
Add a renew_cert subcommand to puppet ssl #363

Merged
bastelfreak merged 1 commit into main from puppet_ssl_renew
Mar 19, 2026

Conversation

jay7x (Contributor) commented Mar 8, 2026

TODO:

  • Add unit test
  • Test it in reality

@jay7x jay7x marked this pull request as draft March 8, 2026 11:40
@jay7x jay7x force-pushed the puppet_ssl_renew branch from 366cc38 to 6cad913 March 8, 2026 12:35
ekohl (Contributor) left a comment

I like the idea. Thoughts:

  • Should it be just puppet ssl renew?
  • Should it look at the expiration date and only renew if it's at X% towards its expiration?
  • If the above is implemented, should it have a --force option to force a renewal?

jay7x (Contributor, Author) commented Mar 8, 2026

  • Should it be just puppet ssl renew?

That was my original idea.. But then I decided to follow what we already have (download_cert e.g.). I'm fine to rename back.

  • Should it look at the expiration date and only renew if it's at X% towards its expiration?

Ideally, yes.

  • If the above is implemented, should it have a --force option to force a renewal?

There should be one more option then. It should be possible to say "please renew the certificate if it'll expire in this amount of days". Not sure how to call that.. --if-expiring-in-days? --expiry-days?

I'm not sure if having a "please renew the certificate if it's about X% expired" option is really useful. Usually people think in days.. This option exists in vaultbot IIRC, but I never used it. Any opinions?

@jay7x jay7x marked this pull request as ready for review March 10, 2026 15:37
@jay7x jay7x force-pushed the puppet_ssl_renew branch from e467b09 to 2654372 March 17, 2026 09:38
@jay7x jay7x changed the title Add a renew subcommand to puppet ssl Add a renew_cert subcommand to puppet ssl Mar 17, 2026
jay7x (Contributor, Author) commented Mar 17, 2026

Tested it against my puppetserver:

# puppet ssl submit_request --certname puppet2.example.com  --hostcert_renewal_interval 60d --waitforcert 0
Notice: Submitted certificate request for 'puppet2.example.com' to https://puppetca.tld:8140/puppet-ca/v1
Notice: Downloaded certificate 'puppet2.example.com' with fingerprint (SHA256) 67:A4:95:E9:2B:24:71:58:28:B5:D8:07:21:4C:2B:6B:2E:EA:11:52:22:CF:AE:9A:05:A5:2C:88:38:28:41:12
# puppet ssl renew_cert --certname puppet2.example.com
Notice: Downloaded certificate 'puppet2.example.com' with fingerprint (SHA256) 27:2A:89:FC:67:40:56:1A:C5:2B:5E:90:6C:37:68:D8:01:DE:DF:F8:FD:97:C4:66:A5:E2:EA:BF:41:42:19:97
# puppet ssl renew_cert --certname puppet2.example.com --if-expiring-in 30d
# puppet ssl renew_cert --certname puppet2.example.com --if-expiring-in 90d
Notice: Downloaded certificate 'puppet2.example.com' with fingerprint (SHA256) 1B:7D:21:62:41:67:8E:8C:37:F0:EC:EF:D0:0A:3C:E1:B3:A7:A5:6D:7C:16:90:EC:39:89:12:60:3D:39:7B:34
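
As an added illustration of the renewal threshold discussed in this thread (not code from this PR or from the puppet ssl implementation), the following Ruby decision function accepts either an --if-expiring-in style duration or a percentage of the certificate's lifetime, plus a force flag; the helper names, the duration grammar and the constructed self-signed certificate are assumptions.

```ruby
require 'openssl'

# Parse a Puppet-style duration such as "30d", "12h" or "90m" into seconds.
# Assumption: only the d/h/m/s suffixes are handled here.
def parse_duration(str)
  m = str.match(/\A(\d+)([dhms])\z/) or raise ArgumentError, "bad duration: #{str}"
  m[1].to_i * { 'd' => 86_400, 'h' => 3600, 'm' => 60, 's' => 1 }[m[2]]
end

# Decide whether a certificate should be renewed.
# threshold: a duration string ("30d") meaning "renew if it expires within this
# window", or a Numeric percentage of the lifetime already elapsed (e.g. 80).
# force: renew regardless of expiry (the --force idea from the review).
def renew_due?(cert, threshold, now: Time.now, force: false)
  return true if force
  return true if now >= cert.not_after # already expired: always renew
  if threshold.is_a?(Numeric)
    lifetime = cert.not_after - cert.not_before
    elapsed  = now - cert.not_before
    elapsed / lifetime * 100.0 >= threshold
  else
    cert.not_after - now <= parse_duration(threshold)
  end
end

# Constructed self-signed certificate with a 60-day lifetime, mirroring the
# --hostcert_renewal_interval 60d used in the test session above.
def sample_cert(issued_at, lifetime: '60d')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=puppet2.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = issued_at
  cert.not_after  = issued_at + parse_duration(lifetime)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if $PROGRAM_NAME == __FILE__
  cert = sample_cert(Time.now)
  puts "30d: #{renew_due?(cert, '30d')}" # false, 60 days remain
  puts "90d: #{renew_due?(cert, '90d')}" # true, expiry is inside the window
end
```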

@bastelfreak bastelfreak added the enhancement label Mar 19, 2026
@bastelfreak bastelfreak merged commit 2665666 into main Mar 19, 2026
15 checks passed
@bastelfreak bastelfreak deleted the puppet_ssl_renew branch March 19, 2026 10:13