hi,

my puppet CA expired. Does anyone know how to solve the problem and extend the validity of the CA? I mean without recreating one and going on each node to change the certs (that is what puppet is made to prevent, going to each node ^^)

regards,
Jean.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, 14 Jun 2011 17:01:20 +0200, jean@squirk.org wrote:
> my puppet CA expired. Anyone knows how to solve the problem and extend
> the validity of the CA ? I mean without recreating one and going on each
> node to change the certs (that is what puppet is made to prevent, going
> to each node ^^)

Pretty sure you can't actually extend the validity of the CA cert.

Unfortunately, I don't think there's much that can be done at this point without touching each node.

I did open up #7962[1] so we can work out exactly what the safety net should look like to help prevent this from happening to other people.

[1] http://projects.puppetlabs.com/issues/7962

-- 
Jacob Helwig
What's the length of time on the CA cert?

-- 
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Thu, Jun 16, 2011 at 10:40 AM, Jacob Helwig <jacob@puppetlabs.com> wrote:
> Pretty sure you can't actually extend the validity of the CA cert.
>
> Unfortunately, I don't think there's much that can be done at this point
> without touching each node.
>
> I did open up #7962[1] so we can work out exactly what the safety net
> should look like to help prevent this from happening to other people.
>
> [1] http://projects.puppetlabs.com/issues/7962
5 years, IIRC.

-- 
Jacob Helwig

On Thu, 16 Jun 2011 11:03:49 -0700, Nathan Clemons wrote:
> What's the length of time on the CA cert?
Thanks. I think having to go out across the board once every 5 years is quite acceptable, although advance warning from the master that it's going to happen would definitely be a good thing.

Jean: Kudos to running Puppet for 5 years! :)

-- 
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Thu, Jun 16, 2011 at 11:09 AM, Jacob Helwig <jacob@puppetlabs.com> wrote:
> 5 years, IIRC.
On Thu, Jun 16, 2011 at 11:12 AM, Nathan Clemons <nathan@livemocha.com> wrote:
> Thanks. I think having to go out across the board once every 5 years is
> quite acceptable, although advance warning from the master that it's going
> to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)

As an FYI, 5 years is the default. When you initially create a CA, you may use the ca_ttl setting to extend this longer.

[master]
ca_ttl = 20y

-Jeff
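Nathan's wish for advance warning and Jeff's ca_ttl note suggest a small check that reports how long the CA cert has left. The script below is an added example, not code from the thread or from Puppet: it parses the notAfter line that `openssl x509 -noout -enddate` prints for the CA cert, converts a ca_ttl value to days for comparison, and exits non-zero once a threshold is crossed so it can run from cron or a monitoring check. The CA cert path, the 90-day threshold and the y/d/h/s suffix handling for ca_ttl are assumptions.

```python
"""Warn ahead of Puppet CA expiry (added example, not part of the thread).

Puppet's ca_ttl fixes the CA lifetime when the CA is created (5y default).
This check parses `openssl x509 -noout -enddate -in <ca cert>` output and
reports the days remaining so expiry is noticed long before agents fail.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Assumed CA cert location for a 2.x-era master; adjust to your ssldir.
CA_CERT = "/var/lib/puppet/ssl/ca/ca_crt.pem"
WARN_DAYS = 90  # assumed threshold


def parse_not_after(enddate_line):
    """Parse a line such as 'notAfter=Jun 14 17:01:20 2016 GMT'."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("unexpected openssl output: %r" % enddate_line)
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def _as_utc(now):
    """Accept None (current time), an ISO date string, or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return now


def days_remaining(enddate_line, now=None):
    """Whole days between 'now' and the CA's notAfter (negative if expired)."""
    return (parse_not_after(enddate_line) - _as_utc(now)).days


def ttl_to_days(ttl):
    """Convert a ca_ttl value ('5y', '30d', '12h', or integer seconds) to days.
    Assumption: suffixes y, d, h, s with a 365-day year."""
    units = {"y": 365, "d": 1, "h": 1 / 24, "s": 1 / 86400}
    ttl = ttl.strip()
    if ttl[-1] in units:
        return int(ttl[:-1]) * units[ttl[-1]]
    return int(ttl) / 86400


def check(enddate_line, now=None, warn_days=WARN_DAYS):
    """Return ('expired'|'warning'|'ok', days_left)."""
    left = days_remaining(enddate_line, now)
    if left < 0:
        return "expired", left
    if left <= warn_days:
        return "warning", left
    return "ok", left


def read_enddate(path=CA_CERT):
    """Ask the openssl CLI for the cert's notAfter line."""
    result = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    status, left = check(read_enddate())
    print("CA cert %s: %d days remaining" % (status, left))
    sys.exit(0 if status == "ok" else 1)
```

Run it from the master's cron; a non-zero exit with "warning" gives the lead time to plan the node-by-node rotation instead of discovering it when agents stop checking in.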
Jennings, Jared L CTR USAF AFMC 46 SK/CCI
2011-Jun-16 21:40 UTC
RE: [Puppet Users] puppet CA expired
> [master]
> ca_ttl = 20y

Neat trick. By the time it expires you'll be gone! :P
On 16/06/2011 20:12, Nathan Clemons wrote:
> Thanks. I think having to go out across the board once every 5 years
> is quite acceptable, although advance warning from the master that
> it's going to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)

Yes, I was planning to install cfengine when the first Puppet appeared; I really liked the creator's way of thinking, which seemed to me a very good approach to the issue, so I jumped in.

As I needed to make a change to all the nodes, I simply recreated a 20-year CA, went to every node removing the SSL certs, and signed all nodes again on the master. If someone knows how to spot a client coming to Puppet and failing the SSL handshake, it would help a lot to spot the ones I missed, if any! :)

regards,
Jean.
If you keep your nodes in a nodes.pp file, and you are logging nodes as they check in, you can run a little script that I run from time to time to find nodes that have stopped communicating:

#!/bin/bash
# Short hostnames that compiled a catalog recently (field 9 of the syslog line)
tail -20000 /var/log/messages | grep "Compiled catalog for " | tr -s " " | cut -f 9 -d " " | cut -f 1 -d "." | sort | uniq > /tmp/nodes_checked_in
# Short hostnames declared in nodes.pp (node 'host.example.com' { ... }); -s skips lines without a quote
cut -s -f 2 -d "'" /etc/puppet/manifests/nodes.pp | cut -f 1 -d "." | sort | uniq > /tmp/nodes_expected
echo "< nodes checked in, but not expected ... > nodes expected, but not checked in."
diff /tmp/nodes_checked_in /tmp/nodes_expected | grep "[<>]" | sort

~Charles~

On Mon, Jun 27, 2011 at 8:52 AM, jean@squirk.org <jean@squirk.org> wrote:
> As I needed to make a change to all the nodes, I simply recreated a 20-year
> CA, went to every node removing the SSL certs, and signed all nodes again
> on the master. If someone knows how to spot a client coming to Puppet
> and failing the SSL handshake, it would help a lot to spot the ones I
> missed, if any! :)
On Mon, Jun 27, 2011 at 4:52 PM, jean@squirk.org <jean@squirk.org> wrote:
> If someone knows how to spot a client coming to Puppet
> and failing the SSL handshake, it would help a lot to spot the ones I
> missed, if any! :)

One simple way is simply to look at the Foreman Puppet certificate list. You can also query it via the API and evaluate the certificate expiry date.

Ohad
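Jean's question (which clients fail the handshake after the CA rotation), Charles's script (expected nodes vs. nodes that compiled a catalog) and Ohad's Foreman suggestion are three views of the same gap: nodes that never came back. The script below is an added example, not code from the thread, Puppet or Foreman: it combines the first two signals by reading nodes.pp and the master's log, and generalises Charles's check by also counting TLS verification failures. The nodes.pp excerpt and log lines are constructed here; the handshake-failure line uses OpenSSL's standard "certificate verify failed" wording, and the "(peer ...)" suffix is an assumption, so adapt the pattern to what your webserver actually logs.

```python
"""Find nodes that did not come back after a CA rotation (added example).

Combines two signals from the master:
  1. 'Compiled catalog for <host>' lines  -> nodes that checked in
  2. 'certificate verify failed' lines     -> clients the master rejected
and compares (1) against the node list declared in nodes.pp.
"""
import re

# Constructed nodes.pp excerpt, in the node 'fqdn' { ... } form the thread assumes.
NODES_PP = """
node 'web01.example.com' { include role::web }
node 'web02.example.com' { include role::web }
node 'db01.example.com'  { include role::db }
node 'old01.example.com' { include role::legacy }
"""

# Constructed master log lines. The peer address suffix is assumed; real
# webservers log the failing peer differently (or not at all).
MASTER_LOG = """
Jun 27 08:50:01 master puppet-master[1234]: Compiled catalog for web01.example.com in environment production in 1.20 seconds
Jun 27 08:50:07 master puppet-master[1234]: Compiled catalog for db01.example.com in environment production in 0.98 seconds
Jun 27 08:50:12 master puppet-master[1234]: ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate B: certificate verify failed (peer 10.0.0.12)
Jun 27 08:51:01 master puppet-master[1234]: Compiled catalog for web01.example.com in environment production in 1.18 seconds
"""

# Short hostname only, mirroring the thread's cut -d "'" | cut -d "." pipeline.
NODE_RE = re.compile(r"^node\s+'([^'.]+)")
CATALOG_RE = re.compile(r"Compiled catalog for ([^\s.]+)")
HANDSHAKE_RE = re.compile(r"certificate verify failed(?: \(peer ([\d.]+)\))?")


def expected_nodes(nodes_pp):
    """Short hostnames declared with node '...' in nodes.pp."""
    found = set()
    for line in nodes_pp.splitlines():
        m = NODE_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def checked_in(log):
    """Short hostnames that compiled a catalog in the log window."""
    return {m.group(1) for m in CATALOG_RE.finditer(log)}


def handshake_failures(log):
    """(count, peer addresses) of TLS verification failures seen by the master."""
    count, peers = 0, set()
    for m in HANDSHAKE_RE.finditer(log):
        count += 1
        if m.group(1):
            peers.add(m.group(1))
    return count, peers


def report(nodes_pp, log):
    expected, seen = expected_nodes(nodes_pp), checked_in(log)
    failures, peers = handshake_failures(log)
    return {
        "missing": sorted(expected - seen),      # expected, but not checked in
        "unexpected": sorted(seen - expected),   # checked in, but not in nodes.pp
        "handshake_failures": failures,
        "failing_peers": sorted(peers),
    }


if __name__ == "__main__":
    for key, value in report(NODES_PP, MASTER_LOG).items():
        print("%-20s %s" % (key + ":", value))
```

On real input, read nodes.pp and the tail of the master's log in place of the constructed strings; a host that is both in "missing" and whose address appears in "failing_peers" is one whose old certificate was not replaced.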