Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9156

Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.3
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      Hide
      • puppet ssl clean will delete all client-side artifacts on a node.
      • When run on the CA, the "ca" directory and all of the signed certs, serial.txt, etc should be untouched.
      • The instructions for resetting the agent's SSL state should reference puppetĀ ssl clean instead of find %{ssl_dir} -name %{cert_name}.pem -delete, etc
      Show
      puppet ssl clean will delete all client-side artifacts on a node. When run on the CA, the "ca" directory and all of the signed certs, serial.txt, etc should be untouched. The instructions for resetting the agent's SSL state should reference puppetĀ ssl clean instead of find %{ssl_dir} -name %{cert_name}.pem -delete , etc
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      Adds a "clean" action to the "puppet ssl" application to remove an agent's private key, public key, certificate and/or certificate signing request. If the "--localca" option is specified, the action will also remove the agent's copy of the CA certificate(s) and CRL bundle that it downloaded from the CA previously.

      Prior to this, if an agent's ssl directory was in an inconsistent state, the user was told to run "find /etc/puppetlabs/puppet/ssl -name <name>.pem -delete" or the Windows equivalent. Now users should run "puppet ssl clean" on the agent host. This way users will not accidentally delete their entire CA directory when trying to clean the agent that's running on the CA host.

      Note "puppet ssl clean" is a companion to "puppetserver ca clean". The former should be run on an agent host to clean that agent's ssl directory. The latter should be run on the CA to manage certificates and requests for *all* agents.
      Show
      Adds a "clean" action to the "puppet ssl" application to remove an agent's private key, public key, certificate and/or certificate signing request. If the "--localca" option is specified, the action will also remove the agent's copy of the CA certificate(s) and CRL bundle that it downloaded from the CA previously. Prior to this, if an agent's ssl directory was in an inconsistent state, the user was told to run "find /etc/puppetlabs/puppet/ssl -name <name>.pem -delete" or the Windows equivalent. Now users should run "puppet ssl clean" on the agent host. This way users will not accidentally delete their entire CA directory when trying to clean the agent that's running on the CA host. Note "puppet ssl clean" is a companion to "puppetserver ca clean". The former should be run on an agent host to clean that agent's ssl directory. The latter should be run on the CA to manage certificates and requests for *all* agents.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently our docs and error messaging frequently tell users to delete their SSL directories when something goes wrong with certificates on an agent. This can lead to problems if users accidentally do it on their CA node instead of on an agent, because it will destroy the whole CA and make all agents unable to check in. We should add a new command under puppet ssl to clean up just the client-side artifacts leaving the CA dir untouched no matter where it's run, and tell users to use that instead of deleting their directories manually. This should probably clean up everything in the SSL dir EXCEPT the CA dir.

      We may want to think a little more about the case where someone is running this on the master and has used `puppetserver ca generate` to create certs for distribution. This places the certs both in the ca/signed dir and in ssl/certs, the latter of which could potentially be cleaned up by this command.

      Host-specific files to delete (if present)

      file setting
      private key Puppet[:hostprivkey]
      public key Puppet[:hostpubkey]
      certificate request Puppet[:hostcsr]
      certificate Puppet[:hostcert]
      passphrase file Puppet[:passfile]

      Local copies of CA files to delete (if present)

      file setting
      local ca cert Puppet[:localcacert]
      local crl Puppet[:hostcrl]

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  josh Josh Cooper
                  Reporter:
                  maggie Maggie Dreyer
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  8 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: