Page MenuHomeSoftware Heritage

D6802.id24662.diff
No OneTemporary

D6802.id24662.diff

diff --git a/sysadm/puppet/howto-renew-agent-certificate.rst b/sysadm/puppet/howto-renew-agent-certificate.rst
new file mode 100644
--- /dev/null
+++ b/sysadm/puppet/howto-renew-agent-certificate.rst
@@ -0,0 +1,77 @@
+.. _puppet_howto_renew_agent_certificate:
+
+How to renew an agent certificate
+=================================
+
+.. admonition:: Intended audience
+ :class: important
+
+ sysadm members
+
+
+Check the certificate expiration dates
+--------------------------------------
+
+On the puppet master (pergamon):
+
+::
+
+ root@pergamon:~# cd /var/lib/puppet/ssl/ca/signed
+ root@pergamon:/var/lib/puppet/ssl/ca/signed# openssl x509 -text -in worker01.softwareheritage.org.pem | grep -i 'not after'
+ Not After : Oct 29 18:37:49 2022 GMT
+
+Check the certificate statuses
+------------------------------
+
+On the puppet master (pergamon):
+
+::
+
+ root@pergamon:~# puppet cert --list --all
+ Warning: `puppet cert` is deprecated and will be removed in a future release.
+ (location: /usr/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
+ ...
+ + "worker3.internal.staging.swh.network" (SHA256) A5:0C:46:21:C9:C6:B2:...:10:D3:C4:24:90:55:1D:56
+ - "beaubourg.softwareheritage.org" (SHA256) 24:50:2E:7F:8B:B0:C7:...:D9:AB:5A:45:46:4D:17:51 (certificate has expired)
+ ...
+
+worker3 certificate is ok, beaubourg certificate is expired
+
+Renew an agent certificate
+--------------------------
+
+On the puppet master (pergamon):
+
+- Revoke and delete the old certificate
+
+::
+
+ root@pergamon:~# puppet cert clean beaubourg.softwareheritage.org
+ Warning: `puppet cert` is deprecated and will be removed in a future release.
+ (location: /usr/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
+ Notice: Revoked certificate with serial 49
+ Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/ca/signed/beaubourg.softwareheritage.org.pem'
+ Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/certs/beaubourg.softwareheritage.org.pem'
+
+On the agent (beaubourg for this example), delete the old certificate and generate a new one:
+
+::
+
+ root@beaubourg:~# rm -r /var/lib/puppet/ssl
+ root@beaubourg:/var/lib/puppet# puppet agent --test
+ Info: Creating a new SSL key for beaubourg.softwareheritage.org
+ Info: Caching certificate for ca
+ Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
+ Info: Creating a new SSL certificate request for beaubourg.softwareheritage.org
+ Info: Certificate Request fingerprint (SHA256): F5:C9:99:0B:...:62:E9:4F:1B
+ Info: Caching certificate for beaubourg.softwareheritage.org
+ Info: Caching certificate_revocation_list for ca
+ Info: Caching certificate for ca
+ Info: Using configured environment 'production'
+ Info: Retrieving pluginfacts
+ Info: Retrieving plugin
+ Info: Retrieving locales
+ Info: Loading facts
+ Info: Caching catalog for beaubourg.softwareheritage.org
+ Info: Applying configuration version '1638980028'
+ ...
diff --git a/sysadm/puppet/index.rst b/sysadm/puppet/index.rst
--- a/sysadm/puppet/index.rst
+++ b/sysadm/puppet/index.rst
@@ -9,5 +9,6 @@
howto-manage-third-party-modules
howto-test-changes-in-vagrant
howto-deploy-puppet-change
+ howto-renew-agent-certificate
reference-architecture
reference-best-practices

File Metadata

Mime Type
text/plain
Expires
Thu, Jul 3, 3:18 PM (6 d, 3 h ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3225696

Event Timeline