Giter Site home page Giter Site logo

ca_extend's Introduction

ca_extend

Table of Contents

  1. Overview
  2. Description - What the module does and why it is useful
  3. Setup - The basics of getting started with this module
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing
  6. Development - Guide for contributing to the module

Overview

This module can extend a certificate authority (CA) that's about to expire or has already expired.

A Puppet CA certificate is only valid for a finite time (a new installation of PE 2019.x / Puppet 6.x will create a 15 year CA, while earlier versions will create a 5 year CA; and upgrading does not extend the CA.), after which it expires. When a CA certificate expires, Puppet services will no longer accept any certificates signed by that CA, and your Puppet infrastructure will immediately stop working.

If your CA certificate is expiring soon (or it's already expired), you need to:

  • Generate a new CA certificate using the existing CA keypair.
  • Distribute the new CA certificate to agents.

This module can automate those tasks.

Description

This module is composed of Plans and Tasks to extend the expiration date of the CA certificate in Puppet Enterprise (and Puppet Open Source) and distribute that CA certificate to agents.

Note that, with Puppet Open Source, if the CA certificate is only used by the Puppet CA and no other integrations, there is no further action to take after using the two Plans. However, if it is used for other integrations (such as SSL encrypted PuppetDB traffic) then those integrations will need to have their copy of the CA certificate updated. If the CA certificate is stored in any keystores, those will also need to be updated.

The functionality of this module is composed into two Plans:

  • ca_extend::extend_ca_cert
    • Extend the CA certificate and configure the primary Puppet server and any Compilers to use that extended certificate.
  • ca_extend::upload_ca_cert
    • Distribute the CA certificate to agents using transport supported by Puppet Bolt, such as ssh and winrm.

Regardless of whether the CA certificate is expired, the extend_ca_cert plan may be used to extend its expiration date in-place and configure the primary Puppet server and any Compilers to use it.

After the CA certificate has been extended, there are three methods for distributing it to agents:

  1. Using the ca_extend::upload_ca_cert plan or another method to copy the CA certificate to agents.
  2. Manually deleting ca.pem on agents and letting them download that file as part of the next Puppet agent run. The agent will download that file only if it is absent, so it must be deleted to use this method.
  3. Using a Puppet file resource to manage ca.pem. Note: This method is only possible if the CA certificate has not yet expired because Puppet communications depend upon a valid CA certificate.

There are also complementary tasks to check the expiration date of the CA certificate, agent certificates, and the CA CRL.

  • ca_extend::check_ca_expiry
    • Checks if the CA certificate expires by a certain date. Defaults to three months from today.
  • ca_extend::check_agent_expiry
    • Checks if any agent certificate expires by a certain date. Defaults to three months from today.
  • ca_extend::check_crl_expiry
    • Checks if the CA crl on the primary server has expired
  • ca_extend::crl_truncate
    • Will truncate and regenerate the CA CRL, this should only be run if the CRL is expired

** If the CA certificate is expiring or expired, you must extend it as soon as possible. **

Setup

This module requires Puppet Bolt >= 1.38.0 on either on the primary Puppet server or a workstation with connectivity to the primary.

The installation procedure will differ depending on the version of Bolt. If possible, using Bolt >= 3.0.0 is recommended. For example, this will install the latest Bolt version on EL 7.

sudo rpm -Uvh https://yum.puppet.com/puppet-tools-release-el-7.noarch.rpm
sudo yum install puppet-bolt

The following two sections show how to install the module dependencies depending on the installed version of Bolt.

Bolt >= 1.38.0 < 3.0.0

The recommended procedure for these versions is to use a Bolt Puppetfile. From within a Boltdir, specify this module and puppetlabs-stdlib as dependencies and run bolt puppetfile install. For example:

mkdir -p ~/Boltdir
cd ~/Boltdir

cat >>Puppetfile <<EOF
mod 'puppetlabs-stdlib'

mod 'puppetlabs-ca_extend'
EOF

bolt puppetfile install

Bolt >= 3.0.0

The recommended procedure for these versions is to use a Bolt Project. When creating a Bolt project, specify this module and puppetlabs-stdlib as dependencies and initialize the project. For example:

sudo rpm -Uvh https://yum.puppet.com/puppet-tools-release-el-7.noarch.rpm
sudo yum install puppet-bolt

