Jira (PDB-1085) `puppetdb ssl-setup` should allow arbitrary certnames

[Zachary Stern (JIRA)]

Zachary Stern created an issue

PuppetDB / PDB-1085 `puppetdb ssl-setup` should allow arbitrary certnames Issue Type: New Feature Assignee: Unassigned Created: 2014/12/29 10:40 AM Priority: Normal Reporter: Zachary Stern Currently, in order to load balance PuppetDB in PE, you need to configure your multiple PuppetDBs to use a single shared certificate. The puppet_enterprise::profile::puppetdb class including with PE allows you to specify this alternate common cert to use instead of the PuppetDB node's agent cert. However, if you later use puppetdb ssl-setup, which is very commonly used in troubleshooting scenarios, this will always be overwritten, due to the way the command determines what cert to use: mycertname=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint certname`   orig_public_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint hostcert` orig_private_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint hostprivkey` orig_ca_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint localcacert` That's definitely going to make troubleshooting PuppetDB issues cumbersome for LEI customers. One potential remediation could be to include a command line flag for specifying an arbitrary certname, something like: puppetdb ssl-setup --certname foobaz Add Comment

This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)

[Zachary Stern (JIRA)]

Zachary Stern commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames Brett Gray you might care about this.

Add Comment

[Brett Gray (JIRA)]

Brett Gray commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames

Good call Zachary Stern, I found this issue the other day doing an engagement and clearly forgot to raise a ticket!

Add Comment

[Zachary Stern (JIRA)]

Zachary Stern updated an issue

PuppetDB / PDB-1085

`puppetdb ssl-setup` should allow arbitrary certnames

Change By: Zachary Stern

Currently, in order to load balance PuppetDB in PE, you need to configure your multiple PuppetDBs to use a single shared certificate.

The {{puppet_enterprise::profile::puppetdb}} class  including  included  with PE allows you to specify this alternate common cert to use instead of the PuppetDB node's agent cert. However, if you later use {{puppetdb ssl-setup}}, which is *very* commonly used in troubleshooting scenarios, this will always be overwritten, due to the way the command determines what cert to use: {code}

mycertname=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint  certname` orig_public_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint  hostcert` orig_private_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint hostprivkey` orig_ca_file=`puppet master --confdir=$agent_confdir --vardir=$agent_vardir --configprint localcacert`

{code}

That's definitely going to make troubleshooting PuppetDB issues cumbersome for LEI customers.

One potential remediation could be to include a command line flag for specifying an arbitrary {{certname}}, something like: {{puppetdb ssl-setup --certname foobaz}}

Add Comment

[Zachary Stern (JIRA)]

Zachary Stern commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames Kenneth Barber do you have feelings about this?

Add Comment

[Kenneth Barber (JIRA)]

Kenneth Barber updated an issue

PuppetDB / PDB-1085

`puppetdb ssl-setup` should allow arbitrary certnames

Change By: Kenneth Barber Story Points: 3

Add Comment

[Zee Alexander (JIRA)]

Zee Alexander commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames Kenneth Barber this is still valid. We still need to generate certificates that share common certnames for load balancing multiple PuppetDBs at this time.

Add Comment

This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)

[Russell Mull (JIRA)]

Russell Mull commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames

Zee Alexander I'd expect dns-alt-names to be used for load balancing situations; would the ability to specify that in ssl-setup give you what you need?

Add Comment

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

[Russell Mull (JIRA)]

Russell Mull updated an issue

PuppetDB / PDB-1085

`puppetdb ssl-setup` should allow arbitrary certnames

Change By: Russell Mull Labels: triaged

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

PuppetDB / PDB-1085 `puppetdb ssl-setup` should allow arbitrary certnames

Change By: Moses Mendoza Labels: triaged

Add Comment

[Nick Walker (JIRA)]

Nick Walker commented on PDB-1085

Re: `puppetdb ssl-setup` should allow arbitrary certnames Russell Mull I believe you have to use the same cert due to puppetserver something or other. See puppetdb-behind-a-load-balancer-causes-puppet-server-errors and https://github.com/pizzaops/pizzaops-puppetdb_shared_cert But this ticket may be dated as well. I'm not sure you can use puppetdb ssl-setup in PE without causing some issues. See PE-16316

Add Comment

[Claudia Petty (Jira)]

Claudia Petty updated an issue

PuppetDB / PDB-1085

`puppetdb ssl-setup` should allow arbitrary certnames

Change By: Claudia Petty Labels: new-feature

Add Comment

This message was sent by Atlassian Jira (v8.20.21#820021-sha1:38274c8)