
Fix command to generate Puppetserver CA certs for load balancer #3398

Open
wants to merge 4 commits into
base: master

Conversation

Lennonka
Contributor

@Lennonka Lennonka commented Oct 29, 2024

What changes are you introducing?

Fixing a command to generate certs on Puppet CA SmartProxy

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

It was reported as incorrect and suggested another command instead.

https://issues.redhat.com/browse/SAT-28859

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

  • I have verified that the command exists on a Puppet server (Satellite 6.16/Puppet server 8).
  • I have tried to run the command.
    • First, I had to stop Puppet server before it would run.
    • Then I got a report of a different set of files already existing on my instance, so I used this output to update the list of files that is in the docs.
  • The bug was reported for Satellite 6.15, so I assume that the command is also relevant for Puppet server 7, i.e. for all maintained releases.
  • The suggested command is actually used in the other procedure with default certs.

Checklists

  • I am okay with my commits getting squashed when you merge this PR.
  • I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

  • Foreman 3.12/Katello 4.14 (Satellite 6.16)
  • Foreman 3.11/Katello 4.13
  • Foreman 3.10/Katello 4.12
  • Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8/6.9/6.10)
  • Foreman 3.8/Katello 4.10
  • Foreman 3.7/Katello 4.9 (Satellite 6.14)
  • Foreman 3.6/Katello 4.8
  • Foreman 3.5/Katello 4.7 (Satellite 6.13; orcharhino 6.6/6.7)
  • We do not accept PRs for Foreman older than 3.5.

github-actions bot commented Oct 29, 2024

@Lennonka
Contributor Author

@ekohl Hi, Ewoud! Would you be able to confirm technical accuracy on this one with your current knowledge?

@Lennonka Lennonka changed the title Fix command to generate Puppetserver CA cert for load balancer Fix command to generate Puppetserver CA certs for load balancer Oct 30, 2024
Member

@ekohl ekohl left a comment


I had to take a close look at this and many comments are mostly my notes of what I did.

It largely looks OK, though we should use systemctl stop puppetserver and systemctl start puppetserver if we stop/start the service. But I also raised the question if we need to do that in the first place because I don't think it's needed.

The other big thing is that the default certs and custom certs files should almost entirely be the same. For this PR I have no preference whether you do that manually now or properly with snippets and/or macros, though I'd like to see the latter in the long term.

Comment on lines 69 to 80
* `/etc/puppetlabs/puppet/ssl/certs/ca.pem`
* `/etc/puppetlabs/puppet/ssl/certs/{smartproxy-example-com}.pem`
* `/etc/puppetlabs/puppet/ssl/private_keys/{smartproxy-example-com}.pem`
* `/etc/puppetlabs/puppet/ssl/public_keys/{smartproxy-example-com}.pem`
* `/etc/puppetlabs/puppetserver/ca/signed/{smartproxy-example-com}.pem`
Member


I recall there was a split in this area. You have 2 directories with files now: /etc/puppetlabs/puppet/ssl for the client (puppet-agent) and /etc/puppetlabs/puppetserver/ca/ for the server (puppetserver).

For my own notes, what happens:

# dnf install puppetserver --quiet --yes
# puppet config set server $HOSTNAME
# find /etc/puppetlabs/
/etc/puppetlabs/
/etc/puppetlabs/code
/etc/puppetlabs/code/environments
/etc/puppetlabs/code/environments/production
/etc/puppetlabs/code/environments/production/data
/etc/puppetlabs/code/environments/production/manifests
/etc/puppetlabs/code/environments/production/modules
/etc/puppetlabs/code/environments/production/environment.conf
/etc/puppetlabs/code/environments/production/hiera.yaml
/etc/puppetlabs/code/modules
/etc/puppetlabs/puppet
/etc/puppetlabs/puppet/hiera.yaml
/etc/puppetlabs/puppet/puppet.conf
/etc/puppetlabs/puppet/ssl
/etc/puppetlabs/pxp-agent
/etc/puppetlabs/pxp-agent/modules
/etc/puppetlabs/puppetserver
/etc/puppetlabs/puppetserver/conf.d
/etc/puppetlabs/puppetserver/conf.d/auth.conf
/etc/puppetlabs/puppetserver/conf.d/ca.conf
/etc/puppetlabs/puppetserver/conf.d/global.conf
/etc/puppetlabs/puppetserver/conf.d/metrics.conf
/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf
/etc/puppetlabs/puppetserver/conf.d/web-routes.conf
/etc/puppetlabs/puppetserver/conf.d/webserver.conf
/etc/puppetlabs/puppetserver/services.d
/etc/puppetlabs/puppetserver/services.d/ca.cfg
/etc/puppetlabs/puppetserver/logback.xml
/etc/puppetlabs/puppetserver/request-logging.xml
# puppetserver ca setup
Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca
# find /etc/puppetlabs/
/etc/puppetlabs/
/etc/puppetlabs/code
/etc/puppetlabs/code/environments
/etc/puppetlabs/code/environments/production
/etc/puppetlabs/code/environments/production/data
/etc/puppetlabs/code/environments/production/manifests
/etc/puppetlabs/code/environments/production/modules
/etc/puppetlabs/code/environments/production/environment.conf
/etc/puppetlabs/code/environments/production/hiera.yaml
/etc/puppetlabs/code/modules
/etc/puppetlabs/puppet
/etc/puppetlabs/puppet/hiera.yaml
/etc/puppetlabs/puppet/puppet.conf
/etc/puppetlabs/puppet/ssl
/etc/puppetlabs/puppet/ssl/certs
/etc/puppetlabs/puppet/ssl/certs/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/private_keys
/etc/puppetlabs/puppet/ssl/private_keys/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/public_keys
/etc/puppetlabs/puppet/ssl/public_keys/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/crl.pem
/etc/puppetlabs/puppet/ssl/ca
/etc/puppetlabs/pxp-agent
/etc/puppetlabs/pxp-agent/modules
/etc/puppetlabs/puppetserver
/etc/puppetlabs/puppetserver/conf.d
/etc/puppetlabs/puppetserver/conf.d/auth.conf
/etc/puppetlabs/puppetserver/conf.d/ca.conf
/etc/puppetlabs/puppetserver/conf.d/global.conf
/etc/puppetlabs/puppetserver/conf.d/metrics.conf
/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf
/etc/puppetlabs/puppetserver/conf.d/web-routes.conf
/etc/puppetlabs/puppetserver/conf.d/webserver.conf
/etc/puppetlabs/puppetserver/services.d
/etc/puppetlabs/puppetserver/services.d/ca.cfg
/etc/puppetlabs/puppetserver/logback.xml
/etc/puppetlabs/puppetserver/request-logging.xml
/etc/puppetlabs/puppetserver/ca
/etc/puppetlabs/puppetserver/ca/signed
/etc/puppetlabs/puppetserver/ca/signed/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppetserver/ca/ca_crt.pem
/etc/puppetlabs/puppetserver/ca/ca_crl.pem
/etc/puppetlabs/puppetserver/ca/infra_crl.pem
/etc/puppetlabs/puppetserver/ca/ca_pub.pem
/etc/puppetlabs/puppetserver/ca/inventory.txt
/etc/puppetlabs/puppetserver/ca/infra_inventory.txt
/etc/puppetlabs/puppetserver/ca/infra_serials
/etc/puppetlabs/puppetserver/ca/serial
/etc/puppetlabs/puppetserver/ca/root_key.pem
/etc/puppetlabs/puppetserver/ca/ca_key.pem
# puppetserver ca generate --ca-client --certname $HOSTNAME --subject-alt-names lb.example.com
Successfully saved certificate for 86e3b0fed4cd to /etc/puppetlabs/puppet/ssl/certs/86e3b0fed4cd.pem
Successfully saved certificate for 86e3b0fed4cd to /etc/puppetlabs/puppetserver/ca/signed/86e3b0fed4cd.pem
Successfully saved private key for 86e3b0fed4cd to /etc/puppetlabs/puppet/ssl/private_keys/86e3b0fed4cd.pem
Successfully saved public key for 86e3b0fed4cd to /etc/puppetlabs/puppet/ssl/public_keys/86e3b0fed4cd.pem
# find /etc/puppetlabs/
/etc/puppetlabs/
/etc/puppetlabs/code
/etc/puppetlabs/code/environments
/etc/puppetlabs/code/environments/production
/etc/puppetlabs/code/environments/production/data
/etc/puppetlabs/code/environments/production/manifests
/etc/puppetlabs/code/environments/production/modules
/etc/puppetlabs/code/environments/production/environment.conf
/etc/puppetlabs/code/environments/production/hiera.yaml
/etc/puppetlabs/code/modules
/etc/puppetlabs/puppet
/etc/puppetlabs/puppet/hiera.yaml
/etc/puppetlabs/puppet/ssl
/etc/puppetlabs/puppet/ssl/certs
/etc/puppetlabs/puppet/ssl/certs/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/certs/86e3b0fed4cd.pem
/etc/puppetlabs/puppet/ssl/private_keys
/etc/puppetlabs/puppet/ssl/private_keys/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/private_keys/86e3b0fed4cd.pem
/etc/puppetlabs/puppet/ssl/public_keys
/etc/puppetlabs/puppet/ssl/public_keys/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppet/ssl/public_keys/86e3b0fed4cd.pem
/etc/puppetlabs/puppet/ssl/crl.pem
/etc/puppetlabs/puppet/ssl/ca
/etc/puppetlabs/puppet/puppet.conf
/etc/puppetlabs/pxp-agent
/etc/puppetlabs/pxp-agent/modules
/etc/puppetlabs/puppetserver
/etc/puppetlabs/puppetserver/conf.d
/etc/puppetlabs/puppetserver/conf.d/auth.conf
/etc/puppetlabs/puppetserver/conf.d/ca.conf
/etc/puppetlabs/puppetserver/conf.d/global.conf
/etc/puppetlabs/puppetserver/conf.d/metrics.conf
/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf
/etc/puppetlabs/puppetserver/conf.d/web-routes.conf
/etc/puppetlabs/puppetserver/conf.d/webserver.conf
/etc/puppetlabs/puppetserver/services.d
/etc/puppetlabs/puppetserver/services.d/ca.cfg
/etc/puppetlabs/puppetserver/logback.xml
/etc/puppetlabs/puppetserver/request-logging.xml
/etc/puppetlabs/puppetserver/ca
/etc/puppetlabs/puppetserver/ca/signed
/etc/puppetlabs/puppetserver/ca/signed/86e3b0fed4cd.gijs.example.com.pem
/etc/puppetlabs/puppetserver/ca/signed/86e3b0fed4cd.pem
/etc/puppetlabs/puppetserver/ca/ca_crt.pem
/etc/puppetlabs/puppetserver/ca/ca_crl.pem
/etc/puppetlabs/puppetserver/ca/infra_crl.pem
/etc/puppetlabs/puppetserver/ca/ca_pub.pem
/etc/puppetlabs/puppetserver/ca/inventory.txt
/etc/puppetlabs/puppetserver/ca/infra_inventory.txt
/etc/puppetlabs/puppetserver/ca/infra_serials
/etc/puppetlabs/puppetserver/ca/serial
/etc/puppetlabs/puppetserver/ca/root_key.pem
/etc/puppetlabs/puppetserver/ca/ca_key.pem

This confirms what you wrote.

Just out of interest, I tried to rerun the command to see what happens:

# puppetserver ca generate --ca-client --certname $HOSTNAME --subject-alt-names lb.example.com
Error:
Existing file at '/etc/puppetlabs/puppet/ssl/certs/86e3b0fed4cd.pem'
Existing file at '/etc/puppetlabs/puppet/ssl/private_keys/86e3b0fed4cd.pem'
Existing file at '/etc/puppetlabs/puppet/ssl/public_keys/86e3b0fed4cd.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/signed/86e3b0fed4cd.pem'
Please delete these files if you really want to generate a new cert for 86e3b0fed4cd.

This is what a user will see if they run the generate command for the host that is the CA itself, which they may see if the reader missed the "except this first system where you configure Puppet certificates signing" part.
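As an added example (not part of this PR, the Foreman docs, or puppetserver itself), the following POSIX shell pre-flight check encodes what the session above shows: `puppetserver ca generate` writes four files for a certname, split between the puppet-agent tree (`puppet/ssl`) and the puppetserver CA tree (`puppetserver/ca`), and it refuses to run when any of them already exists. The script lists those paths, reports which exist, and also refuses when the requested certname is the CA server's own hostname, since that certificate was created by `puppetserver ca setup` and is not what the load balancer procedure is meant to regenerate. `PUPPETLABS_ROOT` is an assumed override (defaulting to `/etc/puppetlabs`) so the check can be exercised against a scratch directory; the certnames used in comments are constructed.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Pre-flight check for
# `puppetserver ca generate --ca-client --certname <sp-fqdn> --subject-alt-names <lb-fqdn>`.
# PUPPETLABS_ROOT is an assumed override for testing; real systems use /etc/puppetlabs.

PUPPETLABS_ROOT="${PUPPETLABS_ROOT:-/etc/puppetlabs}"

# Print the four paths `puppetserver ca generate` creates for certname $1:
# three in the puppet-agent ssl tree, one in the puppetserver CA tree.
expected_cert_files() {
    certname="$1"
    printf '%s\n' \
        "$PUPPETLABS_ROOT/puppet/ssl/certs/$certname.pem" \
        "$PUPPETLABS_ROOT/puppet/ssl/private_keys/$certname.pem" \
        "$PUPPETLABS_ROOT/puppet/ssl/public_keys/$certname.pem" \
        "$PUPPETLABS_ROOT/puppetserver/ca/signed/$certname.pem"
}

# Print only those expected paths that already exist on disk
# (the same set puppetserver reports as "Existing file at ...").
existing_cert_files() {
    expected_cert_files "$1" | while IFS= read -r path; do
        if [ -e "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Return 0 when it is safe to generate a cert for certname $1.
# $2 is this host's name (defaults to `hostname`); generating for the CA
# server's own certname is refused with status 2, existing files with status 1.
preflight_generate() {
    certname="$1"
    self="${2:-$(hostname)}"
    if [ "$certname" = "$self" ]; then
        echo "refusing: $certname is this CA server's own certname" >&2
        return 2
    fi
    count=$(existing_cert_files "$certname" | wc -l | tr -d ' ')
    if [ "$count" -ne 0 ]; then
        echo "refusing: $count existing file(s) for $certname:" >&2
        existing_cert_files "$certname" >&2
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh sp1.example.com   (certname is a constructed sample)
if [ -n "${1:-}" ]; then
    if preflight_generate "$1"; then
        echo "ok: no existing files for $1; safe to run puppetserver ca generate --ca-client --certname $1 --subject-alt-names <lb-fqdn>"
    fi
fi
```

Run it on the Puppet CA Smart Proxy with the certname of the Smart Proxy you are about to issue a certificate for; a non-zero exit and the printed file list tell you whether you are about to collide with an existing certificate (and, in the hostname case, whether you have accidentally targeted the CA itself), without deleting anything.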

Contributor Author

@Lennonka Lennonka Nov 4, 2024


@ekohl So are they supposed to run the command on the Puppet CA SmartProxy? Or on all other SmartProxies that aren't the Puppet CA? Please, clarify.

Contributor Author


Oh, I think I get that. The command runs on the Puppet CA SP, but the parameter is not supposed to include the hostname of the Puppet CA SP itself. Right?

@pr-processor pr-processor bot added Waiting on contributor Requires an action from the author and removed Not yet reviewed labels Oct 31, 2024
@Lennonka Lennonka marked this pull request as draft November 1, 2024 17:30
@pr-processor pr-processor bot added Needs re-review and removed Waiting on contributor Requires an action from the author labels Nov 4, 2024
@Lennonka Lennonka force-pushed the fix-command-cert-puppet-loadbalancer branch from 5452564 to 47d50b5 November 4, 2024 21:01
@Lennonka Lennonka requested a review from ekohl November 4, 2024 21:02
@Lennonka
Contributor Author

Lennonka commented Nov 4, 2024

I've tried to incorporate your suggestions, @ekohl

@Lennonka Lennonka marked this pull request as ready for review November 4, 2024 21:03
@Lennonka Lennonka force-pushed the fix-command-cert-puppet-loadbalancer branch from 47d50b5 to 2323834 November 13, 2024 19:24
@Lennonka
Contributor Author

Incorporated Avital's suggestions.

Member

@ekohl ekohl left a comment


@evgeni IIRC you originally wrote this. Mind checking my suggestions on the "on X do Y" part?

* `/etc/puppetlabs/puppet/ssl/private_keys/_{smartproxy-example-com}_.pem`
* `/etc/puppetlabs/puppet/ssl/public_keys/_{smartproxy-example-com}_.pem`
* `/etc/puppetlabs/puppetserver/ca/signed/_{smartproxy-example-com}_.pem`
. Restart the Puppet server:
Member


Nit: technically I think you're correct, but to my mind using "restart" here and "start" in the command was inconsistent. I'll leave this up to the technical writers, but wonder if it should be

Suggested change
. Restart the Puppet server:
. Start the Puppet server again:
