[PUP-3262] By default, the cadir should be separated from the ssldir - Puppet Tickets

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Critical
Resolution: Duplicate
Affects Version/s: PUP 3.7.1, PUP 4.10.10, PUP 5.4.0
Fix Version/s: None
Component/s: None
Labels:
None
Environment:

Any Puppet Master

Template:
customfield_10700 51395
Epic Link:
Clojure CA Service
Team:
Froyo

CS Priority:
Major
CS Frequency:
1 - 1-5% of Customers
CS Severity:
4 - Major
CS Business Value:
5 - $$$$$$
CS Impact:

Hide
It would be good to have something which automatically backs up this directory as we see a support case where someone has deleted their CAdir every few weeks.

Lacking that no putting the CAdir in the same place as the ssldir would be a good step. While we have worked to change the docs to say customers should move this dir there is advice elsewhere on the internet saying to delete it.

Customers who do not have a backup are faced with a pretty big task of rekeying all of their agents. While bolt can help with this if the customer has setup ssh keys(many do not or do not want to), tasks in PE can't because they rely on this same SSL infrastructure.

Show
It would be good to have something which automatically backs up this directory as we see a support case where someone has deleted their CAdir every few weeks. Lacking that no putting the CAdir in the same place as the ssldir would be a good step. While we have worked to change the docs to say customers should move this dir there is advice elsewhere on the internet saying to delete it. Customers who do not have a backup are faced with a pretty big task of rekeying all of their agents. While bolt can help with this if the customer has setup ssh keys(many do not or do not want to), tasks in PE can't because they rely on this same SSL infrastructure.

Description

Re-generating a Puppet Agent certificate is a common maintenance task performed by users. There are tons of guides floating around the internet that explain how to accomplish these tasks. Many include the following step:

Locate Puppet’s ssldir and delete everything in it.

A major problem arises if a user fails to remember that directions including this step are for agent systems only. If the ssldir is removed on a system hosting a puppet master, the CA directory will be destroyed and all Puppet infrastructure controlled by that master will be rendered inoperable until the CA is restored or rebuilt.

Thus, the CA should not be stored in the same directory as Agent certificates. The CA should be located somewhere else on the file system so that it cannot be accidentally destroyed during maintenance tasks that remove the agent certificates.

Attachments

Issue Links

duplicates

PUP-8918 Finalize separation of CA from Ruby

Closed

relates to

ENTERPRISE-1274 Help text for 'node purge' face may result in deleted master certs

Closed

SERVER-2225 Move puppetserver's default CA dir out of Puppet's SSL dir

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: Charlie Sharpsteen

QA Contact:: Kurt Wall

Votes:: 8 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 2014/09/16 11:44 AM

Updated:: 2019/08/22 3:32 PM

Resolved:: 2018/09/11 10:14 AM