
PKI/Debugging

Revision as of 09:11, 14 June 2021 by imported>Jobo

Alt DNS names

At the time of writing the pki::multirootca role uses the puppet agent certificates for authentication. Because the PKI service listens on pki.discovery.wmnet, the agent certificate has to carry that name as an alternative name, which we configure through the puppet dns_alt_names setting. This causes problems when rebuilding the server, because the reimage scripts do not currently support this option. The recommended steps when (re)building a host are therefore:

  • First move the host into the spare::system role. This lets you rebuild the host with the reimage scripts and prevents the reimage from getting stuck.
  • Once the host is back up, move it into the pki::multirootca role and run puppet. You should see a change like the following (the puppet run itself will fail at this point):
--- /etc/puppet/puppet.conf.d/10-main.conf      2021-03-25 11:19:13.680926176 +0000
+++ /tmp/puppet-file20210330-30308-1y7a7nd      2021-03-30 11:46:43.552449866 +0000
@@ -14,7 +14,7 @@
 server = puppet
 
 ca_server = puppetmaster1001.eqiad.wmnet
-
+dns_alt_names = pki.discovery.wmnet
 daemonize = false
 http_connect_timeout = 60
 http_read_timeout = 960
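Review bot: the surrounding text says the puppet run fails after this change, but neither the hunk nor the steps around it record what the expected failure looks like, so an operator cannot distinguish the expected failure from an unrelated breakage; suggest noting the expected error next to this diff, together with the fact that the remedy is the renew-cert step that follows rather than reverting `dns_alt_names = pki.discovery.wmnet`.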
  • Once this is in place, run the sre.puppet.renew-cert cookbook to reissue the certificate with the alt name:
$ sudo cookbook sre.puppet.renew-cert --allow-alt-names pki1001.eqiad.wmnet
  • Finally, run puppet on the pki servers.
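After the cookbook has reissued the certificate, the thing worth confirming before the final puppet run is that the new agent certificate really lists pki.discovery.wmnet as a DNS alternative name, since a certificate without it is exactly what the reimage scripts would have produced. The script below is an added example, not part of this Wikitech page or of the cookbooks; it assumes OpenSSL 1.1.1 or later on the PATH, and the `make_demo_cert` function builds a throwaway self-signed certificate with the expected names purely so the check can be exercised offline (the hostnames it embeds are constructed stand-ins).

```shell
#!/bin/sh
# Added example (not from the Wikitech page or the cookbooks): verify that a
# certificate carries the DNS alt names a pki::multirootca host needs.
# Assumes openssl >= 1.1.1 (for -addext) is available on the PATH.

# cert_has_dns_san CERT_PEM NAME
# Returns 0 when NAME appears as a DNS entry in the certificate's
# Subject Alternative Name extension, 1 otherwise.
cert_has_dns_san() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:${name}"
}

# check_pki_cert CERT_PEM
# Prints one verdict line per required name and returns 1 if any is missing.
# The two names below are the host's own FQDN and the discovery name the
# PKI service listens on; both are constructed for this demo.
check_pki_cert() {
    cert="$1"; rc=0
    for name in pki1001.eqiad.wmnet pki.discovery.wmnet; do
        if cert_has_dns_san "$cert" "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# make_demo_cert DIR
# Writes DIR/agent.pem: a self-signed certificate (constructed test input,
# standing in for the puppet agent's certificate) that carries both names.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/agent.key" -out "$dir/agent.pem" \
        -subj "/CN=pki1001.eqiad.wmnet" \
        -addext "subjectAltName=DNS:pki1001.eqiad.wmnet,DNS:pki.discovery.wmnet" \
        >/dev/null 2>&1
}

# Demo run against the constructed certificate; on a real host you would
# point check_pki_cert at the agent's certificate PEM instead.
demo() {
    tmp=$(mktemp -d)
    make_demo_cert "$tmp"
    check_pki_cert "$tmp/agent.pem"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

On a real host, run `check_pki_cert` against the agent certificate the cookbook just issued; a `MISSING pki.discovery.wmnet` line means the certificate was signed without the alt name and the renew-cert step needs to be repeated before puppet is run on the pki servers.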