Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

Gah, branch named and PR filed using PUP-9156. Let me know if you would like me to undo any of that.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper commented on PUP-9156

Thomas Kishel Could you file a new ticket for that?
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

I have a PR that may address this, posting soon ...
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper commented on PUP-9156

As long as ssldir is set correctly, then the derived settings will be based on that new value:

    irb(main):002:0> require 'puppet'
    => true
    irb(main):003:0> Puppet.initialize_settings
    => [:debug, :info, :notice, :warning, :err, :alert, :emerg, :crit]
    irb(main):004:0> Puppet[:ssldir]
    => "/Users/josh/.puppetlabs/etc/puppet/ssl"
    irb(main):005:0> Puppet[:hostcert]
    => "/Users/josh/.puppetlabs/etc/puppet/ssl/certs/localhost.pem"
    irb(main):006:0> Puppet[:ssldir] = "/Users/josh/.puppetlabs/etc/puppet/device/foo/ssl"
    => "/Users/josh/.puppetlabs/etc/puppet/device/foo/ssl"
    irb(main):007:0> Puppet[:hostcert]
    => "/Users/josh/.puppetlabs/etc/puppet/device/foo/ssl/certs/localhost.pem"
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Maggie Dreyer commented on PUP-9156

Okay, looking at the code for the clean command, I think I see what's wrong. It does not use the `ssldir` setting to find files to delete, but rather looks at the values of hostcert, hostprivkey, etc. directly. Are those configured separately to point to agent files, rather than inheriting from ssldir on device nodes?
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

I've copied the changes in the commit to my test master and agent, but it appears the puppet ssl clean action needs to implement a --device parameter to differentiate between the default and (incorrectly assumed only) ssldir on the agent and the ssldir(s) of devices. As implemented now, a device certificate mismatch on an agent will output a message that instructs the user to run a command that will delete the agent ssldir rather than the device ssldir ...

    [root@pe-201900-agent ~]# puppet device -v --waitforcert 0
    Info: starting applying configuration to cisco.example.com at file:///etc/puppetlabs/puppet/devices/cisco.example.com.conf
    Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
    Certificate fingerprint: 48:11:BB:CC:AB:E7:F7:8A:2A:8E:7B:5E:A8:D3:DC:10:A9:01:FA:F6:F6:D6:85:15:A6:D8:61:0F:90:C1:93:98
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
    On the master:
      puppetserver ca clean --certname cisco.example.com
    On the agent:
      1. puppet ssl clean
      2. puppet agent -t
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Maggie Dreyer commented on PUP-9156

Oh, is that directory actually what's pointed to by the ssldir setting? If so, this might actually do what you need. But we didn't try it. If it does work that would be great!
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

The pre-commit output does find the correct ssldir/cert_dir for the device:

    [root@pe-201900-agent ~]# puppet device -v
    Info: starting applying configuration to cisco.example.com at file:///etc/puppetlabs/puppet/devices/cisco.example.com.conf
    Info: Creating a new SSL key for cisco.example.com
    Info: Downloaded certificate for ca from pe-201900-master.puppetdebug.vlan
    Info: Downloaded certificate for cisco.example.com from pe-201900-master.puppetdebug.vlan
    Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
    Certificate fingerprint: 48:11:BB:CC:AB:E7:F7:8A:2A:8E:7B:5E:A8:D3:DC:10:A9:01:FA:F6:F6:D6:85:15:A6:D8:61:0F:90:C1:93:98
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
    On the master:
      puppetserver ca clean --certname cisco.example.com
    On the agent:
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

Sigh.
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Maggie Dreyer commented on PUP-9156

No.
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Thomas Kishel commented on PUP-9156

Does this cover certificates for device agents? Those are stored in /opt/puppetlabs/puppet/cache/devices//ssl

https://tickets.puppetlabs.com/browse/PUP-8736
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper commented on PUP-9156

Merged to 6.0.x in https://github.com/puppetlabs/puppet/commit/5a58b3d554f7f38422128a6760ac05c81a18bf7d
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Release Notes Summary: Adds a "clean" action to the "puppet ssl" application to remove an agent's private key, public key, certificate and/or certificate signing request. If the "--localca" option is specified, the action will also remove the agent's copy of the CA certificate(s) and CRL bundle that it downloaded from the CA previously.

Prior to this, if an agent's ssl directory was in an inconsistent state, the user was told to run "find /etc/puppetlabs/puppet/ssl -name .pem -delete" or the Windows equivalent. Now users should run "puppet ssl clean" on the agent host. This way users will not accidentally delete their entire CA directory when trying to clean the agent that's running on the CA host.

Note "puppet ssl clean" is a companion to "puppetserver ca clean". The former should be run on an agent host to clean that agent's ssl directory. The latter should be run on the CA to manage certificates and requests for *all* agents.

Release Notes: New Feature
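The behaviour discussed in this thread, as an added example that is not Puppet's implementation or code from the ticket: delete only the named client-side files under a given ssldir, refuse any path that resolves into the `ca` directory, and take the ssldir as a parameter so a device's certificates are cleaned instead of the agent's. The relative paths are assumed to match Puppet's default layout; `master.example.com`, the fixture tree and all function names are constructed for the illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Illustration only. The relative paths mirror Puppet's default layout under
# ssldir (an assumption); real Puppet resolves each path from its settings.
def client_artifacts(ssldir, certname, localca: false)
  host = {
    hostprivkey: ['private_keys', "#{certname}.pem"],
    hostpubkey:  ['public_keys', "#{certname}.pem"],
    hostcsr:     ['certificate_requests', "#{certname}.pem"],
    hostcert:    ['certs', "#{certname}.pem"],
    passfile:    ['private', 'password']
  }
  ca_copies = { localcacert: ['certs', 'ca.pem'], hostcrl: ['crl.pem'] }
  (localca ? host.merge(ca_copies) : host)
    .transform_values { |parts| File.expand_path(File.join(ssldir, *parts)) }
end

# Delete only the listed files and never anything under <ssldir>/ca, so the
# same call is safe on an agent, on a device ssldir, or on the CA host itself.
# Every target is checked before the first deletion happens.
def ssl_clean(ssldir, certname, localca: false)
  ca_prefix = File.join(File.expand_path(ssldir), 'ca') + File::SEPARATOR
  targets = client_artifacts(ssldir, certname, localca: localca).values
  bad = targets.find { |p| p.start_with?(ca_prefix) }
  raise ArgumentError, "refusing to delete under CA dir: #{bad}" if bad
  targets.select { |p| File.file?(p) }.each { |p| File.delete(p) }
end

# Constructed fixture: a CA host's ssldir plus one device ssldir.
def build_fixture(root)
  agent_ssl  = File.join(root, 'ssl')
  device_ssl = File.join(root, 'devices', 'cisco.example.com', 'ssl')
  files = %w[ca/ca_crt.pem ca/ca_key.pem ca/serial ca/signed/master.example.com.pem
             certs/master.example.com.pem certs/ca.pem crl.pem
             private_keys/master.example.com.pem public_keys/master.example.com.pem]
          .map { |f| File.join(agent_ssl, f) }
  files += %w[certs/cisco.example.com.pem private_keys/cisco.example.com.pem certs/ca.pem]
           .map { |f| File.join(device_ssl, f) }
  files.each do |f|
    FileUtils.mkdir_p(File.dirname(f))
    File.write(f, "constructed placeholder\n")
  end
  [agent_ssl, device_ssl]
end

# Relative paths of the regular files still present under dir.
def remaining(dir)
  Dir.glob('**/*', base: dir).select { |f| File.file?(File.join(dir, f)) }.sort
end

def demo
  Dir.mktmpdir do |root|
    agent_ssl, device_ssl = build_fixture(root)
    # A device clean must be pointed at the device's ssldir, not the agent's.
    ssl_clean(device_ssl, 'cisco.example.com')
    after_device = { agent: remaining(agent_ssl), device: remaining(device_ssl) }
    # Clean the host's own artifacts on the CA node, including local CA copies.
    ssl_clean(agent_ssl, 'master.example.com', localca: true)
    after_host = remaining(agent_ssl)
    # A certname that resolves into ca/signed is rejected before any deletion.
    traversal = begin
      ssl_clean(agent_ssl, '../ca/signed/master.example.com')
      :deleted
    rescue ArgumentError
      :refused
    end
    { after_device: after_device, after_host: after_host, traversal: traversal }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

After both cleans the only files left in the host ssldir are the four under `ca/`, which is the property the ticket's acceptance criteria ask for.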
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Jorie Tappa commented on PUP-9156

Josh Cooper could you please add release notes? Thanks!
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Currently our docs and error messaging frequently tell users to delete their SSL directories when something goes wrong with certificates on an agent. This can lead to problems if users accidentally do it on their CA node instead of on an agent, because it will destroy the whole CA and make all agents unable to check in. We should add a new command under {{puppet ssl}} to clean up just the client-side artifacts leaving the CA dir untouched no matter where it's run, and tell users to use that instead of deleting their directories manually. This should probably clean up everything in the SSL dir EXCEPT the CA dir.

We may want to think a little more about the case where someone is running this on the master and has used `puppetserver ca generate` to create certs for distribution. This places the certs both in the {{ca/signed}} dir and in {{ssl/certs}}, the latter of which could potentially be cleaned up by this command.

Host-specific files to delete (if present)
||file||setting||
|private key|Puppet[:hostprivkey]|
|public key|Puppet[:hostpubkey]|
|certificate request|Puppet[:hostcsr]|
|certificate|Puppet[:hostcert]|
|passphrase file|Puppet[:passfile]|

Local copies of CA files to delete (if present)
||file||setting||
|local ca cert|Puppet[:localcacert]|
|local crl|Puppet[:hostcrl]|
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Fix Version/s: PUP 6.1.0 Fix Version/s: PUP 6.0.3
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Sprint: Coremunity Hopper Platform Core KANBAN
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Currently our docs and error messaging frequently tell users to delete their SSL directories when something goes wrong with certificates on an agent. This can lead to problems if users accidentally do it on their CA node instead of on an agent, because it will destroy the whole CA and make all agents unable to check in. We should add a new command under {{puppet ssl}} to clean up just the client-side artifacts leaving the CA dir untouched no matter where it's run, and tell users to use that instead of deleting their directories manually. This should probably clean up everything in the SSL dir EXCEPT the CA dir.

We may want to think a little more about the case where someone is running this on the master and has used `puppetserver ca generate` to create certs for distribution. This places the certs both in the {{ca/signed}} dir and in {{ssl/certs}}, the latter of which could potentially be cleaned up by this command.

Things to delete (if present)
||file||setting||
|private key|Puppet[:hostprivkey]|
|public key|Puppet[:hostpubkey]|
|certificate request|Puppet[:hostcsr]|
|certificate|Puppet[:hostcert]|
|local ca cert|Puppet[:localcacert]|
|local crl|Puppet[:hostcrl]|
|passphrase file|Puppet[:passfile]|
|legacy ca bundle|Puppet[:ssl_client_ca_auth]|
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper assigned an issue to Josh Cooper Puppet / PUP-9156

Change By: Josh Cooper

Assignee: Josh Cooper
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Acceptance Criteria:
* {{puppet ssl clean}} will delete all client-side artifacts on a node.
* When run on the CA, the "ca" directory and all of the signed certs, serial.txt, etc should be untouched.
* The instructions for resetting the agent's SSL state should reference {{puppet ssl clean}} instead of {{find %\{ssl_dir\} -name %\{cert_name\}.pem -delete}}, etc
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Fix Version/s: PUP 6.y Fix Version/s: PUP 6.1.0
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Sprint: Platform Core Hopper
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Josh Cooper updated an issue Puppet / PUP-9156

Change By: Josh Cooper

Team: Coremunity
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Eric Thompson commented on PUP-9156

we have a few things to do surrounding other aspects of the CA and CI in the 6.y timeframe. feels like core/agent work here. Geoff Nichols, Rob Braden thoughts?
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Maggie Dreyer commented on PUP-9156

Figuring out if this should go to Coremunity or Server /cc Rob Braden Eric Thompson
Jira (PUP-9156) Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent
Maggie Dreyer created an issue Puppet / PUP-9156

Issue Type: Improvement
Assignee: Unassigned
Created: 2018/09/19 1:47 PM
Fix Versions: PUP 6.y
Priority: Normal
Reporter: Maggie Dreyer

Currently our docs and error messaging frequently tell users to delete their SSL directories when something goes wrong with certificates on an agent. This can lead to problems if users accidentally do it on their CA node instead of on an agent, because it will destroy the whole CA and make all agents unable to check in. We should add a new command under puppet ssl to clean up just the client-side artifacts leaving the CA dir untouched no matter where it's run, and tell users to use that instead of deleting their directories manually. This should probably clean up everything in the SSL dir EXCEPT the CA dir.

We may want to think a little more about the case where someone is running this on the master and has used `puppetserver ca generate` to create certs for distribution. This places the certs both in the ca/signed dir and in ssl/certs, the latter of which could potentially be cleaned up by this command.