Merge pull request OpenVoxProject#222 from miharp/fix/replace-puppet-cert-with-puppet-ssl

Replace deprecated puppet cert with puppetserver ca and puppet ssl

Author: miharp

docs/_openvox_8x/config_file_oid_map.md

@@ -5,7 +5,6 @@ title: "Config files: custom_trusted_oid_mapping.yaml"
 
 [extensions]: ./ssl_attributes_extensions.html
 [mapping_setting]: ./configuration.html#trustedoidmappingfile
-[pup-4617]: https://tickets.puppetlabs.com/browse/PUP-4617
 [csr_attributes]: ./config_file_csr_attributes.html
 [trusted]: ./lang_facts_and_builtin_vars.html#trusted-facts
 [registered]: ./ssl_attributes_extensions.html#puppet-specific-registered-ids
@@ -33,7 +32,6 @@ For more info, see:
 Mapping OIDs in this file _only_ affects the keys in the `$trusted[extensions]` hash. It does not affect:
 
 * What an agent can request in its `csr_attributes.yaml` file --- anything but Puppet-specific registered extensions must still be numerical OIDs.
-* What you see when you run `puppet cert print` --- mapped extensions will still be displayed as numerical OIDs. (Improving cert display is planned as [PUP-4617][].)
 
 ## Location
 

docs/_openvox_8x/config_important_settings.markdown

@@ -148,8 +148,8 @@ These settings should usually go in `[master]`. However, if you're using Puppet
 
 * [`dns_alt_names`][dns_alt_names] --- A list of hostnames the server is allowed to use when acting as a Puppet master. The hostname your agents use in their `server` setting **must** be included in either this setting or the master's `certname` setting. Note that this setting is only used when initially generating the Puppet master's certificate --- if you need to change the DNS names, you must:
     1. Turn off the Puppet server service (or your Rack server).
-    2. Run `sudo puppet cert clean <MASTER'S CERTNAME>`.
-    3. Run `sudo puppet cert generate <MASTER'S CERTNAME> --dns_alt_names <ALT NAME 1>,<ALT NAME 2>,...`.
+    2. Run `sudo puppetserver ca clean --certname <SERVER'S CERTNAME>`.
+    3. Run `sudo puppetserver ca generate --certname <SERVER'S CERTNAME> --subject-alt-names <ALT NAME 1>,<ALT NAME 2>,...`.
     4. Re-start the Puppet server service.
 * [`environment_timeout`][environment_timeout] --- For better performance, you can set this to `unlimited` and make refreshing the Puppet master a part of your standard code deployment process. See [the timeout section of the Configuring Environments page][configuring_timeout] for more details.
 * [`environmentpath`][environmentpath] --- Controls where Puppet finds directory environments. See [the page on directory environments][environments] for details.

docs/_openvox_8x/config_print.markdown

@@ -51,7 +51,7 @@ This will show `name = value` pairs for all settings.
 The `--section` option specifies which [section of puppet.conf][config_sections] to use when finding settings. It is optional, and defaults to `main`. Valid sections are:
 
 * `main` **(default)** --- used by all commands and services
-* `master` --- used by the Puppet master service and the `puppet cert` command
+* `master` --- used by the Puppet master service
 * `agent` --- used by the Puppet agent service
 * `user` --- used by the Puppet apply command and most other commands
 
@@ -66,10 +66,10 @@ Note that you can only specify environments that already exist.
 This option is generally only useful when looking up settings used by the Puppet master service, since it's rare to use environment config sections for Puppet apply and Puppet agent.
 
 
-Imitating Puppet Master and Puppet Cert
+Imitating Puppet Master
 -----
 
-To see the settings the Puppet master service and the Puppet cert command would use:
+To see the settings the Puppet master service would use:
 
 * Specify `--section master`.
 * Use the `--environment` option to specify the environment you want settings for, or let it default to `production`.

docs/_openvox_8x/config_set.markdown

@@ -34,7 +34,7 @@ This will declaratively set the value of `<SETTING NAME>` to `<VALUE>` (in the s
 The `--section` option specifies which [section of puppet.conf][config_sections] to modify. It is optional, and defaults to `main`. Valid sections are:
 
 * `main` **(default)** --- used by all commands and services
-* `master` --- used by the Puppet master service and the `puppet cert` command
+* `master` --- used by the Puppet master service
 * `agent` --- used by the Puppet agent service
 * `user` --- used by the Puppet apply command and most other commands
 

docs/_openvox_8x/dirs_confdir.markdown

@@ -18,16 +18,23 @@ Puppet's confdir can be found at one of the following locations:
 
 When Puppet is running as either root, a Windows user with administrator privileges, or the `puppet` user, it will use a system-wide confdir. When running as a non-root user, it will use a confdir in that user's home directory.
 
-The system confdir is what you usually want to use, since you will usually run Puppet's commands and services as root or `puppet`. (Note that admin commands like `puppet cert` must be run with `sudo` to use the same confdir as Puppet agent or Puppet master.)
+The system confdir is what you usually want to use, since you will usually run Puppet's commands and
+services as root or `puppet`. (Note that admin commands like `puppetserver ca` must be run with `sudo`
+to use the same confdir as Puppet agent or Puppet master.)
 
 > **Note:** When Puppet master is running as a Rack application, the `config.ru` file must explicitly set `--confdir` to the system confdir. The example `config.ru` file provided with the Puppet source does this.
 
 {:.section}
 ### Configuration
 
-Puppet's confdir can be specified on the command line with the `--confdir` option, but it can't be set via puppet.conf. (This is because it needs the `confdir` to even find the config file.) If `--confdir` isn't specified when a Puppet application is started, it will always use the default confdir location.
+Puppet's confdir can be specified on the command line with the `--confdir` option, but it can't be set
+via puppet.conf. (This is because it needs the `confdir` to even find the config file.) If `--confdir`
+isn't specified when a Puppet application is started, it will always use the default confdir location.
 
-Puppet Server uses the `jruby-puppet.master-conf-dir` setting [in puppetserver.conf][puppetserver_conf] to configure its confdir. Note that if you're using a non-default confdir, you must also specify `--confdir` whenever you run commands like `puppet module` or `puppet cert` to ensure they use the same directories as Puppet Server.
+Puppet Server uses the `jruby-puppet.master-conf-dir` setting [in puppetserver.conf][puppetserver_conf]
+to configure its confdir. Note that if you're using a non-default confdir, you must also specify
+`--confdir` whenever you run commands like `puppet module` to ensure they use the same directories as
+Puppet Server.
 
 {:.concept}
 ## Interpolation of `$confdir`

docs/_openvox_8x/dirs_ssldir.markdown

@@ -89,7 +89,10 @@ The `ssldir` has the following structure:
 * `crl.pem` --- A copy of the certificate revocation list (CRL) retrieved from the CA, for use by Puppet agent or Puppet master. Mode: 0644. Setting: [`hostcrl`][hostcrl].
 * `private` _(directory)_ --- Usually does not contain any files. Mode: 0750. Setting: [`privatedir`][privatedir].
     * `password` --- The password to a node's private key. Usually not present. The conditions in which this file would exist are not defined. Mode: 0640. Setting: [`passfile`][passfile].
-* `private_keys` _(directory)_ --- Contains any private keys present on this node. This should generally only include the node's own private key, although on the CA it might also contain any private keys created by the `puppet cert generate` command. It will never contain the private key for the CA certificate. Mode: 0750. Setting: [`privatekeydir`][privatekeydir].
+* `private_keys` _(directory)_ --- Contains any private keys present on this node. This should generally
+    only include the node's own private key, although on the CA it might also contain any private keys
+    created by the `puppetserver ca generate` command. It will never contain the private key for the CA
+    certificate. Mode: 0750. Setting: [`privatekeydir`][privatekeydir].
     * `<certname>.pem` --- This node's private key. Mode: 0600. Setting: [`hostprivkey`][hostprivkey].
 * `public_keys` _(directory)_ --- Contains any public keys generated by this node in preparation for generating a CSR. Mode: 0755. Setting: [`publickeydir`][publickeydir].
     * `<certname>.pem` --- This node's public key. Mode: 0644. Setting: [`hostpubkey`][hostpubkey].

