Puppet-ecdsacert: Difference between revisions

Compared revisions: BryanDavis (no edit summary); Alex Monk (add section on labs project puppetmaster pitfall)
Revision as of 15:43, 27 May 2018

It is now possible to generate general-purpose ECDSA certificates using our internal puppet CA and then use those for serving HTTPS traffic internally.

All of the following assumes you're operating on our active puppet CA server.

Usage is pretty simple:

puppet-ecdsacert -a SAN1,SAN2,SAN3 CERTNAME

will take care of generating the private key, creating the CSR, submitting it to the puppet CA and signing it.

You can control the output directories with a config file, but by default the private key will be at:

/var/lib/puppet/ssl/private_keys/CERTNAME.pem

and the public signed cert will be at

/var/lib/puppet/server/ssl/ca/signed/CERTNAME.pem

Once you've generated those files, move the private key into the private puppet repo under /srv/private as a secret (it must never be committed to the public repository), and put the public cert inside the main puppet repository with a .crt extension.
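Before the key and cert are copied into the two repos it is worth confirming that they belong together, that the cert really is ECDSA, that it carries the SANs you asked for, and that it was signed by your CA rather than some other one. The script below is an added example, not part of puppet-ecdsacert or of the puppet repositories; the repo paths, the CERTNAME and the throwaway sample CA it builds with openssl are assumptions so that it runs offline. It generalises slightly beyond the page: the same checks apply to any key/cert pair, not only ones produced by puppet-ecdsacert.

```bash
#!/bin/bash
# Added example (not puppet-ecdsacert's own code): sanity checks to run on the
# generated key/cert pair before copying it into the puppet repos. Paths,
# CERTNAME and the sample CA are assumptions; the constructed CA only stands in
# for the real puppet CA so that the script can run offline.
set -euo pipefail

# Exit 0 if the EC private key and the certificate carry the same public key.
key_matches_cert() {
    local key="$1" cert="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ]
}

# Exit 0 if every name in the comma-separated list $2 is a DNS SAN of cert $1.
cert_has_sans() {
    local cert="$1" wanted="$2" sans name
    # "-text" prints the SAN list on the line after its header, e.g.
    #   X509v3 Subject Alternative Name:
    #       DNS:a, DNS:b
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' | tr ',' '\n')
    for name in $(printf '%s' "$wanted" | tr ',' ' '); do
        printf '%s\n' "$sans" | grep -qx "DNS:${name}" || return 1
    done
}

# Exit 0 if the certificate's key is an EC key (what puppet-ecdsacert produces).
cert_is_ecdsa() {
    openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# Exit 0 if cert $2 chains to CA cert $1, i.e. it was signed by the CA we meant.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check on one pair; prints PASS/FAIL per check, exits 1 on any FAIL.
run_checks() {
    local key="$1" cert="$2" ca="$3" sans="$4" rc=0 c
    for c in "key_matches_cert $key $cert" "cert_has_sans $cert $sans" \
             "cert_is_ecdsa $cert" "cert_signed_by $ca $cert"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; rc=1; fi
    done
    return $rc
}

# Copy the pair into place only if the checks pass: the cert goes into the
# public repo dir as CERTNAME.crt, the key into the private repo dir as
# CERTNAME.pem with owner-only permissions. Repo dirs are assumptions.
install_pair() {
    local key="$1" cert="$2" pub_repo="$3" priv_repo="$4" ca="$5" name
    name=$(basename "$cert" .pem)
    key_matches_cert "$key" "$cert" && cert_is_ecdsa "$cert" \
        && cert_signed_by "$ca" "$cert" || return 1
    install -m 0644 "$cert" "$pub_repo/$name.crt"
    install -m 0400 "$key"  "$priv_repo/$name.pem"
}

# Constructed test data: a throwaway EC CA plus one cert it signed with the
# requested SANs. Prints the directory holding ca.crt, NAME.pem and NAME.key.
make_sample_pair() {
    local dir name="$1" sans="$2"
    dir=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Sample Puppet CA" \
        -days 1 -out "$dir/ca.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' \
        "$(printf '%s' "$sans" | sed 's/^/DNS:/; s/,/,DNS:/g')" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/$name.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

# Demo: "bash check-pair.sh --demo" builds the sample pair and checks it.
if [ "${1:-}" = "--demo" ]; then
    n="etcd.deployment-prep.eqiad.wmflabs"
    d=$(make_sample_pair "$n" "$n,deployment-etcd-01")
    run_checks "$d/$n.key" "$d/$n.pem" "$d/ca.crt" "$n,deployment-etcd-01"
fi
```

On the real CA server you would point run_checks at /var/lib/puppet/ssl/private_keys/CERTNAME.pem, /var/lib/puppet/server/ssl/ca/signed/CERTNAME.pem and the puppet CA cert instead of the sample pair; a FAIL on cert_signed_by is exactly the symptom of the CSR having gone to a different puppetmaster than the one you signed on.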

Use in labs with non-central puppetmasters

If you're using a different puppetmaster in labs, you probably want to do something like this:

echo 'puppetca: deployment-puppetmaster03.deployment-prep.eqiad.wmflabs' > /tmp/ecdsacertconfig
puppet-ecdsacert -a "deployment-etcd-01.deployment-prep.eqiad.wmflabs,deployment-etcd-01,etcd.deployment-prep.eqiad.wmflabs" etcd.deployment-prep.eqiad.wmflabs -c /tmp/ecdsacertconfig

This is needed because puppet-ecdsacert otherwise defaults puppetca to 'puppet', which in labs resolves to the central puppetmaster. The CSR would then be sent to the central puppetmaster, and the puppet cert sign call at the bottom of puppet-ecdsacert would fail.

See also

* Special:Prefixindex/HTTPS