Jira (PUP-8639) need seamless way to replace expiring CA certificate


James Ralston (JIRA)

Apr 6, 2018, 4:31:06 PM
to puppe...@googlegroups.com
James Ralston created an issue
 
Puppet / New Feature PUP-8639
need seamless way to replace expiring CA certificate
Issue Type: New Feature
Assignee: Unassigned
Created: 2018/04/06 1:30 PM
Priority: Normal
Reporter: James Ralston

What realistic option does a Puppet open source site have if the expiration on the CA master certificate is approaching, and one wants to smoothly transition to a new CA master certificate?

The only official documentation I can find that comes close to this is the following:

https://puppet.com/docs/puppet/5.5/ssl_regenerate_certificates.html

But that procedure is describing an apocalypse-level security event where all certificates must be treated as untrustworthy and discarded.

There is this:

https://forge.puppet.com/puppetlabs/certregen

…but that module hasn't been updated in almost a year, and is incompatible with Puppet 5, because Puppet 5 removed puppet certregen and replaced it with… nothing, as far as I can tell.

The only potential solution I can see is this:

https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place/

Perhaps PE already has a smooth way to do this, but there needs to be a smooth way to do this for Puppet open source as well, without sending sites running open source scurrying to random third-party blog posts.

I realize this is both a very unsexy and very challenging issue to solve, but for the sites that need to solve it… it's a DEFCON 1 event.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
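A defender's check for the situation described in the report above, added here as an example and not taken from the Jira thread or the certregen module: it reports how many days remain on the CA certificate so the expiry is noticed long before it becomes urgent, and it confirms that a candidate replacement CA certificate carries the same public key as the current one (the property an in-place renewal relies on, since agent certificates signed under the old CA certificate only keep verifying if the key pair is unchanged). It assumes openssl on PATH; the CA certificate path is the Puppet 5 default on the CA master and is an assumption about your layout.

```shell
#!/bin/sh
# Added example, not from the Jira thread or the certregen module.
# Assumes openssl on PATH. The CA cert path is the Puppet 5 default on the
# CA master and is an assumption about your layout; override via CA_CERT.
CA_CERT="${CA_CERT:-/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem}"

# Whole days until the certificate in $1 expires (negative once expired).
cert_days_remaining() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # GNU date first, then the BSD form, for "Mon DD HH:MM:SS YYYY GMT".
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds when $1 and $2 carry the same public key: agent certificates
# signed under the old CA certificate still verify under the new one,
# which is what an in-place CA renewal relies on.
same_public_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$a" = "$b" ]
}

# Fails when the certificate in $1 has fewer than $2 days left (default 90),
# so it can drive a monitoring check well before the expiry is imminent.
check_ca_expiry() {
    days=$(cert_days_remaining "$1")
    echo "$1 expires in $days days"
    [ "$days" -ge "${2:-90}" ]
}

case "${1:-}" in
    check)   check_ca_expiry "$CA_CERT" "${2:-90}" ;;
    compare) same_public_key "$CA_CERT" "$2" && echo "same key pair" ;;
esac
```

Run it as `sh ca_check.sh check 120` from cron or a monitoring agent, and `sh ca_check.sh compare /path/to/new_ca_crt.pem` before swapping in a renewed CA certificate.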

James Ralston (JIRA)

Apr 6, 2018, 5:26:03 PM
to puppe...@googlegroups.com
James Ralston commented on New Feature PUP-8639
 
Re: need seamless way to replace expiring CA certificate

Correction: someone asserted that puppet certregen is a face that the puppetlabs-certregen module adds.

But per the module dependencies, the module doesn't work with Puppet 5, and doesn't seem to be under active development.

Eric Sorenson (JIRA)

Apr 16, 2018, 8:01:38 PM
to puppe...@googlegroups.com
Eric Sorenson commented on New Feature PUP-8639
 
Re: need seamless way to replace expiring CA certificate

James Ralston thanks for the report - the certregen module is indeed the right way to go here, it just needs some love and attention.

I've put up a PR to bring it into "modern" puppet land, with support for Puppet 5 and some fixes that would have prevented it from working correctly: https://github.com/puppetlabs/puppetlabs-certregen/pull/43

Can you try it out and make sure it works for you? I'll get a blog post up on the official Puppet blog in the next couple of weeks - the code itself is really good work, we just took our eye off it before getting to the "waving banners and flags" promotional bit.

 

Eric Sorenson (JIRA)

Apr 16, 2018, 8:14:02 PM
to puppe...@googlegroups.com
Eric Sorenson updated an issue
Change By: Eric Sorenson
Description edited: the phrase "is incompatible with Puppet 5" was changed to "doesn't express compatibility with Puppet 5"; the rest of the description is unchanged.

Josh Cooper (Jira)

Aug 21, 2020, 6:52:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-8639

I think this could be handled as described in PUP-10639


Josh Cooper (Jira)

Jan 5, 2023, 12:23:01 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-8639

I'm going to close this as a dup of PUP-10639 as that's what we're using internally to track this issue.