If your primary Puppet server or workstation has internet access, the project can be initialized with the needed dependencies with the following:

mkdir ca_extend
cd ca_extend

bolt project init expiry --modules puppetlabs-stdlib,puppetlabs-ca_extend

Otherwise, if your primary Puppet server or workstation operates behind a proxy, initialize the project without the --modules option:

mkdir ca_extend
cd ca_extend

bolt project init expiry

Then edit your bolt-project.yaml to use the proxy according to the documentation. Next, add the module dependencies to bolt-project.yaml:

---
name: expiry
modules:
  - name: puppetlabs-stdlib
  - name: puppetlabs-ca_extend

Finally, install the modules.

bolt module install

See the "Usage" section for how to run the tasks and plans remotely or locally on the primary Puppet server.

Dependencies

  • A Puppet Bolt >= 1.38.0
  • puppetlabs-stdlib
  • A base64 binary on the primary Puppet server which supports the -w flag
  • bash >= 4.0 on the primary Puppet server

Usage

Extend the CA using the ca_extend::extend_ca_cert plan

First, check the expiration of the Puppet agent certificate by running the following command as root on the primary Puppet server:

/opt/puppetlabs/puppet/bin/openssl x509 -in "$(/opt/puppetlabs/bin/puppet config print hostcert)" -enddate -noout

If, and only if, the notAfter date printed has already passed, then the primary Puppet server certificate has expired and must be cleaned up before the CA can be regenerated. This can be accomplished by passing regen_primary_cert=true to the ca_extend::extend_ca_cert plan.

Note: This plan will also run the ca_extend::check_crl_cert task and if the crl is expired, will automatically resolve the issue by running the ca_extend::crl_truncate task.

bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true --targets <primary_fqdn> compilers=<comma_separated_compiler_fqdns> --run-as root

Note that if you are running extend_ca_cert locally on the primary Puppet server, you can avoid potential Bolt transport issues by specifying --targets local://hostname, e.g.

bolt plan run ca_extend::extend_ca_cert --targets local://hostname --run-as root

Distribute ca.pem to agents

Next, distribute ca.pem to agents using one of the three methods:

1. Using the ca_extend::upload_ca_cert Plan

Using the ca_extend::upload_ca_cert plan relies on using ssh and/or winrm transport methods. Use the cert parameter to specify the location of the updated CA cert on the primary server. For example, you may use cert=$(puppet config print localcacert). Distribute the CA certificate to agent nodes specified in the targets parameter. Bolt defaults to using ssh transport, which in turn will use ~/.ssh/config for options such as username and private-key. However, the ca_extend::upload_ca_cert plan works best with a Bolt inventory file to specify targets; this allows for simultaneous uploads to *nix and Windows agents. See the Bolt documentation for more information on configuring an inventory file and the targets parameter.

bolt plan run ca_extend::upload_ca_cert cert=<path_to_cert> --targets <TargetSpec>

As an alternative to using the targets parameter, you may specify targets for the ca_extend::upload_ca_cert plan by connecting Bolt to PuppetDB, after which the --query parameter can be used.

Example query for all agent nodes excluding puppetserver nodes because the ca_extend::extend_ca_cert plan already updates the primary's and compilers' copies of the CA certificate:

bolt plan run ca_extend::upload_ca_cert cert=<path_to_cert> --query "nodes[certname]{! certname in ['primaryfqdn', 'compiler1fqdn', 'compiler2fqdn']}"

2. Manually deleting ca.pem on agents and letting them download that file as part of the next Puppet agent run

The agent will download ca.pem only if it is absent, so it must be deleted to use this method.

For example, on an *nix agent node delete ca.pem by running:

rm $(puppet config print localcacert)

Next, run puppet so the agent will retreive ca.pem:

puppet agent -t

Note: If you are depending on agent nodes downloading ca.pem during a scheduled Puppet run rather than manually initiating a Puppet run with puppet agent -t, you may need to restart the puppet service on *nix nodes. This is because the Puppet agent daemon on *nix nodes could have previous CA content loaded into memory.

3. Using a Puppet file resource to manage ca.pem

You may add this code to the catalog received by your agent nodes; the code manages ca.pem on Windows and *nix nodes with the contents of ca.pem on the compiling server (primary server or compiler). The code will not work with a serverless approach such as puppet apply. Note: This method is only possible if the CA certificate has not yet expired because Puppet communications depend upon a valid CA certificate.