docs/_openvox_8x/dirs_vardir.markdown

@@ -22,7 +22,9 @@ The cache directory for Puppet agent and Puppet apply can be found at one of the
 
 When Puppet is running as either root, a Windows user with administrator privileges, or the `puppet` user, it will use a system-wide cache directory. When running as a non-root user, it will use a cache directory in that user's home directory.
 
-The system cache directory is what you usually want to use, since you will usually run Puppet's commands and services as root or `puppet`. (Note that admin commands like `puppet cert` must be run with `sudo` to use the same directories as Puppet agent or Puppet master.)
+The system cache directory is what you usually want to use, since you will usually run Puppet's commands
+and services as root or `puppet`. (Note that admin commands like `puppetserver ca` must be run with
+`sudo` to use the same directories as Puppet agent or Puppet master.)
 
 > **Note:** When Puppet master is running as a Rack application, the `config.ru` file must explicitly set `--vardir` to the system cache directory. The example `config.ru` file provided with the Puppet source does this.
 

docs/_openvox_8x/http_api/http_certificate_status.md

@@ -22,17 +22,17 @@ Find
     GET /puppet-ca/v1/certificate_status/:certname?environment=:environment
     Accept: application/json, text/pson
 
-Retrieve information about the specified certificate. Similar to `puppet
-cert --list :certname`.
+Retrieve information about the specified certificate. Similar to `puppetserver
+ca list --certname :certname`.
 
 Search
 -----
 
     GET /puppet-ca/v1/certificate_statuses/:any_key?environment=:environment
     Accept: application/json, text/pson
 
-Retrieve information about all known certificates. Similar to `puppet
-cert --list --all`. A key is required but is ignored.
+Retrieve information about all known certificates. Similar to `puppetserver
+ca list --all`. A key is required but is ignored.
 
 Save
 ----
@@ -43,9 +43,9 @@ Save
 Change the status of the specified certificate. The desired state
 is sent in the body of the PUT request as a one-item PSON hash; the two
 allowed complete hashes are `{"desired_state":"signed"}` (for signing a
-certificate signing request; similar to `puppet cert --sign`) and
+certificate signing request; similar to `puppetserver ca sign`) and
 `{"desired_state":"revoked"}` (for revoking a certificate; similar to
-`puppet cert --revoke`).
+`puppetserver ca revoke`).
 
 Note that revoking a certificate will not clean up other info about the
 host - see the DELETE request for more information.
@@ -59,7 +59,7 @@ Delete
 Cause the certificate authority to discard all SSL information regarding
 a host (including any certificates, certificate requests, and keys).
 This does not revoke the certificate if one is present; if you wish to
-emulate the behavior of `puppet cert --clean`, you must PUT a
+emulate the behavior of `puppetserver ca clean`, you must PUT a
 `desired_state` of `revoked` before deleting the host’s SSL information.
 
 If the deletion was successful, it returns a string listing the deleted

docs/_openvox_8x/quick_start_master_agent_communication.markdown

@@ -39,7 +39,7 @@ From the command line on your Puppet master, run:
 
 From the command line on each Puppet agent, run `puppet agent -t`.
 
-From your Puppet master, run `puppet cert list` and then `puppet cert sign <AGENT NAME>` to sign the certificates of your Puppet agents.
+From your Puppet Server, run `puppetserver ca list` and then `puppetserver ca sign --certname <AGENT NAME>` to sign the certificates of your Puppet agents.
 
