Puppet / PUP-3262

By default, the cadir should be separated from the ssldir


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.7.1, PUP 4.10.10, PUP 5.4.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      Any Puppet Master

    • Template:
    • Team:
      Froyo
    • CS Priority:
      Major
    • CS Frequency:
      1 - 1-5% of Customers
    • CS Severity:
      4 - Major
    • CS Business Value:
      5 - $$$$$$
    • CS Impact:
      It would be good to have something which automatically backs up this directory, as we see a support case where someone has deleted their CAdir every few weeks.

      Lacking that, not putting the CAdir in the same place as the ssldir would be a good step. While we have worked to change the docs to say customers should move this dir, there is advice elsewhere on the internet saying to delete it.

      Customers who do not have a backup are faced with a pretty big task of rekeying all of their agents. While Bolt can help with this if the customer has set up SSH keys (many do not or do not want to), tasks in PE can't because they rely on this same SSL infrastructure.

      Description

      Re-generating a Puppet Agent certificate is a common maintenance task performed by users. There are tons of guides floating around the internet that explain how to accomplish these tasks. Many include the following step:

      Locate Puppet’s ssldir and delete everything in it.

      A major problem arises if a user fails to remember that directions including this step are for agent systems only. If the ssldir is removed on a system hosting a puppet master, the CA directory will be destroyed and all Puppet infrastructure controlled by that master will be rendered inoperable until the CA is restored or rebuilt.

      Thus, the CA should not be stored in the same directory as Agent certificates. The CA should be located somewhere else on the file system so that it cannot be accidentally destroyed during maintenance tasks that remove the agent certificates.
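      As an added example (not code from this ticket or from Puppet itself), the following shell guard implements the point above: before running the "delete everything in ssldir" step, it checks whether that directory also holds the CA, refuses to touch anything if it does, and offers a backup of the CA subtree. The CA file names it looks for (ca/ca_key.pem, ca/ca_crt.pem, ca/signed/) follow Puppet's default layout for the affected versions, where cadir sits under ssldir; the sample directory tree, its fake file contents, and the function names are constructed for this demo and are assumptions of the example. On a real host the paths should come from `puppet config print ssldir cadir` rather than being hard-coded.

```shell
#!/bin/sh
# Added example, not code from PUP-3262 or from Puppet. Guards the
# "delete everything in ssldir" step so it cannot destroy a CA that
# lives under the same directory. CA file names match the default
# pre-cadir-split layout (ssldir/ca/...); the sample tree built by
# make_sample_ssldir is constructed here and contains no real keys.

# ca_present SSLDIR: exit 0 if SSLDIR holds CA material, 1 otherwise.
ca_present() {
    [ -f "$1/ca/ca_key.pem" ] || [ -f "$1/ca/ca_crt.pem" ] || [ -d "$1/ca/signed" ]
}

# backup_ca SSLDIR DEST: copy the CA subtree to DEST/ca-<timestamp>,
# preserving permissions (the CA key is 0600-style material). Prints the
# backup path on success; fails if SSLDIR has no CA to copy.
backup_ca() {
    ca_present "$1" || return 1
    dest="$2/ca-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" && cp -pR "$1/ca" "$dest/" || return 1
    printf '%s\n' "$dest"
}

# clear_agent_certs SSLDIR: remove only the agent's own key material
# (certs/, private_keys/, public_keys/, certificate_requests/, crl.pem).
# Returns 2 and removes nothing when SSLDIR also contains a CA, which is
# the situation on a master that the ticket describes.
clear_agent_certs() {
    ssldir="$1"
    if ca_present "$ssldir"; then
        echo "refusing: $ssldir contains a CA; back it up or move cadir first" >&2
        return 2
    fi
    for p in certs private_keys public_keys certificate_requests crl.pem; do
        rm -rf "$ssldir/$p"
    done
}

# make_sample_ssldir ROOT [with_ca]: build a constructed sample tree with
# placeholder files (no real PEM data) to exercise the guard offline.
make_sample_ssldir() {
    root="$1"
    mkdir -p "$root/certs" "$root/private_keys" "$root/public_keys"
    echo "constructed agent cert" > "$root/certs/agent.pem"
    echo "constructed agent key"  > "$root/private_keys/agent.pem"
    if [ "$2" = "with_ca" ]; then
        mkdir -p "$root/ca/signed"
        echo "constructed ca key"  > "$root/ca/ca_key.pem"
        echo "constructed ca cert" > "$root/ca/ca_crt.pem"
    fi
}

# Demo on two constructed trees: an agent-only ssldir and a master whose
# ssldir also holds the CA.
work=$(mktemp -d)
make_sample_ssldir "$work/agent" no_ca
make_sample_ssldir "$work/master" with_ca
clear_agent_certs "$work/agent" && echo "agent: agent material cleared"
clear_agent_certs "$work/master" || echo "master: refused with exit $?"
bk=$(backup_ca "$work/master" "$work/backups") && echo "master: CA backed up to $bk"
rm -rf "$work"
```

      The guard deliberately fails closed: on a master it exits non-zero and leaves the tree untouched, so a copied-and-pasted rekey procedure that wraps the deletion in `&&` stops instead of wiping the CA. The backup step is the interim measure the CS Impact field asks for until the CA lives outside ssldir.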


              People

              Assignee:
              Unassigned
              Reporter:
              Charlie Sharpsteen (chuck)
              QA Contact:
              Kurt Wall
              Votes:
              8
              Watchers:
              17
