[Puppet Users] Re: [Please help] - How to renew/fix certificate at puppetmaster level?

2021-10-15 Thread puppet-bsd
Performed the Verify steps. It seems the values are not equal. Are there any 
steps to make the values equal?


On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote:

> My advice might not be the best but it's what worked for me when our 
> master CA certificate expired.  These are my raw notes from when I had to 
> renew our puppetserver certificate. The original certificate was likely 
> Puppet 4 and expired when running Puppet 6.  I googled around and took some 
> steps from various blog posts I found so most of this isn't my original 
> ideas:
>
>  # Verify
>  cd /etc/puppetlabs/puppet/ssl/ca
>  ( openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 
> ; openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 )
>  
>  # Generate new CSR
>  openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>  
>  # Sign
>  cat > extension.cnf << EOF
>  [CA_extensions]
>  basicConstraints = critical,CA:TRUE
>  nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
>  keyUsage = critical,keyCertSign,cRLSign
>  subjectKeyIdentifier = hash
>  EOF
>  cp ca_crt.pem ca_crt.pem.old
>  openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out 
> ca_crt.pem -extfile extension.cnf -extensions CA_extensions
>  openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
>  chown puppet: ./*
>  cd /etc/puppetlabs/puppet/ssl
>  cp -a ca/ca_crt.pem certs/ca.pem 
>  
>  # CLIENTS
>  
>  /opt/puppetlabs/bin/puppet resource file 
> /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
>  /opt/puppetlabs/bin/puppet ssl download_cert
>  systemctl restart choria-server
>
> For expired client certs, when that happens to me I will do "rm -rf 
> /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet 
> which will request new cert then sign the cert and run Puppet again.  That 
> process is rather tedious and not something I've automated really well but 
> also not something I have had happen frequently as we don't tend to keep 
> servers around for 5+ years.
>
> On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:
>
>>   Hi all,
>>
>> I'm new in puppet. 
>>
>> I'm currently using puppet 4.10
>>
>> Long story short, puppet certificates were expired and by this time, I am 
>> renewing these certificates one node at a time (including the 
>> puppetmaster). 
>>
>> Once the puppetmaster got "renewed", I tried to create a node 
>> successfully but its first run of puppet agent -t was unsuccessful due to 
>> its related smart proxy server certificate being revoked. Performed a 
>> certificate renewal for the proxy and the new agent now runs fine.
>>
>> However, it happens every time I create a new node. In the past, I 
>> didn't have to renew proxy certificates. That means that there is 
>> something/somewhere in puppetmaster that isn't caught up in terms of 
>> certificates.
>>
>> One try I made was to regenerate a new CA certificate but it seems it wasn't 
>> successful for the earlier described issue.
>>
>> Can anyone please point how to fix the certificate at the puppetmaster 
>> level? 
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/63a4d3b3-55e8-43ef-84cd-6f6d9a4ef8a5n%40googlegroups.com.


Re: [Puppet Users] how do puppet agent service record and determine next request timepoint?

2021-10-15 Thread Martin Alfke
Hi,

Running puppet agent as a daemon is not recommended in large environments with 
many nodes.
We usually recommend running puppet agent from cron instead.

Reason:

When running puppet agent as daemon:
T0 - Puppet agent start
T0+x - Puppet agent finishes. Now waits for runinterval time (default 30 min). 
Runtime for puppet agent can differ from run to run

When running from cron, we recommend to use the fqdn_rand function to create a 
random number based on the fqdn. Number will be identical for identical fqdn.
This allows us to spread puppet agent runs in the platform.

In very large environments (more than 4000 nodes) we recommend adding Puppet 
compilers behind a load balancer.
The CA will still run on the primary server, but load is spread amongst more 
systems (catalog compilation).

Hth,
Martin


> On 14. Oct 2021, at 04:13, 羽色云烟  wrote:
> 
> Background:
> Our puppet server manages lots of agent nodes; it often fails to respond 
> in time because too many requests are squeezed into some part of the period. We 
> have set 'splay=true' but it seems to do no help. We hope to more precisely 
> control each node's agent request time point, that is, to make them evenly 
> distributed across the run-interval period. But 'systemctl restart 
> puppet.service' does not always trigger the puppet agent request immediately.
> 
> So the questions are:
> 1. how does the background puppet agent service determine its next request 
> time point?
> 2. suppose 'runinterval=1h', with the splay feature disabled, will all the 
> future request time points be fixed exactly at x+1h, x+2h, x+3h, etc... ?
> 3. at puppet server node, is there any way to list which agent nodes are 
> currently connecting or occupying server's instance, and which nodes are in 
> queue?
> 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/A7BCFE48-879C-482B-8563-7DD6719B0562%40gmail.com.
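The cron spreading Martin describes, as an added example that is not part of his message: in a manifest the offset comes from Puppet's built-in fqdn_rand(30); the shell function below is a stand-in for it (the same idea, an MD5 of the fqdn reduced modulo the period, not the same arithmetic, so its numbers will not match what a manifest computes). It emits a crontab line for a host and prints a histogram over a list of constructed hostnames so you can see how evenly 40 nodes land in 30 minute slots. It assumes openssl and awk in PATH; the node*.example.internal names are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: spread cron-driven puppet agent runs
# with a fqdn-derived minute offset. A shell stand-in for Puppet's
# fqdn_rand (same idea: hash of the fqdn reduced modulo the period; not the
# same arithmetic, so values differ from what a manifest computes).
# Assumes openssl and awk in PATH. Hostnames in demo_hosts are constructed.

PERIOD=30   # minutes between runs; the default runinterval

# Deterministic offset in [0, $2) for fqdn $1: the same name always yields
# the same minute, so the schedule survives reboots, unlike a random delay.
spread_offset() {
    h=$(printf '%s' "$1" | openssl md5 | awk '{print $NF}')
    echo $(( 0x$(printf '%.8s' "$h") % $2 ))
}

# Crontab line running the agent twice an hour at the host's minute.
# --onetime --no-daemonize make a single foreground run and exit.
puppet_cron_line() {
    m=$(spread_offset "$1" "$PERIOD")
    echo "$m,$(( m + PERIOD )) * * * * root /opt/puppetlabs/bin/puppet agent --onetime --no-daemonize"
}

# "<count> <minute>" per slot for the given fqdns.
spread_histogram() {
    for f in "$@"; do spread_offset "$f" "$PERIOD"; done | sort -n | uniq -c
}

# Largest number of hosts landing in the same minute (the burst the server sees).
max_per_slot() {
    spread_histogram "$@" | awk '$1 > m { m = $1 } END { print m + 0 }'
}

# Constructed hostnames for the demo: node001.example.internal ... node$1.
demo_hosts() {
    i=1
    while [ "$i" -le "${1:-40}" ]; do
        printf 'node%03d.example.internal\n' "$i"; i=$(( i + 1 ))
    done
}

# Demo: sh spread.sh demo
if [ "${1:-}" = "demo" ]; then
    puppet_cron_line node001.example.internal
    spread_histogram $(demo_hosts 40)
    echo "largest slot: $(max_per_slot $(demo_hosts 40)) hosts"
fi
```

The histogram is the number to watch: with a fixed runinterval and a daemon, every node that happened to start in the same minute stays in that minute forever, whereas the fqdn-derived offset fixes each node to a slot independent of when it booted, and max_per_slot tells you the worst burst the compilers will see.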


[Puppet Users] Re: [Please help] - How to renew/fix certificate at puppetmaster level?

2021-10-15 Thread puppet-bsd
Hi,

Obviously it needs a file backup and the puppetmaster to be restarted 
after the action. Correct?

On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote:

> My advice might not be the best but it's what worked for me when our 
> master CA certificate expired.  These are my raw notes from when I had to 
> renew our puppetserver certificate. The original certificate was likely 
> Puppet 4 and expired when running Puppet 6.  I googled around and took some 
> steps from various blog posts I found so most of this isn't my original 
> ideas:
>
>  # Verify
>  cd /etc/puppetlabs/puppet/ssl/ca
>  ( openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 
> ; openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 )
>  
>  # Generate new CSR
>  openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>  
>  # Sign
>  cat > extension.cnf << EOF
>  [CA_extensions]
>  basicConstraints = critical,CA:TRUE
>  nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
>  keyUsage = critical,keyCertSign,cRLSign
>  subjectKeyIdentifier = hash
>  EOF
>  cp ca_crt.pem ca_crt.pem.old
>  openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out 
> ca_crt.pem -extfile extension.cnf -extensions CA_extensions
>  openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
>  chown puppet: ./*
>  cd /etc/puppetlabs/puppet/ssl
>  cp -a ca/ca_crt.pem certs/ca.pem 
>  
>  # CLIENTS
>  
>  /opt/puppetlabs/bin/puppet resource file 
> /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
>  /opt/puppetlabs/bin/puppet ssl download_cert
>  systemctl restart choria-server
>
> For expired client certs, when that happens to me I will do "rm -rf 
> /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet 
> which will request new cert then sign the cert and run Puppet again.  That 
> process is rather tedious and not something I've automated really well but 
> also not something I have had happen frequently as we don't tend to keep 
> servers around for 5+ years.
>
> On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:
>
>>   Hi all,
>>
>> I'm new in puppet. 
>>
>> I'm currently using puppet 4.10
>>
>> Long story short, puppet certificates were expired and by this time, I am 
>> renewing these certificates one node at a time (including the 
>> puppetmaster). 
>>
>> Once the puppetmaster got "renewed", I tried to create a node 
>> successfully but its first run of puppet agent -t was unsuccessful due to 
>> its related smart proxy server certificate being revoked. Performed a 
>> certificate renewal for the proxy and the new agent now runs fine.
>>
>> However, it happens every time I create a new node. In the past, I 
>> didn't have to renew proxy certificates. That means that there is 
>> something/somewhere in puppetmaster that isn't caught up in terms of 
>> certificates.
>>
>> One try I made was to regenerate a new CA certificate but it seems it wasn't 
>> successful for the earlier described issue.
>>
>> Can anyone please point how to fix the certificate at the puppetmaster 
>> level? 
>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/45b9ab46-e21a-4cf7-9b78-6bdb5c75fba9n%40googlegroups.com.


[Puppet Users] Re: [Please help] - How to renew/fix certificate at puppetmaster level?

2021-10-15 Thread treydock
My advice might not be the best but it's what worked for me when our master 
CA certificate expired.  These are my raw notes from when I had to renew 
our puppetserver certificate. The original certificate was likely Puppet 4 
and expired when running Puppet 6.  I googled around and took some steps 
from various blog posts I found so most of this isn't my original ideas:

# Verify: the CA key and the CA cert must share one RSA modulus
cd /etc/puppetlabs/puppet/ssl/ca
( openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 ;
  openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 )

# Generate new CSR from the existing CA cert, signed with the existing CA key
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem

# Sign: self-sign the CSR with the same key for ten years, re-adding the CA extensions
cat > extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cp ca_crt.pem ca_crt.pem.old   # keep the expired cert for rollback
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem \
  -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
openssl x509 -in ca_crt.pem -noout -text | grep -A 3 Validity   # confirm the new dates
chown puppet: ./*
cd /etc/puppetlabs/puppet/ssl
cp -a ca/ca_crt.pem certs/ca.pem   # the copy the server hands to agents

# CLIENTS: remove the cached CA cert so the agent fetches the re-signed one

/opt/puppetlabs/bin/puppet resource file \
  /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
/opt/puppetlabs/bin/puppet ssl download_cert
systemctl restart choria-server

For expired client certs, when that happens to me I will do "rm -rf 
/etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet 
which will request new cert then sign the cert and run Puppet again.  That 
process is rather tedious and not something I've automated really well but 
also not something I have had happen frequently as we don't tend to keep 
servers around for 5+ years.

On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:

>   Hi all,
>
> I'm new in puppet. 
>
> I'm currently using puppet 4.10
>
> Long story short, puppet certificates were expired and by this time, I am 
> renewing these certificates one node at a time (including the 
> puppetmaster). 
>
> Once the puppetmaster got "renewed", I tried to create a node 
> successfully but its first run of puppet agent -t was unsuccessful due to 
> its related smart proxy server certificate being revoked. Performed a 
> certificate renewal for the proxy and the new agent now runs fine.
>
> However, it happens every time I create a new node. In the past, I 
> didn't have to renew proxy certificates. That means that there is 
> something/somewhere in puppetmaster that isn't caught up in terms of 
> certificates.
>
> One try I made was to regenerate a new CA certificate but it seems it wasn't 
> successful for the earlier described issue.
>
> Can anyone please point how to fix the certificate at the puppetmaster 
> level? 
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d9584c3c-b59d-4ebb-ab0a-bfa6e8af040en%40googlegroups.com.
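The Verify, CSR and Sign steps from treydock's notes, as an added example that is not from the thread: a POSIX shell script that wraps them in functions and makes the key check a precondition of re-signing, so the "values are not equal" case puppet-bsd reports earlier in the thread (a ca_key.pem that did not produce ca_crt.pem) stops the procedure before anything is overwritten. It also checks validity, the CA extensions, and that certs/ca.pem (what agents download) matches ca/ca_crt.pem, and it can rehearse the whole procedure on a throwaway CA. It assumes openssl, cmp and mktemp in PATH and the /etc/puppetlabs/puppet/ssl layout (ca/ca_key.pem, ca/ca_crt.pem, certs/ca.pem); make_scratch_ca, the function names and the "rehearse" argument are mine, not Puppet's.

```shell
#!/bin/sh
# Added example, not from the thread: the Verify / CSR / Sign steps as
# functions, with the key check made a precondition of re-signing.
# Assumes openssl in PATH and the ssldir layout ca/ca_key.pem,
# ca/ca_crt.pem, certs/ca.pem. make_scratch_ca and "rehearse" are mine.

# 0 if the RSA modulus in key $1 equals the one in certificate $2.
# Compares the "Modulus=" lines directly and fails if either file is
# unreadable, so two missing files never look "equal".
ca_key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if certificate $1 is still valid $2 days from now (default 30).
ca_cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 if certificate $1 carries the CA extensions the post re-adds.
ca_cert_has_ca_extensions() {
    t=$(openssl x509 -noout -text -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "$t" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$t" | grep -q 'Certificate Sign' &&
        printf '%s\n' "$t" | grep -q 'CRL Sign'
}

# Write the extension section from the post to file $1.
write_ca_extensions() {
    printf '%s\n' '[CA_extensions]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$1"
}

# Re-sign the CA cert in directory $1 with its own key for $2 days
# (default 3650). Refuses to run if ca_key.pem did not produce ca_crt.pem.
resign_ca() {
    cadir="$1"; days="${2:-3650}"
    ca_key_matches_cert "$cadir/ca_key.pem" "$cadir/ca_crt.pem" || {
        echo "refusing: $cadir/ca_key.pem does not match ca_crt.pem" >&2; return 1; }
    write_ca_extensions "$cadir/extension.cnf" &&
    cp -p "$cadir/ca_crt.pem" "$cadir/ca_crt.pem.old" &&
    openssl x509 -x509toreq -in "$cadir/ca_crt.pem" -signkey "$cadir/ca_key.pem" \
        -out "$cadir/ca_csr.pem" 2>/dev/null &&
    openssl x509 -req -days "$days" -in "$cadir/ca_csr.pem" -signkey "$cadir/ca_key.pem" \
        -extfile "$cadir/extension.cnf" -extensions CA_extensions \
        -out "$cadir/ca_crt.pem" 2>/dev/null
}

# Check an ssldir ($1, default the Puppet one) end to end; 0 only if the key
# matches, the cert is valid for $2 days (default 30), carries the CA
# extensions, and certs/ca.pem (what agents download) equals ca/ca_crt.pem.
check_puppet_ca() {
    ssl="${1:-/etc/puppetlabs/puppet/ssl}"; days="${2:-30}"; rc=0
    ca_key_matches_cert "$ssl/ca/ca_key.pem" "$ssl/ca/ca_crt.pem" || { echo "key/cert modulus mismatch"; rc=1; }
    ca_cert_valid_for_days "$ssl/ca/ca_crt.pem" "$days" || { echo "CA cert expires within $days days"; rc=1; }
    ca_cert_has_ca_extensions "$ssl/ca/ca_crt.pem" || { echo "CA cert lacks CA extensions"; rc=1; }
    cmp -s "$ssl/ca/ca_crt.pem" "$ssl/certs/ca.pem" || { echo "certs/ca.pem differs from ca/ca_crt.pem"; rc=1; }
    return $rc
}

# Throwaway CA in the same layout under $1, valid for $2 days (default 1),
# so the procedure can be rehearsed before touching the real ssldir.
make_scratch_ca() {
    ssl="$1"; mkdir -p "$ssl/ca" "$ssl/certs"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = CA_extensions' '[dn]' > "$ssl/ca/req.cnf"
    write_ca_extensions "$ssl/ca/ext.cnf"
    cat "$ssl/ca/ext.cnf" >> "$ssl/ca/req.cnf"
    openssl genrsa -out "$ssl/ca/ca_key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$ssl/ca/ca_key.pem" -days "${2:-1}" \
        -subj "/CN=Puppet CA: scratch" -config "$ssl/ca/req.cnf" \
        -out "$ssl/ca/ca_crt.pem" 2>/dev/null &&
    cp -p "$ssl/ca/ca_crt.pem" "$ssl/certs/ca.pem"
}

# Dry run: sh ca_resign.sh rehearse
if [ "${1:-}" = "rehearse" ]; then
    tmp=$(mktemp -d)
    make_scratch_ca "$tmp" 1
    check_puppet_ca "$tmp" 30 || echo "(expected: the 1-day scratch CA is about to expire)"
    resign_ca "$tmp/ca" 3650 && cp -p "$tmp/ca/ca_crt.pem" "$tmp/certs/ca.pem"
    check_puppet_ca "$tmp" 30 && echo "scratch CA re-signed and in sync"
    rm -rf "$tmp"
fi
```

Two things the one-liners in the post do not catch: piping an unreadable file through openssl md5 hashes an empty string, so a missing key and a missing cert produce the same digest and look "equal", which is why ca_key_matches_cert compares the Modulus= lines and fails on a read error; and nothing in the post verifies that certs/ca.pem was actually refreshed, which is the copy the server serves, so check_puppet_ca fails until the cp step has been done. Run check_puppet_ca against the live ssldir as root before and after the procedure; the CLIENTS step and the restart of puppetserver are still manual.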