Issue #5346 has been updated by Ben -.
The behavior of puppetca --clean prior to 2.6 was to only remove previously
signed certificates for the provided host which allowed a new request with the
same name to be signed without interfering with the original host. As the man
page currently states this is very useful when you need to rebuild a host in a
staging or lab environment prior to actually replacing the original.
e.g. if you have a server on the other side of the country that needs replacing,
for say hardware issues, you can disable puppet on the remote server, clean its
cert on the master, build the new replacement in the lab, pack and send the
replacement, re-enable puppet on the original to maintain the server while the
replacement travels and when the actual replacement is installed it takes over
where the original left off. I use this method quite often.
With this change I now have to manually remove the certificate from the master.
rm -f /var/lib/puppet/ssl/ca/signed/fqdn.pem
No big deal and something I can live with but not as convenient.
Actually, neither of the above is ideal because once the faulty original server
has been replaced the cert should be revoked, especially in my case because the
puppet certs are also used for other things like VPN, but with the cert deleted
you have nothing to refer to in order to revoke it. I guess the ideal would be
to be able to clean and later revoke. maybe clean, or a new move option, could
move the cert aside to another location to allow it to be revoked later.
In any case, the puppetca man page is currently wrong based on the behavior of
2.6 and needs to be changed.
It should now read something like:
clean: Revokes host certificate and removes all files related to a host
from puppet cert's storage. Once cleaned the issued certificate is no longer
valid and all connection attempts will be denied. As with the revoke option
the puppet master needs to be restarted to take effect.
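The "move aside" idea from the comment above, as an added illustration that is not part of the bug report or of Puppet: a small Python helper (hypothetical names `set_aside`, `certificate_serial`, an `aside` directory and a `ledger.jsonl` file are my choices) moves the signed host certificate out of the CA's signed store, so a fresh CSR with the same name can be signed, and records the certificate serial so the old certificate can still be revoked later. It assumes that the later revocation is done by serial (as the 2.6.3 log above reports one) and parses the serial straight out of the DER so no OpenSSL is needed; the embedded PEM is a constructed stub carrying only the fields the parser walks.

```python
import base64, json, os, re, shutil, tempfile, time

# Constructed sample, not a real cert: Certificate { tbsCertificate { [0] v3, INTEGER 260 } }
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(bytes.fromhex("300b3009a00302010202020104")).decode()
              + "\n-----END CERTIFICATE-----\n")

def _tlv(buf, i, tag):
    """Check the DER tag at buf[i] and decode its length; return (length, content index)."""
    if buf[i] != tag:
        raise ValueError("expected tag 0x%02X at offset %d" % (tag, i))
    first = buf[i + 1]
    if first < 0x80:
        return first, i + 2
    n = first & 0x7F
    return int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n

def certificate_serial(pem):
    """Read the X.509 serialNumber from a PEM certificate without OpenSSL."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, i = _tlv(der, 0, 0x30)            # Certificate
    _, i = _tlv(der, i, 0x30)            # tbsCertificate
    if der[i] == 0xA0:                   # optional [0] EXPLICIT version: skip it
        ln, i = _tlv(der, i, 0xA0)
        i += ln
    ln, i = _tlv(der, i, 0x02)           # serialNumber INTEGER
    return int.from_bytes(der[i:i + ln], "big", signed=True)

def set_aside(hostname, signed_dir, aside_dir):
    """Move signed_dir/<host>.pem out of the CA's signed store and record its serial.
    A new CSR for the host can then be signed, while the ledger keeps the serial
    a later revocation (assumed: puppetca --revoke <serial>) needs."""
    src = os.path.join(signed_dir, hostname + ".pem")
    with open(src) as f:
        serial = certificate_serial(f.read())
    os.makedirs(aside_dir, exist_ok=True)
    dst = os.path.join(aside_dir, "%s.%X.pem" % (hostname, serial))
    shutil.move(src, dst)
    entry = {"host": hostname, "serial": serial, "serial_hex": "%X" % serial,
             "moved_to": dst, "when": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(os.path.join(aside_dir, "ledger.jsonl"), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def demo():
    root = tempfile.mkdtemp()                 # throwaway stand-in for /var/lib/puppet/ssl/ca
    signed = os.path.join(root, "signed")
    os.makedirs(signed)
    with open(os.path.join(signed, "host.example.pem"), "w") as f:
        f.write(SAMPLE_PEM)
    entry = set_aside("host.example", signed, os.path.join(root, "aside"))
    entry["signed_copy_gone"] = not os.path.exists(os.path.join(signed, "host.example.pem"))
    return entry
```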
----------------------------------------
Bug #5346: puppetca doc error
https://projects.puppetlabs.com/issues/5346
Author: Ben -
Status: Needs more information
Priority: Normal
Assignee: Nigel Kersten
Category:
Target version:
Affected Puppet version: 2.6.3
Keywords:
Branch:
The puppetca man page needs updating to include the new --clean behavior of
revoking the cert.
2.6.3 revokes w/ the --clean option
$ puppetca --clean server.puppetlabs.com
notice: Revoked certificate with serial 260
notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at
'/var/lib/puppet/ssl/ca/signed/server.puppetlabs.com.pem'
notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at
'/var/lib/puppet/ssl/certs/server.puppetlabs.com.pem'
The puppetca man page states
This is useful when rebuilding hosts, since new
certificate signing requests will only be honored if puppet
cert does not have a copy of a signed certificate for that
host. The certificate of the host remains valid.
PS> I prefer the old behavior. The --revoke option should not be implied w/
--clean.