The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #6112

Puppet cert generate doesn't play nice with autosigning

Added by Jeff McCune about 3 years ago. Updated 6 months ago.

Status: Closed
Start date: 02/02/2011
Priority: Normal
Due date:
Assignee: Josh Partlow
% Done: 0%
Category: SSL
Target version: 3.3.0
Affected Puppet version: development
Branch: https://github.com/puppetlabs/puppet/pull/1750
Keywords: error cert_generate autosign customer



Description

Overview

Running puppet cert in 2.6.next f135a64 performs the desired certificate generation, but displays a nasty error message in the process.

Steps to reproduce

$ puppet cert --confdir ~/.puppet/conf_enc --generate foo.bar.baz --certdnsnames foo:foo.bar.baz:puppet
notice: foo.bar.baz has a waiting certificate request
notice: Signed certificate request for foo.bar.baz
notice: Removing file Puppet::SSL::CertificateRequest foo.bar.baz at '/Users/jeff/.puppet/var/ssl/ca/requests/foo.bar.baz.pem'
notice: Removing file Puppet::SSL::CertificateRequest foo.bar.baz at '/Users/jeff/.puppet/var/ssl/certificate_requests/foo.bar.baz.pem'
err: Could not call generate: Could not find certificate request for foo.bar.baz

$ echo $?
0

$ puppet cert --print foo.bar.baz
(Works as expected, certificate was generated and signed)

Expected Behavior

The error shouldn’t be displayed.

History

#1 Updated by Nigel Kersten about 3 years ago

  • Status changed from Unreviewed to Accepted
  • Target version set to 2.6.x

#2 Updated by James Turnbull about 3 years ago

  • Target version changed from 2.6.x to 2.6.6

#3 Updated by James Turnbull about 3 years ago

  • Target version changed from 2.6.6 to 2.6.x

#4 Updated by Dustin Mitchell over 2 years ago

  • Target version changed from 2.6.x to 2.7.x

I can verify this is still present in 2.7.2:

[root@relabs-puppet.build.mtv1 repos]# puppet --version
2.7.1
[root@relabs-puppet.build.mtv1 repos]# puppetca --generate bing.com
notice: bing.com has a waiting certificate request
notice: Signed certificate request for bing.com
notice: Removing file Puppet::SSL::CertificateRequest bing.com at '/var/lib/puppet/ssl-master/ca/requests/bing.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest bing.com at '/var/lib/puppet/ssl-master/certificate_requests/bing.com.pem'
err: Could not call generate: Could not find certificate request for bing.com

#5 Updated by Nigel Kersten over 2 years ago

  • Status changed from Accepted to Needs More Information

We need more info. I just tried replicating this and couldn’t do it on 2.6.x or 2.7.x

#6 Updated by Mark Phillips over 2 years ago

Hmm, I’ve just got this on PE 1.2.4 too:

root@mgrl002:/etc/puppetlabs/puppet# facter puppetversion
2.6.9 (Puppet Enterprise 1.2.4)

root@mgrl002:/etc/puppetlabs/puppet# puppet cert --generate dashboard
notice: dashboard has a waiting certificate request
notice: Signed certificate request for dashboard
notice: Removing file Puppet::SSL::CertificateRequest dashboard at '/var/opt/lib/pe-puppet/ssl/ca/requests/dashboard.pem'
notice: Removing file Puppet::SSL::CertificateRequest dashboard at '/var/opt/lib/pe-puppet/ssl/certificate_requests/dashboard.pem'
err: Could not call generate: Could not find certificate request for dashboard

root@mgrl002:/etc/puppetlabs/puppet# puppet cert -l --all
+ dashboard (23:DF:3C:DA:D7:0A:5F:5C:C3:80:85:21:78:D3:F0:9F)
+ mgrl002   (5A:72:71:61:B1:3B:BA:45:83:E7:DE:4D:F7:DD:81:8B)

root@mgrl002:/etc/puppetlabs/puppet# puppet cert --print dashboard
Certificate:
    Data:
[snip]

#7 Updated by Celia Cottle almost 2 years ago

A customer had this happen on a Puppet 2.7.12, PE 2.5.1, SLES Enterprise 11 master. Same deal, cert generate is run, displays usual success messages and ends with error that “err: Could not call generate: Could not find certificate request for mastername”. A check shows that the cert was properly generated, however.

#8 Updated by Amos Shapira over 1 year ago

I’m getting this also on Scientific Linux (=RHEL/CentOS) 6.2 with Puppet 2.7.18, ruby 1.8.7.

