-opened
So apologies if I am being dense, but is the solution here really to do a manual delete of the signed cert file on a master if we need to rebuild / replace a host? This is something we do ALL the time. We are running into serious confusion regarding puppetca -clean -revoke and crl files blocking when a host is rebuilt. Is there a documented procedure to correctly rebuild hosts using the same name etc.? I even have the crl up commented out in my passenger configs and this is causing problems.
Updated by James Turnbull 7 months ago
- Status changed from Re-opened to Needs Decision
- Assignee set to Nigel Kersten
One more for the road Nigel?
Updated by Nigel Kersten 6 months ago
- Status changed from Needs Decision to Closed
Lance Reed wrote:

> So apologies if I am being dense, but is the solution here really to do a manual delete of the signed cert file on a master if we need to rebuild / replace a host? This is something we do ALL the time. We are running into serious confusion regarding puppetca -clean -revoke and crl files blocking when a host is rebuilt. Is there a documented procedure to correctly rebuild hosts using the same name etc.? I even have the crl up commented out in my passenger configs and this is causing problems.

Lance, as described this doesn't make sense to me.
- Request cert for host myhost.
- Clean that cert (which revokes it by serial number).
- Request a new cert for host myhost.
- This has a new serial, and shouldn't clash with the revoked one.
I'd need to see more info about this, as on the face of it it doesn't make sense; revocation is by serial number, not by certificate name.
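Nigel's point above (the CRL revokes a serial number, not a hostname, so a re-issued `myhost` certificate with a fresh serial is unaffected by the old one's revocation) and Ben's earlier wish to "clean now, revoke later" can both be checked with a throwaway CA. The following Ruby script is an added example for this page, not Puppet's own CA code and not part of this thread; it uses only Ruby's standard `openssl` binding. The helper names (`make_ca`, `issue`, `make_crl`, `valid?`, `demo`), the subject `myhost`, and the serials are constructed for the example (260 matches the serial in the report's output, 261 is an assumed next serial).

```ruby
require 'openssl'

# Create a throwaway root CA (constructed for this example, not Puppet's CA).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = 0
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Issue a host certificate for +cn+ with an explicit +serial+, as a CA would
# when signing a CSR. The same CN can be issued again with a different serial.
def issue(ca_key, ca_cert, cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)    # the host's key; only its public half is embedded
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Build a CRL listing +revoked_serials+. Note the CRL carries serials only:
# there is no hostname in it, which is the point Nigel makes in the thread.
def make_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
  crl
end

# Verify +cert+ against the CA with CRL checking enabled, the way a master
# configured to enforce its CRL would. Returns [valid?, error_string].
def valid?(ca_cert, crl, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# Walk through the scenario from the thread: issue myhost (serial 260),
# revoke that serial, re-issue myhost with serial 261.
def demo
  ca_key, ca_cert = make_ca
  first  = issue(ca_key, ca_cert, 'myhost', 260)
  crl    = make_crl(ca_key, ca_cert, [260])     # what --clean's implied --revoke records
  second = issue(ca_key, ca_cert, 'myhost', 261) # the rebuilt host's new cert
  first_ok, first_err   = valid?(ca_cert, crl, first)
  second_ok, second_err = valid?(ca_cert, crl, second)
  {
    revoked_serials: crl.revoked.map { |r| r.serial.to_i },
    first: first_ok, first_error: first_err,
    second: second_ok, second_error: second_err
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running it shows the old certificate failing verification with a "certificate revoked" error while the re-issued certificate for the same name passes, because the store compares the presented serial against the CRL and never looks at the CN. It also illustrates Ben's concern: the CRL entry for 260 is all that is needed to keep revoking the old cert, so deleting the signed PEM file from the master is what makes later revocation impossible, not the revocation itself.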