Puppet: PUP-9156

Add a `puppet ssl clean` command that will clean up all cert artifacts on an agent


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.3
    • Component/s: None
    • Labels: None
    • Acceptance Criteria:
      • `puppet ssl clean` will delete all client-side artifacts on a node.
      • When run on the CA, the "ca" directory and all of the signed certs, serial.txt, etc. should be untouched.
      • The instructions for resetting the agent's SSL state should reference `puppet ssl clean` instead of `find %{ssl_dir} -name %{cert_name}.pem -delete`, etc.
    • Team: Coremunity
    • Sprint: Platform Core KANBAN
    • Release Notes: New Feature
    • Release Notes Summary:
      Adds a "clean" action to the "puppet ssl" application to remove an agent's private key, public key, certificate and/or certificate signing request. If the "--localca" option is specified, the action will also remove the agent's copy of the CA certificate(s) and CRL bundle that it downloaded from the CA previously.

      Prior to this, if an agent's ssl directory was in an inconsistent state, the user was told to run "find /etc/puppetlabs/puppet/ssl -name <name>.pem -delete" or the Windows equivalent. Now users should run "puppet ssl clean" on the agent host. This way users will not accidentally delete their entire CA directory when trying to clean the agent that's running on the CA host.

      Note "puppet ssl clean" is a companion to "puppetserver ca clean". The former should be run on an agent host to clean that agent's ssl directory. The latter should be run on the CA to manage certificates and requests for *all* agents.
    • QA Risk Assessment: Needs Assessment

    Description

      Currently our docs and error messaging frequently tell users to delete their SSL directories when something goes wrong with certificates on an agent. This can lead to problems if users accidentally do it on their CA node instead of on an agent, because it will destroy the whole CA and make all agents unable to check in. We should add a new command under `puppet ssl` that cleans up just the client-side artifacts, leaving the CA dir untouched no matter where it's run, and tell users to use that instead of deleting their directories manually. This should probably clean up everything in the SSL dir EXCEPT the CA dir.

      We may want to think a little more about the case where someone is running this on the master and has used `puppetserver ca generate` to create certs for distribution. This places the certs both in the ca/signed dir and in ssl/certs, the latter of which could potentially be cleaned up by this command.

      Host-specific files to delete (if present):

      | file                | setting              |
      |---------------------|----------------------|
      | private key         | Puppet[:hostprivkey] |
      | public key          | Puppet[:hostpubkey]  |
      | certificate request | Puppet[:hostcsr]     |
      | certificate         | Puppet[:hostcert]    |
      | passphrase file     | Puppet[:passfile]    |

      Local copies of CA files to delete (if present):

      | file          | setting              |
      |---------------|----------------------|
      | local ca cert | Puppet[:localcacert] |
      | local crl     | Puppet[:hostcrl]     |
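      To make the safety property behind this ticket concrete, the following is an added Ruby example, not Puppet's own implementation of the `clean` action. It models the two tables above as a settings hash (`ssl_settings` is a hypothetical stand-in for `Puppet[:setting]` lookups, using a directory layout modelled on Puppet's defaults), deletes only the host-specific files by default and the local CA copies when `localca: true` is passed (the `--localca` option), and refuses to delete anything that resolves to a path under the CA directory. The fixture it builds is constructed in a temporary directory so the example runs offline.

```ruby
require 'fileutils'
require 'tmpdir'

# Which settings `puppet ssl clean` removes, per the ticket's two tables.
HOST_FILES     = %i[hostprivkey hostpubkey hostcsr hostcert passfile].freeze
LOCAL_CA_FILES = %i[localcacert hostcrl].freeze

# Hypothetical stand-in for Puppet[:setting] lookups: maps the setting names
# to paths under ssl_dir using a layout modelled on Puppet's defaults
# (constructed here, not read from a real puppet.conf).
def ssl_settings(ssl_dir, certname)
  {
    hostprivkey: File.join(ssl_dir, 'private_keys', "#{certname}.pem"),
    hostpubkey:  File.join(ssl_dir, 'public_keys', "#{certname}.pem"),
    hostcsr:     File.join(ssl_dir, 'certificate_requests', "#{certname}.pem"),
    hostcert:    File.join(ssl_dir, 'certs', "#{certname}.pem"),
    passfile:    File.join(ssl_dir, 'private', 'password'),
    localcacert: File.join(ssl_dir, 'certs', 'ca.pem'),
    hostcrl:     File.join(ssl_dir, 'crl.pem'),
    cadir:       File.join(ssl_dir, 'ca')
  }
end

# Removes the agent's own artifacts and, with localca: true, its local copies of
# the CA cert and CRL. Nothing below cadir is ever touched, so running this on
# the CA host cannot destroy the CA. Returns the paths actually deleted.
def ssl_clean(settings, localca: false)
  ca_root = File.expand_path(settings[:cadir]) + File::SEPARATOR
  targets = localca ? HOST_FILES + LOCAL_CA_FILES : HOST_FILES

  targets.each_with_object([]) do |name, deleted|
    path = File.expand_path(settings[name])
    # Guard: refuse outright if a setting has been pointed inside the CA directory.
    if path.start_with?(ca_root)
      raise ArgumentError, "#{name} (#{path}) is inside the CA directory; refusing to delete"
    end
    next unless File.file?(path) # "if present": a missing file is not an error

    File.delete(path)
    deleted << path
  end
end

# Constructed fixture: an ssl dir holding both an agent's files and a CA's files,
# as on a host that runs the agent and the CA together.
def build_fixture(ssl_dir, certname = 'agent1.example.com')
  settings = ssl_settings(ssl_dir, certname)
  (HOST_FILES + LOCAL_CA_FILES).each do |name|
    FileUtils.mkdir_p(File.dirname(settings[name]))
    File.write(settings[name], "constructed #{name}\n")
  end
  %w[ca_crt.pem ca_key.pem serial signed/agent1.example.com.pem].each do |rel|
    path = File.join(settings[:cadir], rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "constructed CA file #{rel}\n")
  end
  settings
end

# Number of regular files below the CA directory; used to show it is untouched.
def ca_file_count(settings)
  Dir.glob(File.join(settings[:cadir], '**', '*')).count { |p| File.file?(p) }
end

# Builds a fresh fixture, runs the clean, and reports what changed, so the
# outcome can be inspected (or asserted on) without a real Puppet install.
def run_scenario(localca: false)
  Dir.mktmpdir do |dir|
    settings = build_fixture(dir)
    ca_before = ca_file_count(settings)
    deleted = ssl_clean(settings, localca: localca)
    {
      deleted: deleted.map { |p| p.sub("#{dir}/", '') }.sort,
      ca_files_before: ca_before,
      ca_files_after: ca_file_count(settings),
      local_ca_remaining: LOCAL_CA_FILES.count { |n| File.file?(settings[n]) },
      second_run_deleted: ssl_clean(settings, localca: localca).size # idempotent
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "puppet ssl clean:           #{run_scenario}"
  puts "puppet ssl clean --localca: #{run_scenario(localca: true)}"
end
```

      Running the script shows the five host-specific files gone after the default clean, the two local CA copies gone only when `localca: true` is set, the four constructed files under `ca/` present before and after in both cases, and a second run deleting nothing. The guard on `cadir` is the part worth keeping in mind: it closes the case the ticket raises about `puppetserver ca generate`, where a file can legitimately live in both `ca/signed` and `ssl/certs`, by making the CA directory a hard boundary regardless of how settings are pointed.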

      People: Josh Cooper, Maggie Dreyer
      Votes: 0
      Watchers: 8