  $localcacert = $facts['os']['family'] ? {
    'windows' => 'C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\ca.pem',
    default   => '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
  }
  file {$localcacert:
    ensure  => file,
    content => file($settings::localcacert),
  }

ca_extend::check_ca_expiry Task

You can use this task to check the CA cert expiry on the primary mainly but you can also use it to check that a remote *nix node's CA cert has been updated after using any means to distribute the new CA certificate.

bolt task run ca_extend::check_ca_expiry --targets <TargetSpec>

ca_extend::check_agent_expiry Task

You can use this task to categorize all PE certs in a PE environment as part of a valid or expiring section based on a customizable date in the future (default 3 months from now). This task runs against a primary server and checks all certs under /etc/puppetlabs/puppet/ssl/ca/signed as the single source of truth for the PE environment and splits the certs between a valid section or expiring section.

bolt task run ca_extend::check_agent_expiry --targets local://hostname

As such, the following output illustrates that all available certs in /etc/puppetlabs/puppet/ssl/ca/signed are valid and nothing is expiring in the next 3 months.

[root@pe-server-7a5b76-0 ca_extend]# bolt task run ca_extend::check_agent_expiry --targets local://hostname
Started on local://pe-server-7a5b76-0.us-west1-c.internal...
Finished on local://pe-server-7a5b76-0.us-west1-c.internal:
  {
    "valid": [
      {
        "console-cert.pem": "Jan 14 19:55:34 2024 GMT"
      },
      {
        "critical-boom.delivery.puppetlabs.net.pem": "Apr 21 17:57:20 2027 GMT"
      },
      {
        "irate-maple.delivery.puppetlabs.net.pem": "Apr 21 19:25:35 2027 GMT"
      }
    ],
    "expired": [

    ]
  }

Successful on 1 target: local://pe-server-7a5b76-0.us-west1-c.internal
Ran on 1 target in 1.32 sec

See REFERENCE.md for more detailed examples.

Reference

Puppet's security is based on a PKI using X.509 certificates.

This module's ca_extend::extend_ca_cert plan creates a new self-signed CA certificate using the same keypair as the prior self-signed CA. The new CA has the same:

  • Keypair.
  • Subject.
  • Issuer.
  • X509v3 Subject Key Identifier (the fingerprint of the public key).

The new CA has a different:

  • Authority Key Identifier (just the serial number, since it's self-signed).
  • Validity period (the point of the whole exercise).
  • Signature (since we changed the serial number and validity period).

Since Puppet's services (and other services that use Puppet's PKI) validate certificates by trusting a self-signed CA and comparing its public key to the Signatures and Authority Key Identifiers of the certificates it has issued, it's possible to issue a new self-signed CA certificate based on a prior keypair without invalidating any certificates issued by the old CA. Once you've done that, it's just a matter of delivering the new CA certificate to every participant in the PKI.

How to Report an issue or contribute to the module

If you are a PE user and need support using this module or are encountering issues, our Support team would be happy to help you resolve your issue and help reproduce any bugs. Just raise a ticket on the support portal.

If you have a reproducible bug or are a community user you can raise it directly on the Github issues page of the module here. We also welcome PR contributions to improve the module. Please see further details about contributing here

Supporting Content

Articles

The Support Knowledge base is a searchable repository for technical information and how-to guides for all Puppet products.

This Module has the following specific Article(s) available:

  1. Check and fix the expiry date for your CA certificate in Puppet Enterprise

Videos

The Support Video Playlist is a resource of content generated by the support team

ca_extend's People

Contributors

bastelfreak avatar coreymbe avatar elainemccloskey avatar gavindidrichsen avatar gmcgrillan avatar henrywangpuppet avatar jarretlavallee avatar jordi-garcia avatar m0dular avatar martyewings avatar puppet-sup avatar sharpie avatar taikaa avatar tkishel avatar

Stargazers

avatar

Watchers

avatar avatar

Forkers

sharpie mirandastreeter cjswart asselvakumar terrorizer1980 jarretlavallee gavindidrichsen-forks martyewings derek-robinson henrywangpuppet jordi-garcia taikaa coreymbe elainemccloskey mathewjose251 prolixalias m0dular

ca_extend's Issues

(SUP-2655) Bolt version needs updated

The minimum version required is incorrect and needs updated. The module wouldn't work with 1.33 and error'ed out with messages about nodes and targets not found. Upgrading to the latest version fixed the issue, but I'm not sure what the minimum would be.

