
Difference between revisions of "PKI/Debugging"

Revisions compared: Jbond (page creation) and Jobo.

Latest revision as of 09:11, 14 June 2021

Alt DNS names

At the time of writing, the pki::multirootca role uses the Puppet agent certificates to provide authentication. Because the PKI service listens on pki.discovery.wmnet, we rely on Puppet's dns_alt_names configuration. This can cause problems when rebuilding the server, as this option is not currently supported by the reimage scripts. It is therefore recommended to follow these steps when (re)building:

  • first, move the host into the spare::system role; this allows you to use the reimage scripts to rebuild the host and prevents it from getting stuck
  • once the host is up, move it into the pki::multirootca role and run Puppet. You should see a change like the following (although the Puppet run will fail):
--- /etc/puppet/puppet.conf.d/10-main.conf      2021-03-25 11:19:13.680926176 +0000
+++ /tmp/puppet-file20210330-30308-1y7a7nd      2021-03-30 11:46:43.552449866 +0000
@@ -14,7 +14,7 @@
 server = puppet
 
 ca_server = puppetmaster1001.eqiad.wmnet
-
+dns_alt_names = pki.discovery.wmnet
 daemonize = false
 http_connect_timeout = 60
 http_read_timeout = 960
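Review bot: the `-` line in this hunk is an empty line, so nothing is actually removed from 10-main.conf; the only effective change is `+dns_alt_names = pki.discovery.wmnet` placed next to `ca_server`. Since dns_alt_names is only consulted when a new CSR is generated, this run leaves the existing agent certificate unchanged, which is worth stating in the step text so nobody expects the service to work on the discovery name before the renew-cert step that follows.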
  • once this is in place, run the sre.puppet.renew-cert cookbook to regenerate the certificate:
$ sudo cookbook sre.puppet.renew-cert --allow-alt-names pki1001.eqiad.wmnet
  • finally, run Puppet on the PKI servers.
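A post-rebuild check for the steps above, added here as an example and not code from the wiki page or from the Puppet and cookbook tooling it describes: it confirms that the rendered puppet.conf sets dns_alt_names and that the renewed agent certificate actually carries the pki.discovery.wmnet SAN, since the config change alone does not touch the existing certificate. The sample puppet.conf and throwaway self-signed certificate in demo_check() are constructed; the 10-main.conf path is the one shown on the page, and the script name check_alt_names.sh is an assumption.

```shell
#!/bin/sh
# Post-(re)build checks for a pki::multirootca host: added example, not code from
# the wiki page or the Puppet/cookbook tooling it describes.

# Does puppet.conf set dns_alt_names with NAME among its values?  conf_has_alt_name CONF NAME
conf_has_alt_name() {
    sed -n 's/^[[:space:]]*dns_alt_names[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$2"
}

# Does the certificate's subjectAltName list DNS:NAME?  cert_has_alt_name CERT NAME
cert_has_alt_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "DNS:$2"
}

# Both must hold; the config change alone is not enough, the cert must have been reissued.
check_host() {
    conf="$1"; cert="$2"; name="$3"; rc=0
    if conf_has_alt_name "$conf" "$name"; then echo "ok:   $conf sets dns_alt_names=$name"
    else echo "FAIL: $conf lacks dns_alt_names=$name (puppet.conf not rendered yet?)"; rc=1; fi
    if cert_has_alt_name "$cert" "$name"; then echo "ok:   $cert has SAN DNS:$name"
    else echo "FAIL: $cert lacks SAN DNS:$name (run renew-cert --allow-alt-names)"; rc=1; fi
    return $rc
}

# Offline demo on constructed input: a sample puppet.conf plus a throwaway
# self-signed cert that carries the SAN (needs openssl 1.1.1+ for -addext).
demo_check() {
    d=$(mktemp -d)
    printf '[main]\nserver = puppet\nca_server = puppetmaster1001.eqiad.wmnet\ndns_alt_names = pki.discovery.wmnet\n' > "$d/puppet.conf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=pki1001.eqiad.wmnet \
        -addext "subjectAltName=DNS:pki.discovery.wmnet" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    check_host "$d/puppet.conf" "$d/cert.pem" pki.discovery.wmnet
    rc=$?; rm -rf "$d"; return $rc
}

# No arguments: run the demo. On a real host pass the rendered config and the agent cert, e.g.
#   sh check_alt_names.sh /etc/puppet/puppet.conf.d/10-main.conf "$(sudo puppet config print hostcert)"
if [ "$#" -eq 2 ]; then check_host "$1" "$2" pki.discovery.wmnet; elif [ "$#" -eq 0 ]; then demo_check; fi
```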