Jira (PUP-8918) Finalize separation of CA from Ruby


Maggie Dreyer (JIRA)

Oct 30, 2018, 2:42:04 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
 
Puppet / Epic PUP-8918
Finalize separation of CA from Ruby
Change By: Maggie Dreyer
Epic Name: Separate CA and SSL dirs from Ruby
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Maggie Dreyer (JIRA)

Oct 30, 2018, 2:42:04 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Summary: Separate CA and SSL dirs from Ruby -> Finalize separation of CA from Ruby

Maggie Dreyer (JIRA)

Oct 30, 2018, 2:43:02 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Epic PUP-8918
 
Re: Finalize separation of CA from Ruby

Updating this epic to include both the effort to separate the dirs and the remaining work to remove our entanglement with Ruby Puppet (mostly moving settings to Puppet Server).

Maggie Dreyer (JIRA)

Oct 30, 2018, 2:44:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
This epic contains the work for separating puppetserver removing the CA 's CA dir last ties to Ruby Puppet. This includes moving settings from Puppet into Puppetserver and moving the CA directory under puppetserver 's SSL dir file tree instead of {{puppet/ssl}} . We plan to provide a path for doing this in the Puppet 6 series and move the directories and settings by default in Puppet 7.

Maggie Dreyer (JIRA)

Oct 30, 2018, 2:47:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Epic Colour: ghx-label-6 -> ghx-label-1

Maggie Dreyer (JIRA)

Oct 30, 2018, 4:25:02 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Epic Colour: ghx-label-1 -> ghx-label-3

Josh Cooper (JIRA)

Jul 25, 2019, 5:38:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Epic PUP-8918
 
Re: Finalize separation of CA from Ruby

One gradual step might be to create a new ca directory outside of the existing ssl directory, and symlink from ssl/ca -> ca. This way rm -rf will unlink the symlink, but not follow it:

[root@w4jl4a7y7wi0c0j puppet]# ln -s  /etc/puppetlabs/puppet/ca /etc/puppetlabs/puppet/ssl/ca
[root@w4jl4a7y7wi0c0j puppet]# chown puppet:puppet /etc/puppetlabs/puppet/ca
[root@w4jl4a7y7wi0c0j puppet]# systemctl start puppetserver
[root@w4jl4a7y7wi0c0j puppet]# /opt/puppetlabs/puppet/bin/puppet config set server `facter fqdn` --section main
[root@w4jl4a7y7wi0c0j puppet]# /opt/puppetlabs/puppet/bin/puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for w4jl4a7y7wi0c0j.delivery.puppetlabs.net
Info: Applying configuration version '1564090147'
Notice: Applied catalog in 0.02 seconds
[root@w4jl4a7y7wi0c0j puppet]# rm -rf /etc/puppetlabs/puppet/ssl/
[root@w4jl4a7y7wi0c0j puppet]# find ca/
ca/
ca/requests
ca/signed
ca/signed/w4jl4a7y7wi0c0j.delivery.puppetlabs.net.pem
ca/serial
ca/infra_inventory.txt
ca/infra_serials
ca/inventory.txt
ca/ca_pub.pem
ca/ca_key.pem
ca/ca_crt.pem
ca/ca_crl.pem
ca/infra_crl.pem
[root@w4jl4a7y7wi0c0j puppet]# /opt/puppetlabs/puppet/bin/puppet agent -t
Error: CA certificate is missing from the server
Error: Could not run: CA certificate is missing from the server
[root@w4jl4a7y7wi0c0j puppet]# systemctl restart puppetserver
[root@w4jl4a7y7wi0c0j puppet]# /opt/puppetlabs/puppet/bin/puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for w4jl4a7y7wi0c0j.delivery.puppetlabs.net
Info: Applying configuration version '1564090533'
Notice: Applied catalog in 0.01 seconds

That said, we'd need to make sure permissions are correct on the new ca directory, as I don't think puppet will follow the link when applying the settings catalog.
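
The layout described in the comment above can be checked mechanically. This is an added example, not part of the original comment or of Puppet's code: it verifies that `ssl/ca` is a symlink to a CA directory outside `ssl`, that the CA key is not accessible to "other" (a policy assumed here, not one stated in the thread), and that the CA directory survives `rm -rf ssl/`. The function names and the temporary directories are hypothetical.

```shell
#!/bin/sh
# Added example: runs against throwaway temp directories, not a real install.

# check_ca_layout SSL_DIR CA_DIR
# Returns 0 only if SSL_DIR/ca is a symlink resolving to CA_DIR, CA_DIR lives
# outside SSL_DIR, and CA_DIR/ca_key.pem grants no permissions to "other".
check_ca_layout() {
    ssl_dir=$1 ca_dir=$2
    [ -L "$ssl_dir/ca" ] || { echo "ssl/ca is not a symlink" >&2; return 1; }
    real_ssl=$(cd "$ssl_dir" && pwd -P) || return 1
    real_ca=$(cd "$ca_dir" && pwd -P) || return 1
    real_link=$(cd "$ssl_dir/ca" && pwd -P) || { echo "dangling link" >&2; return 1; }
    [ "$real_link" = "$real_ca" ] || { echo "link points elsewhere" >&2; return 1; }
    case "$real_ca/" in
        "$real_ssl"/*) echo "CA dir is still inside ssl dir" >&2; return 1 ;;
    esac
    key=$ca_dir/ca_key.pem
    [ -f "$key" ] || { echo "missing ca_key.pem" >&2; return 1; }
    other=$(ls -ld "$key" | cut -c8-10)      # the "other" permission triplet
    if [ "$other" != "---" ]; then
        echo "ca_key.pem is accessible to other ($other)" >&2
        return 1
    fi
    return 0
}

# ca_survives_ssl_wipe
# Rebuilds the layout in a temp dir, removes ssl/ the same way the transcript
# does, and returns 0 if the CA directory and its key are still present.
ca_survives_ssl_wipe() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ca" "$tmp/ssl"
    : > "$tmp/ca/ca_key.pem"                 # constructed placeholder key file
    chmod 640 "$tmp/ca/ca_key.pem"
    ln -s "$tmp/ca" "$tmp/ssl/ca"
    rc=1
    if check_ca_layout "$tmp/ssl" "$tmp/ca"; then
        rm -rf "$tmp/ssl"/                   # unlinks ssl/ca, does not follow it
        if [ -f "$tmp/ca/ca_key.pem" ] && [ ! -e "$tmp/ssl" ]; then rc=0; fi
    fi
    rm -rf "$tmp"
    return $rc
}
```

Ownership (the `chown puppet:puppet` step in the transcript) is not checked here because doing so requires the service account to exist on the host.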

Nick Walker (Jira)

Mar 26, 2020, 2:18:04 PM
to puppe...@googlegroups.com
Nick Walker commented on Epic PUP-8918

We've reviewed this and decided it's not a priority at this time.  We're going to complete moving the CA directory and symlinking it back into the ssl directory but that's all from this epic that we plan to accomplish for the time being.  

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Maggie Dreyer (Jira)

Feb 25, 2021, 12:30:03 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Epic PUP-8918

Filed a new Epic that's specifically about dealing with the settings and the JRuby dependency of the CA service.

Maggie Dreyer (Jira)

Aug 23, 2021, 12:43:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Epic Status: In Progress -> Done
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)