This module requires Puppet Bolt >= 1.2.0 on either on the primary Puppet server or a workstation with connectivity to the primary.

Use aggregate::targets function in upload plan

Currently the upload_ca_cert plan does some... interesting things in Puppet code to aggregate the results. This was written before the aggregate::targets function/plan existed, and this is probably a better solution to use. We may be able to convert the upload plan to a task, or use bolt file upload instead if that works with aggregation.

ca_extend::check_agent_expiry task runs against primary server and not agent nodes

Describe the Change You Would Like

Currently, the readme says:

* ca_extend::check_agent_expiry
Checks if any agent certificate expires by a certain date. Defaults to three months from today.

and provides the following example for usage

bolt task run ca_extend::check_agent_expiry --targets <TargetSpec>

as per code for this task, the only valid <TargetSpec> is the primary server either by using the localhost ref or its fqdn, if run remotely. This needs to be clarified in more detailed so one doesn't replace <TargetSpec> by agent nodes which is a valid ref for the 2 previous examples given in the documentation:

bolt plan run ca_extend::upload_ca_cert cert=<path_to_cert> --targets <TargetSpec>
bolt task run ca_extend::check_ca_expiry --targets <TargetSpec>

Incorrect Error handling ref for upload_ca_cert.pp

Describe the Bug

When using ca_extend::upload_ca_cert plan (e.g. bolt plan run ca_extend::upload_ca_cert cert=$(puppet config print localcacert) --targets XXXX), the plan results on the below Evaluation Error:

Evaluation Error: A substring operation does not accept a String as a character index. Expected an Integer (file: /root/ca_extend/.modules/ca_extend/plans/upload_ca_cert.pp, line: 16, column: 13)
  (file: /root/ca_extend/.modules/ca_extend/plans/upload_ca_cert.pp, line: 16, column: 13)

Expected Behavior

Proceed as normal and handle errors appropriately

Steps to Reproduce

Run bolt plan run ca_extend::upload_ca_cert cert=$(puppet config print localcacert) --targets XXXX

Environment

  • bolt --version 3.23.1
  • puppetlabs-ca_extend", "version": "3.1.0"

Additional Context

upload_ca_cert.pp, line: 16 uses ref => 'Error'['bolt/run-failure']
but the correct ref is => Error['bolt/run-failure']

with this update the plan is able to handle errors correctly as per below:

[root@pe-server-7a5b76-0 ca_extend]# bolt plan run ca_extend::upload_ca_cert cert=$(puppet config print localcacert) --targets pe-node-7a5b76-0
Starting: plan ca_extend::upload_ca_cert
Starting: plan ca_extend::get_agent_facts
Starting: install puppet and gather facts on pe-node-7a5b76-0
Finished: plan ca_extend::get_agent_facts in 0.22 sec
Starting: plan facts
Starting: task facts on pe-node-7a5b76-0
Finished: task facts with 1 failure in 0.05 sec
Finished: plan facts in 0.05 sec
Finished: plan ca_extend::upload_ca_cert in 0.3 sec
{
  "failure": {
    "pe-node-7a5b76-0": {
      "_error": {
        "details": {
          "file": "/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.23.1/modules/facts/plans/init.pp",
          "line": 8
        },
        "kind": "puppetlabs.tasks/connect-error",
        "msg": "Host key verification failed for pe-node-7a5b76-0: fingerprint SHA256:z2wTsygpN10nNpUJuXn9541HrJilOkmtln1PsRVbnkg is unknown for \"pe-node-7a5b76-0,10.253.3.210\"",
        "issue_code": "HOST_KEY_ERROR"
      }
    }
  }
}

The ca_extend::extend_ca_cert plan fails on PE 2021.0 with regen_primary_cert=true

Describe the Bug

When run against a PE 2021.0 standard install, the ca_extend::extend_ca_cert plan fails with regen_primary_cert=true as puppet infrastructure configure can't regenerate a missing primary certificate. For added fun, infra configure exits with a success code, so the plan appears to work, but puppet agent -t still fails.

