- Type: Improvement
- Status: Closed
- Priority: Critical
- Resolution: Duplicate
- Affects Version/s: PUP 3.7.1, PUP 4.10.10, PUP 5.4.0
- Fix Version/s: None
- Component/s: None
- Labels: None
- Environment: Any Puppet Master
- Team: Froyo
- CS Priority: Major
- CS Frequency: 1 - 1-5% of Customers
- CS Severity: 4 - Major
- CS Business Value: 5 - $$$$$$
- CS Impact:
Re-generating a Puppet Agent certificate is a common maintenance task performed by users. There are tons of guides floating around the internet that explain how to accomplish these tasks. Many include the following step:
Locate Puppet’s ssldir and delete everything in it.
A major problem arises if a user fails to remember that directions including this step are for agent systems only. If the ssldir is removed on a system hosting a puppet master, the CA directory will be destroyed and all Puppet infrastructure controlled by that master will be rendered inoperable until the CA is restored or rebuilt.
Thus, the CA should not be stored in the same directory as Agent certificates. The CA should be located somewhere else on the file system so that it cannot be accidentally destroyed during maintenance tasks that remove the agent certificates.
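Until the CA lives outside the ssldir, the "delete everything" step can be wrapped in a guard that refuses to run on a host holding CA material. The following is an added example, not code from this ticket or from Puppet; the function names are hypothetical, and it assumes the layout described above, with the CA stored in a `ca` subdirectory of the ssldir.

```shell
#!/bin/sh
# Guarded form of the "delete everything in ssldir" step from agent guides.
# Assumption: CA material lives in "$ssldir/ca", the layout the ticket describes.
# Function names are hypothetical, chosen for this example.

# has_ca_material DIR -> exit 0 if DIR/ca exists and is not empty.
# A populated ca directory typically holds ca_key.pem, ca_crt.pem,
# the serial and inventory files, and the signed/ certificates.
has_ca_material() {
    ssldir=$1
    [ -d "$ssldir/ca" ] || return 1
    [ -n "$(ls -A "$ssldir/ca" 2>/dev/null)" ]
}

# wipe_agent_ssldir DIR
#   0  contents removed (directory itself kept)
#   2  argument rejected (empty, "/", or not a directory)
#   3  refused because CA material is present
wipe_agent_ssldir() {
    ssldir=$1
    case "$ssldir" in
        ''|/) echo "refusing: unsafe ssldir '$ssldir'" >&2; return 2 ;;
    esac
    [ -d "$ssldir" ] || { echo "not a directory: $ssldir" >&2; return 2; }
    if has_ca_material "$ssldir"; then
        echo "refusing: $ssldir/ca holds CA material; this host is a CA" >&2
        return 3
    fi
    # Remove the contents only, so the directory keeps its owner and mode.
    find "$ssldir" -mindepth 1 -delete
}
```

On a real host the argument would come from `puppet config print ssldir`; a non-zero exit means nothing was deleted.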
- duplicates
  - PUP-8918 Finalize separation of CA from Ruby (Closed)
- relates to
  - ENTERPRISE-1274 Help text for 'node purge' face may result in deleted master certs (Closed)
  - SERVER-2225 Move puppetserver's default CA dir out of Puppet's SSL dir (Resolved)