At any rate, yes, that running "yum update puppetserver" followed by "yum
downgrade puppetserver-2.4.0-1.el7" without any other precautions may hose
the CRL seems like it deserves mention.

On Thu, Aug 18, 2016 at 2:08 PM, Jeremy Barlow <jeremy.bar...@puppet.com>
wrote:

>
> On Thursday, August 18, 2016 at 9:53:37 AM UTC-7, Ben West wrote:
>>
>> The configuration for running Open Source puppetserver with an external
>> CA changed in v2.4 -> v2.5, explained in more detail here:
>> https://docs.puppet.com/puppetserver/latest/bootstrap_upgrade_notes.html#cacfg
>>
>> If you happen to run yum upgrade (presumably similar results with apt-get
>> update), the package's upgrade process for v2.4 -> v2.5 will actually
>> delete any existing copy of /etc/puppetlabs/puppetserver/bootstrap.cfg.
>> Which is reasonable.
>>
>
> If you have made modifications to the bootstrap.cfg file before the
> upgrade, I think (at least on systems which use yum) that the upgrade will
> additionally store a backup copy of the file to
> /etc/puppetlabs/puppetserver/bootstrap.cfg.rpmsave.
>
>
>>
>> HOWEVER, if you try to downgrade puppetserver to roll back, e.g. "yum
>> downgrade puppetserver-2.4.0-1.el7," the package downgrade process will
>> overwrite /etc/puppetlabs/puppet/ssl/crl.pem and break your
>> Puppetserver's SSL. Which isn't particularly reasonable.
>>
>>
> I don't think it's the "yum downgrade" itself which does this.  The
> puppetserver service, when running in a standard (non-external CA) setup
> has logic in it which, at startup, will try to copy over the file
> configured for the hostcrl
> <https://docs.puppet.com/puppet/latest/reference/configuration.html#hostcrl>
> setting with the file configured for the cacrl
> <https://docs.puppet.com/puppet/latest/reference/configuration.html#cacrl>
> setting.  It does this to ensure that the CRL file used by puppetserver's
> web server reflects the latest updates that may have been done to the
> cacrl file since the last startup.  This file synchronization does not
> occur in the "external CA" configuration, though, since the cacrl file is
> not used in that case.  My guess is that after downgrade, the original
> bootstrap.cfg file from the puppetserver-2.4.0 package was reinstalled,
> re-enabling the standard CA service and, therefore, the CRL file
> synchronization logic.
>
> I think you might have been able to avoid having the CRL file overwritten
> if you had copied the file at 
> /etc/puppetlabs/puppetserver/bootstrap.cfg.rpmsave
> back to /etc/puppetlabs/puppetserver/bootstrap.cfg before the downgrade.
> In that case, I think the disabled CA service would continue to be used
> when the puppetserver-2.4.0 service had been restarted.  Does that make
> sense?
>
>
>
>> Options for fixing are A) restore crl.pem from backup, B) restore crl.pem
>> from the CA's ca_crl.pem file (if it is also a puppetserver), or C) to
>> regenerate all of your puppet SSL certs.
>>
>> Possible to add mention this downgrade pitfall in the Puppetserver v2.5.0
>> release notes?
>> https://docs.puppet.com/puppetserver/2.5/release_notes.html
>>
>
> Yeah, I think we could add some more detail to the release notes about
> this case.  I definitely think the best way to manage through these issues
> is to ensure that the disabled (external) CA service continues to be used
> before upgrade, after upgrade, and (if applicable) after downgrade.  The
> release notes do try to cover the best way to prepare for keeping the
> disabled CA service in place on upgrade - putting the ca.cfg file in place,
> as you mentioned.  Maybe a little more detail on the same for a downgrade
> could be helpful.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/puppet-users/2eHcuhJejKA/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/83160dc2-453f-4b76-b8ef-5384687f8a51%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Ben West
m...@benwest.name
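The precaution Jeremy suggests (put the .rpmsave copy of bootstrap.cfg back before the downgrade) and Ben's option A (restore crl.pem from a backup), written up as POSIX sh functions. This is an added example, not code from the thread or from Puppet. It assumes the paths named in the thread (/etc/puppetlabs/puppetserver and /etc/puppetlabs/puppet/ssl) and that bootstrap.cfg.rpmsave is the pre-upgrade, external-CA copy as described above; the function names and the backup directory are my own, and every path is a parameter so the functions can be exercised against a scratch directory rather than a live server.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): take a copy of crl.pem and
# put the saved external-CA bootstrap.cfg back in place before a puppetserver
# downgrade, then check whether the CRL survived the restart.
# Defaults are the paths named in the thread; both can be overridden.
PUPPETSERVER_CONF=${PUPPETSERVER_CONF:-/etc/puppetlabs/puppetserver}
PUPPET_SSL=${PUPPET_SSL:-/etc/puppetlabs/puppet/ssl}

# preserve_bootstrap_cfg CONF_DIR
# Restore bootstrap.cfg from the bootstrap.cfg.rpmsave that the 2.5 package
# upgrade leaves behind, so the external-CA (disabled CA service) configuration
# is what the downgraded package and its restart find. Returns 1 if there is
# no saved copy to restore.
preserve_bootstrap_cfg() {
    conf_dir=$1
    if [ ! -f "$conf_dir/bootstrap.cfg.rpmsave" ]; then
        echo "no bootstrap.cfg.rpmsave in $conf_dir; nothing to restore" >&2
        return 1
    fi
    cp -p "$conf_dir/bootstrap.cfg.rpmsave" "$conf_dir/bootstrap.cfg"
}

# snapshot_crl SSL_DIR BACKUP_DIR
# Copy crl.pem aside before touching packages, so option A (restore from
# backup) is always available. Returns 1 if there is no crl.pem to save.
snapshot_crl() {
    ssl_dir=$1
    backup_dir=$2
    [ -f "$ssl_dir/crl.pem" ] || return 1
    mkdir -p "$backup_dir"
    cp -p "$ssl_dir/crl.pem" "$backup_dir/crl.pem"
}

# crl_unchanged SSL_DIR BACKUP_DIR
# Exit 0 if the live crl.pem is byte-identical to the snapshot, 1 otherwise.
crl_unchanged() {
    cmp -s "$1/crl.pem" "$2/crl.pem"
}

# restore_crl SSL_DIR BACKUP_DIR
# Put the snapshot back if the downgrade and restart replaced crl.pem.
restore_crl() {
    cp -p "$2/crl.pem" "$1/crl.pem"
}

# Usage on a real host, as root (the yum line is the one from the thread;
# the backup directory is an arbitrary choice):
#   snapshot_crl "$PUPPET_SSL" /root/puppet-ssl-backup
#   preserve_bootstrap_cfg "$PUPPETSERVER_CONF"
#   yum downgrade puppetserver-2.4.0-1.el7
#   systemctl restart puppetserver
#   crl_unchanged "$PUPPET_SSL" /root/puppet-ssl-backup \
#       || restore_crl "$PUPPET_SSL" /root/puppet-ssl-backup
```

The crl_unchanged check after the restart is the part worth keeping even if you trust the .rpmsave trick: it tells you immediately whether the startup CRL synchronization Jeremy describes ran, before agents start failing TLS handshakes against a CRL they do not recognize.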