 > That’s it! Your Puppet configuration is ready to go.
 

docs/_openvox_8x/ssl_attributes_extensions.markdown

@@ -55,7 +55,7 @@ See the respective sections below for information about how each hash is used an
 
 ### Default behavior
 
-The `puppet cert list` command doesn't display custom attributes for pending CSRs, and [basic autosigning (autosign.conf)][autosign_basic] doesn't check them before signing.
+The `puppetserver ca list` command doesn't display custom attributes for pending CSRs, and [basic autosigning (autosign.conf)][autosign_basic] doesn't check them before signing.
 
 ### Configurable behavior
 
@@ -65,7 +65,7 @@ The simplest use is to embed a pre-shared key of some kind in the custom attribu
 
 A more complex use might be to embed an instance-specific ID and write a policy executable that can check it against a list of your recently requested instances on a public cloud, like EC2 or GCE.
 
-If you use Puppet Server 2.5.0 or newer, you can also sign requests using authorization extensions and the `--allow-authorization-extensions` flag for `puppet cert sign`.
+You can also sign requests using authorization extensions and the `--allow-authorization-extensions` flag for `puppetserver ca sign`.
 
 ### Manually checking for custom attributes in CSRs
 
@@ -108,8 +108,10 @@ See [the page on facts and special variables][trusted_hash] for more information
 
 Visibility of extensions is somewhat limited:
 
-* The `puppet cert list` command _does not_ display custom attributes for any pending CSRs, and [basic autosigning (autosign.conf)][autosign_basic] doesn't check them before signing. Either use [policy-based autosigning][autosign_policy] or inspect CSRs manually with the `openssl` command (see below).
-* The `puppet cert print` command _does_ display any extensions in a signed certificate, under the "X509v3 extensions" section.
+* The `puppetserver ca list` command _does not_ display custom attributes for any pending CSRs, and
+  [basic autosigning (autosign.conf)][autosign_basic] doesn't check them before signing. Either use
+  [policy-based autosigning][autosign_policy] or inspect CSRs manually with the `openssl` command (see below).
+* The `puppet ssl show` command displays any extensions in the local node's signed certificate, under the "X509v3 extensions" section.
 
 Puppet's authorization system (`auth.conf`) does not use certificate extensions, but [Puppet Server's authorization system](/puppetserver/latest/config_file_auth.html), which is based on `trapperkeeper-authorization`, can use extensions in the ppAuthCertExt OID range, and requires them for requests to write access rules.
 
@@ -141,7 +143,9 @@ Note that every extension is preceded by any combination of two characters (`.$`
 
 Any Puppet-specific OIDs (see below) appear as numeric strings when using OpenSSL.
 
-You can check for extensions in a signed certificate by running `puppet cert print <name>`. In the output, look for the "X509v3 extensions" section. Any of the Puppet-specific registered OIDs (see below) appear as their descriptive names:
+You can check for extensions in a signed certificate by running `puppet ssl show` on the agent node
+that holds the certificate. In the output, look for the "X509v3 extensions" section. Any of the
+Puppet-specific registered OIDs (see below) appear as their descriptive names:
 
 ```
 X509v3 extensions:
@@ -221,7 +225,8 @@ To start over, do the following:
 
 **On the CA Puppet master:**
 
-* Check whether a signed certificate exists; use `puppet cert list --all` to see the complete list. If it exists, revoke and delete it with `puppet cert clean <name>`.
+* Check whether a signed certificate exists; use `puppetserver ca list --all` to see the complete list.
+  If it exists, revoke and delete it with `puppetserver ca clean --certname <name>`.
 * Check whether a CSR for the node exists; it will be in `$ssldir/ca/requests/<name>.pem`. If it exists, delete it.
 
 After you've done that, you can start over.