Closed Bug 784716 Opened 12 years ago Closed 12 years ago

Document CA management in AWS

Categories

(Release Engineering :: General, defect, P2)

x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rail, Assigned: rail)

References

Details

(Whiteboard: [puppet][aws])

Attachments

(1 file)

      No description provided.
Attached patch: CA scripts
Almost 100% copy of the scripts used for releng puppetagain master.
Attachment #661856 - Flags: review?(dustin)
Comment on attachment 661856 [details] [diff] [review]
CA scripts

Review of attachment 661856 [details] [diff] [review]:
-----------------------------------------------------------------

How are you handling creation of the master host certificates?

This looks good - commit with minor tweaks.  Thanks for documenting this!

::: setup/ca-scripts/README
@@ +1,3 @@
> += Scripts used for puppet certificate generation =
> +
> +== Installation ==

A little explanation of what's going on here might help - you're generating a CA certificate which is then used to manually sign client certificates, right?

@@ +8,5 @@
> + mkdir /var/lib/puppet/ssl-master
> + cd /var/lib/puppet/ssl-master
> + mkdir -p ca/{private,certs} certdir client_certs/revoke
> + touch ca/inventory.txt
> + RANDOM=$$ printf "%X\n" $RANDOM > ca/serial
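Review bot: the serial line `RANDOM=$$ printf "%X\n" $RANDOM > ca/serial` does not do what it looks like. `$RANDOM` in the argument list is expanded before the temporary `RANDOM=$$` assignment takes effect for the command, so the seeding never applies, and `%X` of a value between 0 and 32767 can produce an odd number of hex digits, which the OpenSSL serial-file format rejects (it expects one line with an even number of hex digits). Either `printf "%04X\n"` or a fixed `echo 01` avoids both. Separately, `mkdir -p ca/{private,certs}` creates the private directory with the default umask; create it with `mkdir -m 700` (or `chmod 700 ca/private` right after) so the directory intended for the CA key is not group- or world-readable.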

Why a random serial?  This is usually just '1'.  Is there a benefit to using RANDOM here?

@@ +19,5 @@
> +  chmod 400
> +
> + openssl req  -new -newkey rsa:2048 -keyout ca/ca_key.pem \
> +   -days 3650 -x509 -out ca/ca_crt.pem \
> +   -subj '/C=US/ST=California/L=San Francisco/O=Mozilla Corporation/OU=Releng/CN=ca.build.mozilla.org/emailAddress=release@mozilla.com'
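Review bot: the CA key is written to `ca/ca_key.pem` even though the earlier `mkdir` creates `ca/private` for it; use `-keyout ca/private/ca_key.pem` so `ca/` (certs, serial, inventory) can be listed or copied without exposing the key. The `chmod 400` at the top of this hunk has no file operand visible in the diff; confirm it actually targets the key file. Also, `openssl req -newkey` without `-nodes` prompts for a passphrase and encrypts the key: the README should state whether the CA key is meant to be passphrase-protected and where that passphrase lives, since every signing run and every CRL update will need it. A ten-year (`-days 3650`) self-signed CA is reasonable for a private puppet CA, but say how rollover is handled when it expires.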

As it turns out, you actually don't want slashes here, because puppet >= 2.7.18 chokes on them.  I think you could get away with just a string here.

@@ +29,5 @@
> +== Usage ==
> +"generate-cert.sh $hostname $output_directory" will generate a certificate for
> +$hostname and put all needed files into $output_directory.
> +
> +== How to generatate force update CRL ==
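Review bot: the heading `== How to generatate force update CRL ==` has a typo ("generate") and is ambiguous; `== How to generate or force an update of the CRL ==` reads clearly. The Usage section should also name the files `generate-cert.sh` puts in `$output_directory` rather than saying "all needed files", and where they go on the target host, since that is what someone provisioning a machine needs to know.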

Doesn't this happen automatically?  I'm not sure what you mean by "generate force update" - that's three verbs in a row :)
Attachment #661856 - Flags: review?(dustin) → review+
Comment on attachment 661856 [details] [diff] [review]
CA scripts

http://hg.mozilla.org/build/puppet/rev/f681ac33b2ea

(In reply to Dustin J. Mitchell [:dustin] from comment #2)
> How are you handling creation of the master host certificates?

They are generated by the same script. No difference between servers and agents.

http://hg.mozilla.org/build/cloud-tools/file/f78ed83ff199/aws/aws_create_instance.py#l68
vs
http://hg.mozilla.org/build/cloud-tools/file/f78ed83ff199/aws/aws_create_puppetmaster.py#l106

 
> A little explanation of what's going on here might help - you're generating
> a CA certificate which is then used to manually sign client certificates,
> right?

Yeah, I renamed the section below to "CA Setup" and added a brief explanation.

> Why a random serial?  This is usually just '1'.  Is there a benefit to using
> RANDOM here?

The main idea was using a hex value instead of decimal (which is default). IIRC, in this case you can generate moar certificates! I dropped RANDOM and replaced it with:

 echo "0x1" > ca/serial
 
> As it turns out, you actually don't want slashes here, because puppet >=
> 2.7.18 chokes on them.  I think you could get away with just a string here.


Oooh... Does this mean that I should edit the existing CA cert and replace slashes with something else (commas?)?

> Doesn't this happen automatically?  I'm not sure what you mean by "generate
> force update" - that's three verbs in a row :)

It happens automatically when $need_crl is set to true, which is not the case when you generate the first certificates (but you need the CRL file to make puppet masters work properly). I added the following check:

if [ ! -e "$crl" ]; then
    need_crl=true
fi
Attachment #661856 - Flags: checked-in+
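The CA flow the README in this patch describes (directory layout, serial file, self-signed CA, a per-host certificate signed by it, and a CRL that is created when missing and forced after a revocation), written out as an added, stand-alone example. It is not the attached scripts and not code from the puppet or cloud-tools repositories: the openssl configuration, the `mini_ca_*` function names, the example subject and the hostnames are assumptions made for this illustration; the directory names follow the README.

```shell
#!/bin/sh
# Added example (not the bug's attachment): the README's CA flow, end to end.
# Layout (ca/{private,certs}, certdir, client_certs/revoke, inventory.txt,
# serial) follows the README; the config, names and hostnames are assumed.
set -eu

mini_ca_setup() {   # $1 = work dir; builds the CA directory and the self-signed CA
    dir="$1"
    mkdir -p "$dir/ca/private" "$dir/ca/certs" "$dir/certdir" "$dir/client_certs/revoke"
    chmod 700 "$dir/ca/private"       # only the CA operator reads the key directory
    : > "$dir/ca/inventory.txt"       # 'openssl ca' database of issued certs
    echo "01" > "$dir/ca/serial"      # hex with an even number of digits (OpenSSL rule)
    echo "01" > "$dir/ca/crlnumber"
    cat > "$dir/ca/openssl.cnf" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
database         = $dir/ca/inventory.txt
new_certs_dir    = $dir/ca/certs
certificate      = $dir/ca/ca_crt.pem
private_key      = $dir/ca/private/ca_key.pem
serial           = $dir/ca/serial
crlnumber        = $dir/ca/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = host_policy
x509_extensions  = v3_host
[ host_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # -subj takes OpenSSL's slash-delimited DN; -nodes keeps the run
    # non-interactive (a production CA key would normally be passphrase-protected).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca/private/ca_key.pem" \
        -days 3650 -x509 -sha256 -config "$dir/ca/openssl.cnf" \
        -subj '/O=Example Releng/CN=ca.example.invalid' \
        -out "$dir/ca/ca_crt.pem" >/dev/null 2>&1
    chmod 400 "$dir/ca/private/ca_key.pem"
}

mini_ca_issue() {   # $1 = work dir, $2 = hostname; key, CSR, cert and CA cert land in certdir/$2
    dir="$1"; host="$2"; out="$dir/certdir/$host"
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$host.key" \
        -config "$dir/ca/openssl.cnf" -subj "/CN=$host" -out "$out/$host.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$dir/ca/openssl.cnf" \
        -in "$out/$host.csr" -out "$out/$host.pem" >/dev/null 2>&1
    cp "$dir/ca/ca_crt.pem" "$out/ca.pem"
}

mini_ca_crl() {     # $1 = work dir, $2 = "true" to force; a missing CRL is always generated
    dir="$1"; crl="$dir/ca/ca_crl.pem"; need_crl="${2:-false}"
    if [ ! -e "$crl" ]; then need_crl=true; fi   # first run: masters need the CRL file
    if [ "$need_crl" = true ]; then
        openssl ca -gencrl -config "$dir/ca/openssl.cnf" -out "$crl" >/dev/null 2>&1
    fi
}

mini_ca_revoke() {  # $1 = work dir, $2 = hostname; marks the cert revoked and refreshes the CRL
    dir="$1"; host="$2"
    openssl ca -config "$dir/ca/openssl.cnf" -revoke "$dir/certdir/$host/$host.pem" >/dev/null 2>&1
    cp "$dir/certdir/$host/$host.pem" "$dir/client_certs/revoke/$host.pem"  # assumed use of the revoke dir
    mini_ca_crl "$dir" true
}

mini_ca_verify() {  # $1 = work dir, $2 = hostname; prints "ok", or "rejected" on any verify failure
    dir="$1"; host="$2"
    if openssl verify -crl_check -CAfile "$dir/ca/ca_crt.pem" -CRLfile "$dir/ca/ca_crl.pem" \
           "$dir/certdir/$host/$host.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

mini_ca_demo() {    # end-to-end run in a temp dir; prints "ok rejected"
    work=$(mktemp -d)
    mini_ca_setup "$work"
    mini_ca_issue "$work" host1.example.invalid
    mini_ca_crl "$work"                             # no CRL yet, so one is created
    before=$(mini_ca_verify "$work" host1.example.invalid)
    mini_ca_revoke "$work" host1.example.invalid    # revocation forces a new CRL
    after=$(mini_ca_verify "$work" host1.example.invalid)
    rm -rf "$work"
    echo "$before $after"
}
```

The serial is seeded as `01` rather than a random `%X` value because OpenSSL reads the file as hex and expects an even number of digits. `mini_ca_crl` carries the same `if [ ! -e "$crl" ]` rule as the reply above: the first run produces an empty CRL so a master has a file to load, and a revocation forces a refresh; `openssl verify -crl_check` then rejects the revoked host certificate against the regenerated CRL.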
I'm not sure what the restrictions on subject name are - I need to figure that out before submitting an updated patch upstream.  Changing your existing CA would make all of the existing certs invalid, so that's probably no fun.
OK, I'll keep that in mind.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
BTW, it turns out OpenSSL requires the slashes.  Puppet won't allow them, though.  Fun.
(In reply to Dustin J. Mitchell [:dustin] from comment #6)
> BTW, it turns out OpenSSL requires the slashes.  Puppet won't allow them,
> though.  Fun.

Sooooo great! :)
Product: mozilla.org → Release Engineering
