Problem with puppet CA and elasticsearch.keystore #1225

Open
sandwitch opened this issue May 30, 2024 · 0 comments
sandwitch commented May 30, 2024

Hi

In all our greatness, we decided to use our puppet CA infrastructure for elasticsearch, which is working rather well. However, the part where java_ks is called for adding the CA to the keystore for elasticsearch keeps being executed. We ran an evaltrace and found that the following code is being executed:

/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Starting to evaluate the resource (968 of 1840)
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -delete -alias elasticsearch_ca -keystore /etc/elasticsearch/elasticsearch.ks'
Executing: 'keytool -importcert -noprompt -alias elasticsearch_ca -file /etc/elasticsearch/certs/ca.pem -keystore /etc/elasticsearch/elasticsearch.ks -trustcacerts'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]/ensure: ensure changed 'present' to 'latest' (corrective)
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: The container Class[Elasticsearch::Config] will propagate my refresh event

Expected was:

/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Starting to evaluate the resource (949 of 1839)
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Evaluated in 1.47 seconds

We don't know what the exact check is between these outcomes, but we suspected that there was a field with the sha256sum.
Since the 'new' puppet CA environment uses a root and intermediate certificate, we suspected this field gets overwritten.
So we added the intermediate by hand to the keystore and removed it from the copy of the original puppet CA.

The effect is that the resource Java_ks[elasticsearch_ca] stays the same.

We were wondering if we are on track here, or if one of you has a better suggestion to deal with this issue.

Code we used:

include elasticsearch
include java

# Directory that holds the node certificate, key and CA copied out of the Puppet SSL dir.
file { '/etc/elasticsearch/certs':
  ensure => directory,
  owner  => 'root',
  group  => 'elasticsearch',
  mode   => '0750',
}

# Node certificate signed by the Puppet CA.
file { "/etc/elasticsearch/certs/${facts['networking']['fqdn']}.crt":
  ensure  => file,
  source  => "/etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem",
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}

# Node private key; group-readable for the elasticsearch service user only.
file { "/etc/elasticsearch/certs/${facts['networking']['fqdn']}.key":
  ensure  => file,
  source  => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}

# Copy of the Puppet CA bundle (root + intermediate) that java_ks imports as 'elasticsearch_ca'.
file { '/etc/elasticsearch/certs/ca.pem':
  ensure  => file,
  source  => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}
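The issue above boils down to one file (ca.pem) holding two certificates while a trusted-certificate alias in a JKS keystore holds one, so a fingerprint-based "is the alias up to date?" check can never see both. The following script, an added example that is not part of the issue, of the puppet-elasticsearch module or of the java_ks provider, splits a PEM bundle into its certificates, computes each one's SHA-256 fingerprint in the colon-separated form keytool prints, pulls the SHA256 line out of `keytool -list -v` output and reports whether the alias matches the first certificate, any certificate, or none. It assumes, as the reporter suspects, that the comparison is by fingerprint, and that keytool stores only the first certificate of a bundle under a trusted-cert alias; both are stated as assumptions in the code. The certificate bodies and the keytool output are constructed stand-ins (the bodies are base64 of short strings, not real DER), which is enough because only the decoded bytes are hashed.

```python
"""Diagnose a java_ks-style fingerprint mismatch between a CA bundle and a keystore alias.

Added example, not code from puppet-elasticsearch or the java_ks provider.
Assumptions (not confirmed by the issue): the alias is judged 'latest' by
comparing certificate fingerprints, and 'keytool -importcert' on a bundle keeps
only the first certificate under a trusted-certificate alias.
"""
from __future__ import annotations

import base64
import hashlib
import re
from typing import Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for /etc/elasticsearch/certs/ca.pem after the move to a
# root + intermediate Puppet CA. Bodies are base64 of 'root-ca' and
# 'intermediate-ca', not real DER certificates.
CA_BUNDLE = """\
-----BEGIN CERTIFICATE-----
cm9vdC1jYQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLWNh
-----END CERTIFICATE-----
"""


def split_pem_bundle(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def keytool_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint formatted the way keytool prints it: AA:BB:...:FF (32 octets)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(pem_text: str) -> list[str]:
    """Fingerprints of all certificates in the file, i.e. what '-printcert' would list."""
    return [keytool_fingerprint(der) for der in split_pem_bundle(pem_text)]


def parse_keytool_list_fingerprint(keytool_output: str) -> Optional[str]:
    """Extract the SHA256 fingerprint line from 'keytool -list -v ... -alias X' output."""
    m = re.search(r"^\s*SHA256:\s*([0-9A-F:]+)\s*$", keytool_output, re.MULTILINE)
    return m.group(1) if m else None


def alias_matches_file(keystore_fp: str, pem_text: str) -> dict:
    """Explain how the single certificate behind an alias relates to a PEM file.

    'file_is_bundle' is the condition under which a one-alias-vs-one-file
    comparison can never be fully in sync (assumption stated at the top).
    """
    fps = bundle_fingerprints(pem_text)
    return {
        "certs_in_file": len(fps),
        "matches_first": bool(fps) and fps[0] == keystore_fp,
        "in_file": keystore_fp in fps,
        "file_is_bundle": len(fps) > 1,
    }


# Constructed approximation of 'keytool -list -v -keystore elasticsearch.ks
# -alias elasticsearch_ca' for a keystore holding only the bundle's first cert.
KEYTOOL_LIST_OUTPUT = f"""\
Alias name: elasticsearch_ca
Entry type: trustedCertEntry

Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: {bundle_fingerprints(CA_BUNDLE)[0]}
"""


def diagnose(keytool_output: str, pem_text: str) -> str:
    """One-line verdict a practitioner can act on."""
    fp = parse_keytool_list_fingerprint(keytool_output)
    if fp is None:
        return "alias not found or no SHA256 line in keytool output"
    r = alias_matches_file(fp, pem_text)
    if not r["in_file"]:
        return "alias certificate is not in the file: re-import is justified"
    if r["file_is_bundle"]:
        return (f"file holds {r['certs_in_file']} certificates but the alias holds one "
                "(matches first: %s): split the bundle, one alias per certificate"
                % r["matches_first"])
    return "alias and file agree"


if __name__ == "__main__":
    for i, fp in enumerate(bundle_fingerprints(CA_BUNDLE)):
        print(f"cert {i}: SHA256 {fp}")
    print(diagnose(KEYTOOL_LIST_OUTPUT, CA_BUNDLE))
```

Run against a real node, replace `CA_BUNDLE` with the contents of ca.pem and `KEYTOOL_LIST_OUTPUT` with the actual `keytool -list -v` output; if the verdict is the bundle case, the one-alias-per-certificate workaround described in the issue is the expected fix, and the root and intermediate should each be imported under their own alias.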