Expected Behavior

bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true results in puppet agent -t working when run against an expired PE 2021.0 installation.

Steps to Reproduce

Steps to reproduce the behavior:

  • Acquire a virtual machine running CentOS 7.
  • Set the system clock back in time 5 years:
timedatectl set-ntp false
timedatectl set-time "$(date --date='5 years ago' +'%Y-%m-%d %H:%M:%S')"
  • Install PE 2018.1.18. Run puppet agent -t twice to verify everything works.
  • Upgrade to PE 2019.8.5
  • Upgrade to PE 2021.0
  • Run puppet agent -t to verify everything still works.
  • Re-enable NTP with timedatectl set-ntp true. puppet agent -t should now fail as all certificates have expired.
  • Use m0dular/crl_truncate to clear out the expired CRL (this is rare to encounter on a real-world install as some revocation activity usually occurs to regularly advance the CRL expiration date)
  • Run the ca_extend::extend_ca_cert plan with regen_primary_cert=true
  • Run puppet agent -t

Environment

  • Version: puppetlabs-ca_extend 2.1.0
  • Platform: Any PE primary platform

Additional Context

Output from puppet infrastructure configure shows an early failure when trying to run puppetserver ca generate to recreate the primary certificate:

Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/temporal-test.platform9.puppet.net.pem'
Error: Run `puppet agent -t`
Warning: Error connecting to temporal-test.platform9.puppet.net on 8081 at route https://temporal-test.platform9.puppet.net:8081/pdb/query/v4, error message received was 'Request to https://temporal-test.platform9.puppet.net:8081/pdb/query/v4 failed after 0.003 seconds: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/temporal-test.platform9.puppet.net.pem''. Failing over to the next PuppetDB server_url in the 'server_urls' list
Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/temporal-test.platform9.puppet.net.pem'
Error: Run `puppet agent -t`
2021-03-17T18:34:01.467+00:00 - [Notice]: Compiled catalog for temporal-test.platform9.puppet.net in environment enterprise in 5.81 seconds
2021-03-17T18:34:10.343+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Error:
2021-03-17T18:34:10.343+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/private_keys/temporal-test.platform9.puppet.net.pem'
2021-03-17T18:34:10.343+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Existing file at '/etc/puppetlabs/puppetserver/ca/signed/temporal-test.platform9.puppet.net.pem'
2021-03-17T18:34:10.343+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Please delete these files if you really want to generate a new cert for temporal-test.platform9.puppet.net.
2021-03-17T18:34:10.346+00:00 - [Error]: '/opt/puppetlabs/bin/puppetserver ca generate --certname temporal-test.platform9.puppet.net --ca-client --subject-alt-names 'puppet'' returned 1 instead of one of [0]
2021-03-17T18:34:10.350+00:00 - [Error]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca generate --certname temporal-test.platform9.puppet.net --ca-client --subject-alt-names 'puppet'' returned 1 instead of one of [0]
2021-03-17T18:34:10.352+00:00 - [Notice]: /Stage[main]/Puppet_enterprise::Pxp_agent::Service/Service[pxp-agent]: Dependency Exec[generate node cert] has failures: true
...

check_agent_expiry does not handle dates correctly

Describe the Bug

The check_agent_expiry task improperly shows certs are going to expire soon when they have several years left.

Expected Behavior

The check_agent_expiry should only show certificates that are expired or going to expire in the next 3 months.

Steps to Reproduce

  1. Generate certificates within 3 months of the current date that expire in several years
  2. Run the task
  3. Notice that it does not account for the year

Cert examples

These certs show in the expired array in the json output.

# /opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/signed/server-c.pem -enddate -noout
notAfter=May 6 00:54:51 2025 GMT
# /opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/signed/server-b.pem -enddate -noout
notAfter=Jan 22 22:26:44 2024 GMT
# /opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/signed/server-a.pem -enddate -noout
notAfter=Apr 16 18:30:43 2025 GMT

ca_extend uses hardcoded paths to files and directories

Describe the Bug

The tasks and plans in the ca_extend module read and write various files. In some cases, hardcoded paths are used such as: /etc/puppetlabs/puppet/ssl/, /etc/puppetlabs/puppet/ssl/ca/ or /etc/puppetlabs/puppet/ssl/certs/ca.pem.

