
Error in the documentation for puppetserver #2619

Closed

gdelhumeau

The 'Persistence' paragraph was wrong.

The documentation said the CA certificates are stored in /etc/puppetlabs/puppetserver/ca, meanwhile it seems to be /etc/puppetlabs/puppet/ca, as I have discovered later.

I hope it helps,

Guillaume

The persistence paragraph was wrong.
@gdelhumeau gdelhumeau requested a review from a team as a code owner March 8, 2022 15:33
@CLAassistant

CLAassistant commented Mar 8, 2022

CLA assistant check
All committers have signed the CLA.

@Enygma2002

The SSLDIR=/etc/puppetlabs/puppet/ssl defined in https://github.com/puppetlabs/puppetserver/blob/a7008e7/docker/puppetserver/Dockerfile#L26 clearly does not match the one mentioned in the documentation.

@justinstoller
Member

Hi, thanks for the contribution! I think we moved the default CA location from /etc/puppetlabs/puppet/ssl/ca in Puppet 6 and earlier to /etc/puppetlabs/puppetserver/ca in Puppet 7. Existing CAs should still be in the same location, though new installs should be in the Puppet 7 location.

Unfortunately, Pupperware still needs to be updated to mount the new CA location in Puppet 7. See this work for that: puppetlabs/pupperware#272; once that is merged we would automigrate the old CAs to the new location with #2505.

Does that match up with what you've seen?

@Enygma2002

Enygma2002 commented Mar 9, 2022

@justinstoller This PR just fixes the documentation of the currently released docker image for puppet 7.x (the one we tried) that made it work for us.

The current docker image defines a default for the ENV variable SSLDIR to /etc/puppetlabs/puppet/ssl. That var is then used in the docker container entry point to initialize certificates if they don't exist:

    # Generate the same SSL directory that the PE installer creates.
    #
    # The steps in this file correspond to the steps in the PE installer.
    #
    # See https://github.com/puppetlabs/puppet-enterprise-modules/blob/kearney/modules/pe_install/manifests/prepare/certificates.pp
    if [ ! -d "$SSLDIR" ] || [ ! "$(ls -A "$SSLDIR")" ]; then
        # Append user-supplied DNS Alt Names
        if [ -n "$DNS_ALT_NAMES" ]; then
            current="$(puppet config print --section main dns_alt_names)"
            # shell parameter expansion to remove trailing comma if there is one
            updated="${DNS_ALT_NAMES%,}"
            if [ -n "$current" ]; then updated="$current","$updated"; fi
            puppet config set --section main dns_alt_names "$updated"
        fi
        timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
        ca_name="Puppet Enterprise CA generated on ${HOSTNAME} at $timestamp"
        # See puppet.conf file for relevant settings
        puppetserver ca setup \
            --ca-name "$ca_name" \
            --config /etc/puppetlabs/puppet/puppet.conf
    fi

When trying to use the current docker image, if we go by the documentation and map a volume with existing certificates (from a previous installation) to /etc/puppetlabs/puppetserver/ca, puppet would still try to initialize fresh CA certificates but fail and complain that some already exist. When we tried to mount /etc/puppetlabs/puppetserver/ca with empty content, puppet initialized fresh certificates in it successfully, but after a restart (when the folder now had certificates in it), puppet would again refuse to initialize, complaining that the certificates already existed.

So we were unable to use the docker image unless we mounted /etc/puppetlabs/puppet/ssl with our existing certificates.

I'm not really up to date with Puppet's developments or plans for changing locations, we're just currently documenting what we have experienced with the current image. If the plan is to change the default location (i.e. default value of SSLDIR), then sure, but until then, IMO, the documentation of the image should be synchronized with its behavior.

Perhaps another approach would be to consider that the entry point script that causes the CA generation (linked above) should use a secondary ENV variable (e.g. SSLDIRNEW) that would check the new location (introduced in puppet 6.x and 7.x, as you say), so that both old and new SSL locations are supported and the "certificates already exist" error is avoided at restart time by not trying to generate new CAs when certificates are already present inside /etc/puppetlabs/puppetserver/ca.
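The failure mode described in this comment is a guard that only inspects SSLDIR, so a CA mounted at the Puppet 7 path is invisible to it and "puppetserver ca setup" runs again on every restart. The sketch below is an added example, not the puppetserver project's entrypoint: it checks both the legacy and the Puppet 7 directory before deciding that CA generation is needed, and only prints the decision instead of running any puppet command. The function names (ca_dir_populated, ca_setup_needed, plan_ca_setup, demo) and the marker file name used in the demo are this example's own; the two default paths are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example (not the project's code): decide whether a fresh CA should be
# generated by checking BOTH the legacy SSLDIR and the Puppet 7 CA directory,
# so that a restart with an already-populated CA volume does not re-run
# "puppetserver ca setup" and hit the "certificates already exist" error.

# Exit 0 if the directory exists and contains at least one entry
# (same "ls -A" test the entrypoint quoted above uses for SSLDIR).
ca_dir_populated() {
    dir="$1"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Exit 0 (setup needed) only when NEITHER location holds CA material.
# $1: legacy SSL dir, $2: Puppet 7 CA dir; defaults are the paths from the thread.
ca_setup_needed() {
    legacy="${1:-/etc/puppetlabs/puppet/ssl}"
    current="${2:-/etc/puppetlabs/puppetserver/ca}"
    if ca_dir_populated "$legacy" || ca_dir_populated "$current"; then
        return 1
    fi
    return 0
}

# Print the action an entrypoint would take; touches nothing on the real system.
plan_ca_setup() {
    if ca_setup_needed "$1" "$2"; then
        echo "generate"
    else
        echo "reuse"
    fi
}

# Self-contained demo using constructed temp directories instead of /etc paths.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/ssl" "$tmp/ca"
    echo "fresh container:  $(plan_ca_setup "$tmp/ssl" "$tmp/ca")"   # generate
    touch "$tmp/ca/ca_crt.pem"   # constructed marker standing in for a real CA cert
    echo "after a restart:  $(plan_ca_setup "$tmp/ssl" "$tmp/ca")"   # reuse
    rm -rf "$tmp"
}

demo
```

The only behavioural change relative to the quoted entrypoint is the second directory in the condition; wiring it in as a second environment variable, as the comment above proposes, would let operators keep either mount layout without the script generating a CA over the top of an existing one.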

@jonathannewman
Contributor

The docker configuration is no longer relevant. Closing.

5 participants