Closed
Bug 784716
Opened 12 years ago
Closed 12 years ago
Document CA management in AWS
Categories
(Release Engineering :: General, defect, P2)
Tracking
(Not tracked)
RESOLVED FIXED
People
(Reporter: rail, Assigned: rail)
References
Details
(Whiteboard: [puppet][aws])
Attachments
(1 file)
6.15 KB, patch
dustin: review+
rail: checked-in+
No description provided.
Comment 1 • 12 years ago (assignee)
Almost 100% copy of the scripts used for releng puppetagain master.
Attachment #661856 -
Flags: review?(dustin)
Comment 2 • 12 years ago
Comment on attachment 661856 [details] [diff] [review]
CA scripts

Review of attachment 661856 [details] [diff] [review]:
-----------------------------------------------------------------

How are you handling creation of the master host certificates?

This looks good - commit with minor tweaks. Thanks for documenting this!

::: setup/ca-scripts/README
@@ +1,3 @@
> += Scripts used for puppet certificate generation =
> +
> +== Installation ==

A little explanation of what's going on here might help - you're generating a CA certificate which is then used to manually sign client certificates, right?

@@ +8,5 @@
> + mkdir /var/lib/puppet/ssl-master
> + cd /var/lib/puppet/ssl-master
> + mkdir -p ca/{private,certs} certdir client_certs/revoke
> + touch ca/inventory.txt
> + RANDOM=$$ printf "%X\n" $RANDOM > ca/serial

Why a random serial? This is usually just '1'. Is there a benefit to using RANDOM here?

@@ +19,5 @@
> + chmod 400
> +
> + openssl req -new -newkey rsa:2048 -keyout ca/ca_key.pem \
> + -days 3650 -x509 -out ca/ca_crt.pem \
> + -subj '/C=US/ST=California/L=San Francisco/O=Mozilla Corporation/OU=Releng/CN=ca.build.mozilla.org/emailAddress=release@mozilla.com'

As it turns out, you actually don't want slashes here, because puppet >= 2.7.18 chokes on them. I think you could get away with just a string here.

@@ +29,5 @@
> +== Usage ==
> +"generate-cert.sh $hostname $output_directory" will generate a certificate for
> +$hostname and put all needed files into $output_directory.
> +
> +== How to generatate force update CRL ==

Doesn't this happen automatically? I'm not sure what you mean by "generate force update" - that's three verbs in a row :)
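Review bot: the `RANDOM=$$ printf "%X\n" $RANDOM > ca/serial` line in the @@ +8,5 @@ hunk does not do what it looks like: the shell expands `$RANDOM` in the argument list before the temporary `RANDOM=$$` assignment is applied to the command, so the seeding has no effect and the serial is simply an unseeded random number. Since openssl reads the serial file as hex regardless of how it was written, `echo 01 > ca/serial` gives the same hex handling without the randomness, and a one-line note in the README that the file holds a hex value would make the intent clear.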
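Review bot: `chmod 400` in the @@ +19,5 @@ hunk has no file operand as shown, and it comes before the `openssl req` line that actually creates the key, so the command fails and the CA key is left with the default permissions; it should follow key generation and name the key (`chmod 400 ca/ca_key.pem`), or the key should be generated under `umask 077`. Also, `-keyout ca/ca_key.pem` writes the private key next to the certificate rather than into the `ca/private` directory the @@ +8,5 @@ hunk creates for it; either write the key to `ca/private/ca_key.pem` or drop the unused directory.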
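Review bot: the Usage section in the @@ +29,5 @@ hunk documents generate-cert.sh but says nothing about the `client_certs/revoke` directory created during setup or how a certificate placed there ends up in the CRL; a sentence on what to drop into that directory and which script picks it up would complete the revocation story that the CRL heading starts. "generatate" in that heading is also a typo for "generate".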
Attachment #661856 -
Flags: review?(dustin) → review+
Comment 3 • 12 years ago (assignee)
Comment on attachment 661856 [details] [diff] [review]
CA scripts

http://hg.mozilla.org/build/puppet/rev/f681ac33b2ea

(In reply to Dustin J. Mitchell [:dustin] from comment #2)
> How are you handling creation of the master host certificates?

They are generated by the same script. No difference between servers and agents.
http://hg.mozilla.org/build/cloud-tools/file/f78ed83ff199/aws/aws_create_instance.py#l68
vs
http://hg.mozilla.org/build/cloud-tools/file/f78ed83ff199/aws/aws_create_puppetmaster.py#l106

> A little explanation of what's going on here might help - you're generating
> a CA certificate which is then used to manually sign client certificates,
> right?

Yeah, I renamed the section below to "CA Setup" and added a brief explanation.

> Why a random serial? This is usually just '1'. Is there a benefit to using
> RANDOM here?

The main idea was using a hex value instead of decimal (which is the default). IIRC, in this case you can generate moar certificates! I dropped RANDOM and replaced it with:

echo "0x1" > ca/serial

> As it turns out, you actually don't want slashes here, because puppet >=
> 2.7.18 chokes on them. I think you could get away with just a string here.

Oooh... Does this mean that I should edit the existing CA cert and replace slashes with something else (commas?)?

> Doesn't this happen automatically? I'm not sure what you mean by "generate
> force update" - that's three verbs in a row :)

It happens automatically when $need_crl is set to true, which is not the case when you generate the first certificates (but you need the CRL file to make puppet masters work properly). I added the following check:

if [ ! -e "$crl" ]; then
    need_crl=true
fi
Attachment #661856 -
Flags: checked-in+
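As an added example (not the ca-scripts from the puppet repo), the README steps quoted in the review rewritten as POSIX shell with the review's points applied: a fixed hex serial instead of $RANDOM, the CA key kept under ca/private with mode 0400, and a CRL generated on first run when none exists yet, as in the need_crl check from comment 3. The CA root argument, the openssl.cnf contents and the subject string passed by the caller are constructed assumptions; openssl must be installed.

```shell
# Added example, not the puppet repo's own ca-scripts: a minimal CA bootstrap that
# follows the README steps quoted in the review with the review points applied:
# a fixed hex serial instead of $RANDOM, the CA key kept under ca/private with
# mode 0400, and a CRL generated on first run. Layout, config keys and subject are constructed.
set -eu

init_ca_layout() {   # $1 = CA root; directory layout from the README
    mkdir -p "$1/ca/private" "$1/ca/certs" "$1/certdir" "$1/client_certs/revoke"
    touch "$1/ca/inventory.txt"          # the openssl ca database (index file)
    # openssl reads the serial file as hex, so "01" is the conventional start
    [ -e "$1/ca/serial" ] || echo 01 > "$1/ca/serial"
    [ -e "$1/ca/crlnumber" ] || echo 01 > "$1/ca/crlnumber"
}

need_crl() {         # $1 = CRL path; true when it still has to be generated
    [ ! -e "$1" ]
}

write_openssl_cnf() {   # $1 = CA root; just enough config for req and ca -gencrl
    cat > "$1/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = releng_ca
[ releng_ca ]
dir = $1/ca
database = \$dir/inventory.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/ca_key.pem
certificate = \$dir/ca_crt.pem
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

make_ca() {          # $1 = CA root, $2 = subject in openssl's slash form
    write_openssl_cnf "$1"
    ( umask 077; openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
          -keyout "$1/ca/private/ca_key.pem" -out "$1/ca/ca_crt.pem" \
          -subj "$2" -config "$1/ca/openssl.cnf" >/dev/null 2>&1 )
    chmod 400 "$1/ca/private/ca_key.pem"
    # comment 3's fix: puppet masters need a CRL even before any revocation
    if need_crl "$1/ca/ca_crl.pem"; then
        openssl ca -gencrl -config "$1/ca/openssl.cnf" -out "$1/ca/ca_crl.pem" 2>/dev/null
    fi
}
```

Run `init_ca_layout /path/to/ssl-master` once, then `make_ca /path/to/ssl-master '/O=Example/CN=example-ca.invalid'`; a second run finds the CRL and skips regenerating it.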
Comment 4 • 12 years ago
I'm not sure what the restrictions on subject name are - I need to figure that out before submitting an updated patch upstream. Changing your existing CA would make all of the existing certs invalid, so that's probably no fun.
Comment 5 • 12 years ago (assignee)
OK, I'll keep that in mind.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6 • 11 years ago
BTW, it turns out OpenSSL requires the slashes. Puppet won't allow them, though. Fun.
Comment 7 • 11 years ago (assignee)
(In reply to Dustin J. Mitchell [:dustin] from comment #6)
> BTW, it turns out OpenSSL requires the slashes. Puppet won't allow them,
> though. Fun.

Sooooo great! :)
Updated • 11 years ago
Product: mozilla.org → Release Engineering