These paths are configurable via puppet.conf and so the relevant settings, ssldir, cadir, localcacert, etc., should be read via puppet config print. This is especially important with the Puppet 6 -> Puppet 7 upgrade that changes the default location of cadir from /etc/puppetlabs/puppet/ssl/ca/ to /etc/puppetlabs/puppetserver/ca.

ca_extend::check_agent_expiry not providing any information

Describe the Bug

When ca_extend::check_agent_expiry against an agent, we don't receive any cert details.

{
    "valid": [
  
    ],
    "expiring": [
  
    ]
  }

Expected Behavior

We should be getting some valid return such as

{"valid": ["Sep 15 09:41:01 2026 GMT"], "expiring": []}

Steps to Reproduce

Run bolt task run ca_extend::check_agent_expiry --targets=<AGENT NAME>

which produces

Started on <AGENT NAME>...
Finished on <AGENT NAME>:
  {
    "valid": [
  
    ],
    "expiring": [
  
    ]
  }

Environment

"name": "puppetlabs-ca_extend",
"version": "3.0.0",
Using PE 2019.8.7 primary and agent in centos

Additional Context

When looking at https://github.com/puppetlabs/ca_extend/blob/main/tasks/check_agent_expiry.sh#L24-L37, the for loop uses puppet config print signeddir and feels that it should use puppet config print hostcert instead.

Maybe consider the below code to replace https://github.com/puppetlabs/ca_extend/blob/main/tasks/check_agent_expiry.sh#L24-L41

hostcert="$(puppet config print hostcert)"

# The -checkend command in openssl takes a number of seconds as an argument
# However, on older versions we may overflow a 32 bit integer if we use that
# So, we'll use bash arithmetic and `date` to do the comparison

expiry_date="$(${openssl} x509 -in "${hostcert}" -enddate -noout)"

expiry_date="${expiry_date#*=}"

expiry_seconds="$(date --date="$expiry_date" +"%s")" || fail "Error calculating expiry date from enddate"

if (( to_date >= expiry_seconds )); then
  expired+=("\"$expiry_date\"")
else
  valid+=("\"$expiry_date\"")
fi

# This is ugly, we as of now we don't include jq binaries in Bolt
# As long as there aren't weird characters in certnames it should be ok
(IFS=,; printf '{"valid": [%s], "expired": [%s]}' "${valid[*]}" "${expired[*]}")

The above code output produces the following results:

bolt task run ca_extend::check_agent_expiry --targets=<AGENT NAME>
Started on <AGENT NAME>...
Finished on <AGENT NAME>:
  {
    "valid": [
      "Sep 15 09:41:01 2026 GMT"
    ],
    "expired": [
  
    ]
  }
Successful on 1 target: <AGENT NAME>
Ran on 1 target in 2.1 sec

Add Shellcheck to CI

SC1090 is disabled in most files. Let's disable it globally in CI. SHELLCHECK_OPTS="--exclude SC1090" to reduce the redundant disabling of it. shellcheck can be added to the travis-ci.yml like the following.

https://github.com/puppetlabs/support-tasks/blob/master/.sync.yml#L25-L34
https://github.com/puppetlabs/support-tasks/blob/master/.sync.yml#L48-L49
https://github.com/puppetlabs/support-tasks/blob/master/.sync.yml#L59-L62

Then run pdk update to sync the changes to the travis file.

The ca_extend::extend_ca_cert plan fails if the primary certificate has expired

Describe the Bug

If the expiration date for the primary certificate in a Puppet Installation has already passed, the ca_extend::extend_ca_cert plan will successfully extend the CA certificate but then fail when puppet infrastructure configure --no-recover is run to move the new CA certificate into place.

Expected Behavior

The first step of recovering from an expired CA completes successfully, even if the PKI infrastructure of a Puppet installation has completely expired.

Steps to Reproduce

Steps to reproduce the behavior:

  • Acquire a virtual machine running CentOS 7.

  • Set the system clock back in time 5 years:

timedatectl set-ntp false
timedatectl set-time "$(date --date='5 years ago' +'%Y-%m-%d %H:%M:%S')"

  • Install PE 2018.1.18. Run puppet agent -t twice to verify everything works.

  • Re-enable NTP with timedatectl set-ntp true. puppet agent -t should now fail as all certificates have expired.

  • Run the ca_extend::extend_ca_cert plan. It will fail while trying to run puppet infrastructure configure:

# bolt --version
2.44.0

# bolt puppetfile show_modules
# bolt puppetfile show-modules
...
/root/Boltdir/modules
  puppetlabs/ca_extend   1.2.1
  puppetlabs/stdlib      6.6.0
...

# bolt plan run ca_extend::extend_ca_cert --targets "local://$(puppet config print certname)"
Starting: plan ca_extend::extend_ca_cert
Starting: install puppet and gather facts on local://20198-primary.p9.test
The local transport will default to using Bolt's Ruby interpreter and setting the 'puppet-agent' feature in Bolt 3.0. Enable or disable these defaults by setting 'bundled-ruby' in the local transport config. [ID: local_default_config]
Finished: install puppet and gather facts with 0 failures in 9.79 sec
Starting: task facts on local://20198-primary.p9.test
Finished: task facts with 0 failures in 11.05 sec
INFO: Stopping Puppet services on local://20198-primary.p9.test
Starting: task service::linux on local://20198-primary.p9.test
Finished: task service::linux with 0 failures in 0.13 sec
Starting: task service::linux on local://20198-primary.p9.test
Finished: task service::linux with 0 failures in 1.22 sec
Starting: task service::linux on local://20198-primary.p9.test
Finished: task service::linux with 0 failures in 0.16 sec
INFO: Extending CA certificate on local://20198-primary.p9.test
Starting: task ca_extend::extend_ca_cert on local://20198-primary.p9.test
Finished: task ca_extend::extend_ca_cert with 0 failures in 2.42 sec
INFO: Configuring local://20198-primary.p9.test to use the extended CA certificate
Starting: task ca_extend::configure_master on local://20198-primary.p9.test
Finished: task ca_extend::configure_master with 1 failure in 82.77 sec
Finished: plan ca_extend::extend_ca_cert in 1 min, 48 sec
Failed on local://20198-primary.p9.test:
  The task failed with exit code 1
  2021-02-05T01:15:53.722+00:00 - [Notice]: Compiled catalog for 20198-primary.p9.test in environment enterprise in 5.25 seconds
  2021-02-05T01:15:59.716+00:00 - [Notice]: /Stage[main]/Puppet_enterprise::Profile::Controller/File[/etc/puppetlabs/client-tools/ssl/certs/ca.pem]/content: content changed '{md5}23cbdcd36f1cec6b03e0a7e830d6be9c' to '{md5}d1cd9af62234c6c5e48636aca1b7811d'
  2021-02-05T01:16:00.843+00:00 - [Notice]: /Stage[main]/Pe_install::Install/Service[puppet]/ensure: ensure changed 'stopped' to 'running'
  2021-02-05T01:16:07.264+00:00 - [Notice]: /Stage[main]/Pe_postgresql::Server::Service/Service[postgresqld]/ensure: ensure changed 'stopped' to 'running'
  2021-02-05T01:16:44.655+00:00 - [Notice]: /Stage[main]/Puppet_enterprise::Master::Puppetserver/Puppet_enterprise::Trapperkeeper::Pe_service[puppetserver]/Service[pe-puppetserver]/ensure: ensure changed 'stopped' to 'running'
  { "status": "error", "message": "Error running 'puppet infrastructure configure'", "stderr": "Error: Failed to initialize SSL: The certificate 'CN=20198-primary.p9.test' has expired, verify time is synchronized Error: Run `puppet agent -t` Error: Failed to initialize SSL: The certificate 'CN=20198-primary.p9.test' has expired, verify time is synchronized Error: Run `puppet agent -t` 2021-02-05T01:16:48.076+00:00 - [Error]: Failed to initialize SSL: The certificate 'CN=20198-primary.p9.test' has expired, verify time is synchronized 2021-02-05T01:16:48.076+00:00 - [Error]: Run `puppet agent -t` 2021-02-05T01:16:48.077+00:00 - [Error]: Could not prefetch pe_node_group provider 'ruby': The certificate 'CN=20198-primary.p9.test' has expired, verify time is synchronized 2021-02-05T01:16:48.251+00:00 - [Error]: Failed to apply catalog: The certificate 'CN=20198-primary.p9.test' has expired, verify time is synchronized " }
Failed on 1 target: local://20198-primary.p9.test

ca_extend repo is missing Git tags for each module release

Describe the Bug

Each module release should have an associated Git tag so that the exact source code for a module can be quickly pulled up when investigating issues. Tags also enable installation of modules from Git sources for folks that don't use Forge releases.

ca_extend::upload_ca_cert plan doesn't from from the console

Describe the Bug

Whenever the ca_extend::upload_ca_cert plan gets executed as a Bolt command, it works as expected as per below.

