Jira (PUP-8639) need seamless way to replace expiring CA certificate

2023-01-05 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-8639

I'm going to close this as a dup of PUP-10639 as that's what we're using internally to track this issue.

This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.244671.1523046645000.69942.1672939380036%40Atlassian.JIRA.


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2020-08-21 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-8639

I think this could be handled as described in PUP-10639


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2019-05-02 Thread Adrian Parreiras Horta (JIRA)
Adrian Parreiras Horta commented on PUP-8639

FYI: https://github.com/m0dular/ca_extend/issues/2


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-16 Thread Eric Sorenson (JIRA)
Eric Sorenson updated an issue

Puppet / PUP-8639

Change By: Eric Sorenson

What realistic option does a Puppet open source site have if the expiration on the CA master certificate is approaching, and one wants to smoothly transition to a new CA master certificate?

The only official documentation I can find that comes close to this is the following: [ https://puppet.com/docs/puppet/5.5/ssl_regenerate_certificates.html ]

But that procedure is describing an apocalypse-level security event where all certificates must be treated as untrustworthy and discarded.

There is this: [ https://forge.puppet.com/puppetlabs/certregen ]

…but that module hasn't been updated in almost a year, and  is incompatible  doesn't express compatibility  with Puppet 5 , because Puppet 5 removed {{puppet certregen}} and replaced it with… nothing, as far as I can tell.

The only potential solution I can see is this: [ https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place/ ]

Perhaps PE already has a smooth way to do this, but there needs to be a smooth way to do this for Puppet open source as well, without sending sites running open source scurrying to random third-party blog posts.

I realize this is both a very unsexy and very challenging issue to solve, but for the sites that need to solve it… it's a DEFCON 1 event.

Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-16 Thread Eric Sorenson (JIRA)
Eric Sorenson commented on PUP-8639

James Ralston thanks for the report - the certregen module is indeed the right way to go here, it just needs some love and attention. I've put up a PR to bring it into "modern" puppet land, with support for Puppet 5 and some fixes that would have prevented it from working correctly: https://github.com/puppetlabs/puppetlabs-certregen/pull/43 Can you try it out and make sure it works for you? I'll get a blog post up on the official Puppet blog in the next couple of weeks - the code itself is really good work, we just took our eye off it before getting to the "waving banners and flags" promotional bit.


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-16 Thread Eric Sorenson (JIRA)
Eric Sorenson assigned an issue to Eric Sorenson

Puppet / PUP-8639

Change By: Eric Sorenson
Assignee: Eric Sorenson


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-16 Thread Eric Sorenson (JIRA)
Eric Sorenson updated an issue

Puppet / PUP-8639

Change By: Eric Sorenson
Team: Coremunity


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-06 Thread James Ralston (JIRA)
James Ralston commented on PUP-8639

Correction: someone asserted that puppet certregen is a face that the puppetlabs-certregen module adds. But per the module dependencies, the module doesn't work with Puppet 5, and doesn't seem to be under active development.


Jira (PUP-8639) need seamless way to replace expiring CA certificate

2018-04-06 Thread James Ralston (JIRA)
James Ralston created an issue

Puppet / PUP-8639

Issue Type: New Feature
Assignee: Unassigned
Created: 2018/04/06 1:30 PM
Priority: Normal
Reporter: James Ralston

What realistic option does a Puppet open source site have if the expiration on the CA master certificate is approaching, and one wants to smoothly transition to a new CA master certificate?

The only official documentation I can find that comes close to this is the following: https://puppet.com/docs/puppet/5.5/ssl_regenerate_certificates.html

But that procedure is describing an apocalypse-level security event where all certificates must be treated as untrustworthy and discarded.

There is this: https://forge.puppet.com/puppetlabs/certregen

…but that module hasn't been updated in almost a year, and is incompatible with Puppet 5, because Puppet 5 removed puppet certregen and replaced it with… nothing, as far as I can tell.

The only potential solution I can see is this: https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place/

Perhaps PE already has a smooth way to do this, but there needs to be a smooth way to do this for Puppet open source as well, without sending sites running open source scurrying to random third-party blog posts.

I realize this is both a very unsexy and very challenging issue to solve, but for the sites that need to solve it… it's a DEFCON 1 event.