Scheduled changes to SSL certs


Jonathan Gazeley

Oct 16, 2015, 6:11:45 AM10/16/15
to Puppet Users
Here's a problem that might have an interesting solution.

I use Puppet to deploy (amongst other things) SSL certs for web servers.
One of my certs is expiring in January 2016 and I have already been sent
the replacement. They overlap by 7 days. I might forget to make the
change in January so I was wondering if there is a way of configuring
Puppet today to magically switch over the certs in January. (i.e.
continue deploy the current cert until a specific date and then deploy
the new one instead)

I see the generate function can be used to execute system calls to fetch
the date but I'm not sure about date comparisons in Puppet. I guess I
would need to use epoch time to compare as integers.

# generate() takes the command and its arguments separately; the command
# must be a fully qualified path. It returns the output as a string.
$date = generate('/bin/date', '+%s')

# 1451606400 is 2016-01-01T00:00:00Z. Puppet converts the numeric-looking
# string from generate() before comparing.
if $date > 1451606400 {
  $cert = 'newcert.crt'
} else {
  $cert = 'oldcert.crt'
}

# 'source' must be an absolute path or a puppet:/// URL; the bare file
# names above are placeholders for whatever location the certs live in.
file { 'cert.crt':
  source => $cert,
}

I also saw that Felix commented on a similar question on ServerFault:
"As an aside, I would personally refrain from implementing this kind of
thing. It comes with a high risk of falling onto your foot pretty
heavily. Don't build your friendly surprises into Puppet."

Cheers,
Jonathan

Christopher Wood

Oct 16, 2015, 7:06:44 AM10/16/15
to puppet...@googlegroups.com
Have your monitoring system pop up a critical alert for any certs which will expire in the next week. Have a patch ready to go for your pp/eyaml files.

Thomas Müller

Oct 16, 2015, 7:10:11 AM10/16/15
to Puppet Users
You could use the strftime function from stdlib instead of generate.

I don't know a better way than comparing dates in a conditional.

David Schmitt

Oct 16, 2015, 8:56:28 AM10/16/15
to puppet...@googlegroups.com
You can use the time() function from stdlib, to make this a little less
resource intensive:

https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/lib/puppet/parser/functions/time.rb

A different approach would be to use strftime (also from stdlib) to
interpolate the current year into the source URL of your cert and have
them called 'cert-2015.pem' and 'cert-2016.pem'.

Felix's comment should be heeded, though. Especially the latter version
will "cause" an outage at the most inconvenient time of the year:
2016-01-01T00:10.

Cheers, David
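The check behind the two warnings in this thread, as an added example that is not code from any of the posters: given the old cert's notAfter and the new cert's notBefore, it computes the window in which either cert is valid and rejects a switch-over instant that falls outside it, including the epoch cutoff 1451606400 from the first post and the year rollover from the strftime variant. The validity dates are constructed (the thread only says "January 2016" and a 7-day overlap), and the function names are my own; it also includes the expiry alert suggested above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample validity periods: the thread only says the old cert
# expires in January 2016 and that the two certs overlap by 7 days.
OLD_NOT_AFTER = datetime(2016, 1, 20, 12, 0, tzinfo=timezone.utc)
NEW_NOT_BEFORE = OLD_NOT_AFTER - timedelta(days=7)

# Switch-over instants proposed in the thread.
EPOCH_CUTOFF = datetime.fromtimestamp(1451606400, tz=timezone.utc)  # 2016-01-01T00:00Z
YEAR_ROLLOVER = datetime(2016, 1, 1, 0, 10, tzinfo=timezone.utc)    # first run after %Y flips


def overlap_window(old_not_after, new_not_before):
    """Interval in which either cert is valid, or None if they do not overlap."""
    if new_not_before >= old_not_after:
        return None
    return new_not_before, old_not_after


def check_cutoff(cutoff, old_not_after, new_not_before, min_margin=timedelta(days=1)):
    """Return (ok, reason). A safe cutoff lies inside the overlap window and
    leaves at least min_margin before the old cert expires, so a missed or
    failed Puppet run can still be fixed while the old cert works."""
    window = overlap_window(old_not_after, new_not_before)
    if window is None:
        return False, "certs do not overlap"
    start, end = window
    if cutoff < start:
        return False, f"new cert not yet valid at cutoff ({start - cutoff} too early)"
    if cutoff > end - min_margin:
        return False, "cutoff leaves less than the safety margin before expiry"
    return True, "ok"


def cert_to_deploy(now, cutoff):
    """The selection logic from the first post, on timezone-aware instants."""
    return "newcert.crt" if now > cutoff else "oldcert.crt"


def expiry_alert(now, not_after, warn_days=7):
    """The monitoring check suggested in the thread: alert when the cert
    expires within warn_days, so the change is made by a person, not a timer."""
    return (not_after - now) <= timedelta(days=warn_days)
```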