Bolt implementation

However, the same ca_extend::upload_ca_cert plan is executed from the console with the same details, it doesn't work and reports Could not find file: /etc/puppetlabs/puppet/ssl/certs/ca.pem as per below:

ca_extend upload_ca_cert

Environment

  • puppetlabs-ca_extend (v3.2.0)
  • PE 2019.8.7 and PE 2021.3

Support External PE Postgres

In my fork of the module, we closed an issue to support split installs because they are a deprecated architecture. However, because external PE Postgres (i.e. a dedicated postgres node managed by PE code) is a feature of PE XL, we need a solution for this.

Currently, the plan only restarts pe-postgresqlon the primary. In the event of an expired CA in PE XL, I'm not sure if this would fail or be enough to fix the services on the primary, but the postgres node(s) would still be down.

(SUP-2743) The ca_extend::extend_ca_cert plan fails if the CRL is expired

Describe the Bug

If the hostcrl or cacrl files are expired, the ca_extend::extend_ca_cert plan will fail with validation errors when attempting to copy an extended CA certificate into place or re-generate the certificate of a primary.

This is somewhat of an edge case as most installs have some amount of regular revocation activity that keeps the CRL fresh. However, it complicates testing.

Expected Behavior

bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true works when run against a PE installation with an expired CRL.

Steps to Reproduce

Steps to reproduce the behavior:

  • Acquire a virtual machine running CentOS 7.
  • Set the system clock back in time 5 years:
timedatectl set-ntp false
timedatectl set-time "$(date --date='5 years ago' +'%Y-%m-%d %H:%M:%S')"
  • Install PE 2018.1.18. Run puppet agent -t twice to verify everything works.
  • Upgrade to PE 2019.8.5
  • Run puppet agent -t to verify everything still works.
  • Re-enable NTP with timedatectl set-ntp true. puppet agent -t should now fail as all certificates have expired.
  • Use m0dular/crl_truncate to clear out the expired CRL (this is rare to encounter on a real-world install as some revocation activity usually occurs to regularly advance the CRL expiration date)
  • Run the ca_extend::extend_ca_cert plan with regen_primary_cert=true

Environment

  • Version: puppetlabs-ca_extend 2.1.0
  • Platform: Any PE primary platform

Additional Context

The ca_extend::configure_master plan fails shortly after running puppet infrastructure configure due to TLS validation issues caused by the expired CRL:

2021-03-18T23:31:26.291+00:00 - [Notice]: Compiled catalog for temporal-test.platform9.puppet.net in environment enterprise in 6.36 seco
nds
2021-03-18T23:31:32.895+00:00 - [Notice]: /Stage[main]/Puppet_enterprise::Profile::Controller/File[/etc/puppetlabs/client-tools/ssl/cert
s/ca.pem]/content: content changed '{md5}a33e533fc43aa3e1e55cf155e864931d' to '{md5}a1d86bf1b23d63e833d0a27f68b17fe1'
2021-03-18T23:31:34.205+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Pe_install::Stop_service[stop pe-puppetserver b
efore cert generation]/Service[Shutdown pe-puppetserver before []]/enable: enable changed 'true' to 'false'
2021-03-18T23:31:34.531+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Error:
2021-03-18T23:31:34.531+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Leaf certific
ate could not be validated
2021-03-18T23:31:34.531+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: Validating ce
rt store returned: 12 - CRL has expired
2021-03-18T23:31:34.531+00:00 - [Notice]: /Stage[main]/Pe_install::Prepare::Certificates/Exec[generate node cert]/returns: CA not initia
lized. Please set up your CA before attempting to generate certs offline.
2021-03-18T23:31:34.536+00:00 - [Notice]: /Stage[main]/Puppet_enterprise::Pxp_agent::Service/Service[pxp-agent]: Dependency Exec[generate node cert] has failures: true
...

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.