Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2896

Update CA CLI settings init to compute CA dir location

    XMLWordPrintable

Details

    • Task
    • Status: Resolved
    • Normal
    • Resolution: Done
    • None
    • SERVER 7.0.0
    • None
    • None
    • Froyo
    • 3
    • Froyo 11/02/2020, Froyo - 11/09/2020
    • Deprecation
    • Hide
      Beginning in Puppet 7, the default value for the `cadir` setting will be located in the puppetserver conf directory, specifically at /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside puppet's own ssldir. This change will make it safer to delete the puppet's own `ssldir` without accidentally deleting your CA certificates.

      The puppetserver ca cli provides a `migrate` command to move the ca directory from the puppet conf to the puppetserver conf. It will leave behind a symlink on the old ca location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. This link will provide backwards compatibility for tools still expecting the cadir to exist in the old location. In a future version of puppet, the cadir setting will be removed entirely.
      Show
      Beginning in Puppet 7, the default value for the `cadir` setting will be located in the puppetserver conf directory, specifically at /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside puppet's own ssldir. This change will make it safer to delete the puppet's own `ssldir` without accidentally deleting your CA certificates. The puppetserver ca cli provides a `migrate` command to move the ca directory from the puppet conf to the puppetserver conf. It will leave behind a symlink on the old ca location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. This link will provide backwards compatibility for tools still expecting the cadir to exist in the old location. In a future version of puppet, the cadir setting will be removed entirely.
    • Needs Assessment

    Description

      In Puppet 7, we are working to migrate users to a new CA dir location outside of the SSL dir. We want to seamlessly support both halves of this migration, so when computing the settings for the CA CLI tool, the cadir should be the following:

      • If the setting is configured to something custom, use that (if it is inside the ssldir warn the with the same message as in Puppet, see PUP-10720).
      • If the files are in the old location (/etc/puppetlabs/puppet/ssl/ca), use that but warn with the same messages as in Puppet, see PUP-10720
      • if they're in the new location (/etc/puppetlabs/puppetserver/ca), use that
      • if they're in neither location (i.e. we are boostrapping), use the new one.

      This logic only applies to Puppet 7, so as part of this work, branch the gem to create a 2.0 version for use with Puppet 7+ only.

       

      Ensure there are meaningful integration tests.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. SERVER-2895 Update `puppetserver ca setup` to create CA files in new location w/ symlink

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved

          Activity

            People

              justin Justin Stoller
              maggie Maggie Dreyer
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support