Jira (PUP-3262) By default, the cadir should be separated from the ssldir

Christopher Price (JIRA)

Jul 15, 2015, 5:59:05 AM
to puppe...@googlegroups.com
Christopher Price assigned an issue to Unassigned
 
Puppet / Improvement PUP-3262
By default, the cadir should be separated from the ssldir
Change By: Christopher Price
Assignee: Christopher Price
This message was sent by Atlassian JIRA (v6.4.5#64020-sha1:78acd6c)

Adrien Thebo (JIRA)

May 16, 2017, 5:50:04 PM
to puppe...@googlegroups.com
Adrien Thebo updated an issue
Change By: Adrien Thebo
Labels: triaged

Moses Mendoza (JIRA)

May 18, 2017, 1:46:18 PM
to puppe...@googlegroups.com

Charlie Sharpsteen (JIRA)

Oct 18, 2017, 11:55:03 AM
to puppe...@googlegroups.com

Owen Rodabaugh (JIRA)

Oct 19, 2017, 7:16:03 PM
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Needs Priority Major
CS Impact: It would be good to have something which automatically backs up this directory as we see a support case where someone has deleted their CAdir every few weeks.

Lacking that, not putting the CAdir in the same place as the ssldir would be a good step. While we have worked to change the docs to say customers should move this dir, there is advice elsewhere on the internet saying to delete it.

Customers who do not have a backup are faced with a pretty big task of rekeying all of their agents. While bolt can help with this if the customer has set up ssh keys (many do not or do not want to), tasks in PE can't because they rely on this same SSL infrastructure.
CS Severity: 4 - Major
CS Business Value: 5 - $$$$$$
CS Frequency: 1 - 1-5% of Customers

Josh Cooper (JIRA)

Mar 9, 2018, 1:58:05 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Server

Josh Cooper (JIRA)

Mar 9, 2018, 1:58:05 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.0.0

Charlie Sharpsteen (JIRA)

Mar 9, 2018, 12:43:04 PM
to puppe...@googlegroups.com
Charlie Sharpsteen updated an issue
Change By: Charlie Sharpsteen
Affects Version/s: PUP 4.10.10
Affects Version/s: PUP 5.4.0

Josh Cooper (JIRA)

May 18, 2018, 8:26:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-3262
 
Re: By default, the cadir should be separated from the ssldir

ping Justin Stoller Maggie Dreyer we should probably do this sooner rather than later, to understand and react to any downstream impact.

Eric Sorenson (JIRA)

May 31, 2018, 9:28:04 PM
to puppe...@googlegroups.com
Eric Sorenson commented on Improvement PUP-3262

Justin Stoller and I talked through this; a bit more guidance:

  • the new CA dir ought to be under /etc/puppetlabs/puppetserver/ca, though the location should still be relocatable via a puppetserver.conf setting
  • new installations should use that by default; existing installations should look in the old /etc/puppetlabs/puppet/ssl/ca directory and use that without modification if it exists (i.e. do not try to auto-migrate people's CA certs. that path lies madness!)
  • the CLI tool from SERVER-2162 ought to provide an affordance for people to migrate an existing CA (whether single root+intermediate combo or root-only) from the old setup into a root+intermediate combo in the new location
  • if we migrate it should also bring over the old CRL
  • the implications on PE installations, both new and upgrades, need to be considered as part of this work (but under separate tickets)

Eric Thompson (JIRA)

Jun 7, 2018, 7:53:04 PM
to puppe...@googlegroups.com
Eric Thompson commented on Improvement PUP-3262

consider backup and restore for this as well

Eric Thompson (JIRA)

Jun 7, 2018, 7:55:04 PM
to puppe...@googlegroups.com
Eric Thompson commented on Improvement PUP-3262

Maggie Dreyer to break this one up more or less around the bullets above

Maggie Dreyer (JIRA)

Jun 8, 2018, 11:49:03 AM
to puppe...@googlegroups.com
Maggie Dreyer commented on Improvement PUP-3262

Eric Sorenson When we say that existing installations should look in the old CA dir first, do we mean to only look in the default location, or to respect the old setting? This has implications for when/how we remove the CA's Ruby dependency.

Eric Sorenson (JIRA)

Jun 11, 2018, 7:29:05 PM
to puppe...@googlegroups.com
Eric Sorenson commented on Improvement PUP-3262

Maggie Dreyer Hm, I feel like we need to respect the previous setting - the goal is to avoid a hard break for sites who are upgrading, and I think that includes the case where they've relocated the ssl dir via setting.
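
The lookup order discussed in this thread (a relocation setting, then the previously configured CA dir if it exists, then the new default), sketched as an added example; it is not Puppet or Puppet Server code. `resolve_cadir`, `inside?`, `demo` and their keyword names are hypothetical, and the directory layout is constructed in a temp dir.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Default locations named in the thread.
NEW_DEFAULT_CADIR    = '/etc/puppetlabs/puppetserver/ca'
LEGACY_DEFAULT_CADIR = '/etc/puppetlabs/puppet/ssl/ca'

# True when `child` is `parent` or lives beneath it. Compared per path
# component, so /x/ssl-old/ca is not treated as being inside /x/ssl.
def inside?(child, parent)
  wanted = Pathname.new(parent).cleanpath
  Pathname.new(child).cleanpath.ascend { |dir| return true if dir == wanted }
  false
end

# Hypothetical resolver. server_cadir stands for the relocation setting
# (nil when unset); legacy_cadir is the previously configured cadir, which
# is used as-is when present: nothing is moved or migrated.
def resolve_cadir(server_cadir: nil, legacy_cadir: LEGACY_DEFAULT_CADIR,
                  new_default: NEW_DEFAULT_CADIR)
  return [server_cadir, :configured] if server_cadir
  return [legacy_cadir, :legacy] if File.directory?(legacy_cadir)
  [new_default, :new_default]
end

# Constructed layout: resolve once as a fresh install, then again after a
# legacy CA dir appears, and report whether each result sits under ssldir
# (where removing the ssldir would also remove the CA).
def demo
  Dir.mktmpdir do |root|
    ssldir = File.join(root, 'puppet/ssl')
    legacy = File.join(ssldir, 'ca')
    fresh  = File.join(root, 'puppetserver/ca')
    new_install = resolve_cadir(legacy_cadir: legacy, new_default: fresh)
    FileUtils.mkdir_p(legacy)
    upgrade = resolve_cadir(legacy_cadir: legacy, new_default: fresh)
    { new_install: new_install[1], new_exposed: inside?(new_install[0], ssldir),
      upgrade: upgrade[1], upgrade_exposed: inside?(upgrade[0], ssldir) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

An upgraded site that resolves to `:legacy` still has its CA under the ssldir, which is the case the migration tooling and backups mentioned in the thread would need to cover.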

Maggie Dreyer (JIRA)

Jun 13, 2018, 7:34:08 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Improvement PUP-3262

Created PUP-8918 to break down and track this work.

Maggie Dreyer (JIRA)

Sep 20, 2018, 1:26:05 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Improvement PUP-3262

This didn't make it into Puppet 6. See the above epic.

Charlie Sharpsteen (JIRA)

Jul 24, 2019, 9:49:04 PM
to puppe...@googlegroups.com

Charlie Sharpsteen (JIRA)

Aug 22, 2019, 6:33:04 PM
to puppe...@googlegroups.com