It seems to be around the 'puppetserver ca' subcommand [1]
For example, to list all the current certificates [2]
[1]
root@pergamon:~# puppetserver ca
Unknown action:

Usage: puppetserver ca <action> [options]

Manage the Private Key Infrastructure for
Puppet Server's built-in Certificate Authority

Available Actions:

  Certificate Actions (requires a running Puppet Server):

    clean      Revoke cert(s) and remove related files from CA
    generate   Generate a new certificate signed by the CA
    list       List certificates and CSRs
    revoke     Revoke certificate(s)
    sign       Sign certificate request(s)

  Administrative Actions (requires Puppet Server to be stopped):

    import     Import an external CA chain and generate server PKI
    setup      Setup a self-signed CA chain for Puppet Server
    enable     Setup infrastructure CRL based on a node inventory.
    migrate    Migrate the existing CA directory to /etc/puppet/puppetserver/ca
    prune      Prune the local CRL on disk to remove any duplicated certificates

General Options:
    --help                          Display this general help output
    --version                       Display the version
    --verbose                       Display low-level information

Action Options:
  clean:
    --certname NAME[,NAME]          One or more comma separated certnames
    --config CONF                   Custom path to puppet.conf
  enable:
    --config CONF                   Path to puppet.conf
    --infracrl                      Create auxiliary files for the infrastructure-only CRL.
  generate:
    --certname NAME[,NAME]          One or more comma separated certnames
    --config CONF                   Path to puppet.conf
    --subject-alt-names NAME[,NAME]
    --ca-client                     Whether this cert will be used to request CA actions.
    --force                         Suppress errors when signing cert offline.
    --ttl TTL                       The time-to-live for each cert generated and signed
  import:
    --config CONF                   Path to puppet.conf
    --private-key KEY               Path to PEM encoded key
    --cert-bundle BUNDLE            Path to PEM encoded bundle
    --crl-chain CHAIN               Path to PEM encoded chain
    --certname NAME                 Common name to use for the server cert
    --subject-alt-names NAME[,NAME]
  list:
    --config CONF                   Custom path to Puppet's config file
    --all                           List all certificates
    --format FORMAT                 Valid formats are: 'text' (default), 'json'
    --certname NAME[,NAME]          List the specified cert(s)
  migrate:
    --config CONF                   Path to puppet.conf
  prune:
    --config CONF                   Path to the puppet.conf file on disk
  revoke:
    --certname NAME[,NAME]          One or more comma separated certnames
    --config CONF                   Custom path to puppet.conf
  setup:
    --config CONF                   Path to puppet.conf
    --subject-alt-names NAME[,NAME]
    --ca-name NAME                  Common name to use for the CA signing cert
    --certname NAME                 Common name to use for the server cert
  sign:
    --ttl TTL                       The time-to-live for each cert signed
    --certname NAME[,NAME]          the name(s) of the cert(s) to be signed
    --config CONF                   Custom path to Puppet's config file
    --all                           Operate on all certnames

See `puppetserver ca <action> --help` for detailed info
[2]
root@pergamon:~# puppetserver ca list --all | grep kafka3
The cadir is currently configured to be inside the /var/lib/puppet/ssl directory.
This config setting and the directory location will not be used in a future version of puppet.
Please run the puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppet/puppetserver/ca directory.
Use `puppetserver ca migrate --help` for more info.
    kafka3.internal.staging.swh.network   (SHA256)  24:FA:FA:3C:BD:AE:61:F3:34:45:66:B2:D9:34:02:35:EA:E1:01:AB:22:BA:EC:0C:3A:DB:1E:75:A7:6B:A7:1A  alt names: ["DNS:kafka3.internal.staging.swh.network"]
    kafka3.internal.softwareheritage.org  (SHA256)  92:11:B3:C7:66:D1:85:87:9F:7C:4A:42:27:79:1E:9A:DD:A8:E2:54:EC:21:D8:E9:8D:31:28:F9:64:25:BE:C5