#9 Updated by Dennis Matotek over 1 year ago

Me too. See full debug and trace. Means that I'll have to do something like this when I automate the install of the puppet master.

  exec {'generate_master_cert':
    command => '/usr/bin/puppet cert generate puppetca.mylocal --dns_alt_names=puppetca,puppet.mylocal ; /bin/true',
    creates => '/var/lib/puppet/ssl/private_keys/puppetca.mylocal.pem',
    before  => File['/etc/httpd/conf.d/puppetmaster.conf'],
  }

(that is unless someone has a better idea :))

AWS - redhat 6.3
rpm -qa |grep puppet
puppetlabs-release-6-5.noarch
hiera-puppet-1.0.0-1.el6.noarch
puppet-dashboard-1.2.11-1.el6.noarch
puppet-2.7.19-1.el6.noarch
puppetdb-1.0.0-1.el6.noarch
puppet-server-2.7.19-1.el6.noarch
puppetdb-terminus-1.0.0-1.el6.noarch
# puppet cert generate puppetca.mylocal --dns_alt_names=puppetca,puppet.mylocal --trace --debug ;echo $?
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: /File[/var/lib/puppet/ssl/ca/requests]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/ca/requests
debug: /File[/var/lib/puppet/ssl/ca/requests]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/ca/requests
debug: /File[/var/lib/puppet/ssl/ca/requests]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/ca/requests
debug: /File[/var/lib/puppet/ssl/ca/requests]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/ca/requests
debug: /File[/var/lib/puppet/ssl/public_keys]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/public_keys
debug: /File[/var/lib/puppet/ssl/public_keys]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/public_keys
debug: /File[/var/lib/puppet/ssl/public_keys]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/public_keys
debug: /File[/var/lib/puppet/ssl/public_keys]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/public_keys
debug: /File[/etc/puppet]/seluser: Found seluser default 'system_u' for /etc/puppet
debug: /File[/etc/puppet]/selrole: Found selrole default 'object_r' for /etc/puppet
debug: /File[/etc/puppet]/seltype: Found seltype default 'puppet_etc_t' for /etc/puppet
debug: /File[/etc/puppet]/selrange: Found selrange default 's0' for /etc/puppet
debug: /File[/var/lib/puppet/ssl/private_keys]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/private_keys
debug: /File[/var/lib/puppet/ssl/private_keys]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/private_keys
debug: /File[/var/lib/puppet/ssl/private_keys]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/private_keys
debug: /File[/var/lib/puppet/ssl/private_keys]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/private_keys
debug: /File[/var/lib/puppet/state]/seluser: Found seluser default 'system_u' for /var/lib/puppet/state
debug: /File[/var/lib/puppet/state]/selrole: Found selrole default 'object_r' for /var/lib/puppet/state
debug: /File[/var/lib/puppet/state]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/state
debug: /File[/var/lib/puppet/state]/selrange: Found selrange default 's0' for /var/lib/puppet/state
debug: /File[/var/log/puppet]/seluser: Found seluser default 'system_u' for /var/log/puppet
debug: /File[/var/log/puppet]/selrole: Found selrole default 'object_r' for /var/log/puppet
debug: /File[/var/log/puppet]/seltype: Found seltype default 'puppet_log_t' for /var/log/puppet
debug: /File[/var/log/puppet]/selrange: Found selrange default 's0' for /var/log/puppet
debug: /File[/var/lib/puppet/ssl/ca/private]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/ca/private
debug: /File[/var/lib/puppet/ssl/ca/private]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/ca/private
debug: /File[/var/lib/puppet/ssl/ca/private]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/ca/private
debug: /File[/var/lib/puppet/ssl/ca/private]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/ca/private
debug: /File[/var/lib/puppet/ssl/certs]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/certs
debug: /File[/var/lib/puppet/ssl/certs]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/certs
debug: /File[/var/lib/puppet/ssl/certs]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/certs
debug: /File[/var/lib/puppet/ssl/certs]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/certs
debug: /File[/etc/puppet/autosign.conf]/seluser: Found seluser default 'system_u' for /etc/puppet/autosign.conf
debug: /File[/etc/puppet/autosign.conf]/selrole: Found selrole default 'object_r' for /etc/puppet/autosign.conf
debug: /File[/etc/puppet/autosign.conf]/seltype: Found seltype default 'puppet_etc_t' for /etc/puppet/autosign.conf
debug: /File[/etc/puppet/autosign.conf]/selrange: Found selrange default 's0' for /etc/puppet/autosign.conf
debug: /File[/var/lib/puppet/lib]/seluser: Found seluser default 'system_u' for /var/lib/puppet/lib
debug: /File[/var/lib/puppet/lib]/selrole: Found selrole default 'object_r' for /var/lib/puppet/lib
debug: /File[/var/lib/puppet/lib]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/lib
debug: /File[/var/lib/puppet/lib]/selrange: Found selrange default 's0' for /var/lib/puppet/lib
debug: /File[/var/lib/puppet/ssl/ca]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/ca
debug: /File[/var/lib/puppet/ssl/ca]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/ca
debug: /File[/var/lib/puppet/ssl/ca]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/ca
debug: /File[/var/lib/puppet/ssl/ca]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/ca
debug: /File[/etc/puppet/routes.yaml]/seluser: Found seluser default 'system_u' for /etc/puppet/routes.yaml
debug: /File[/etc/puppet/routes.yaml]/selrole: Found selrole default 'object_r' for /etc/puppet/routes.yaml
debug: /File[/etc/puppet/routes.yaml]/seltype: Found seltype default 'puppet_etc_t' for /etc/puppet/routes.yaml
debug: /File[/etc/puppet/routes.yaml]/selrange: Found selrange default 's0' for /etc/puppet/routes.yaml
debug: /File[/var/lib/puppet/ssl/private]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/private
debug: /File[/var/lib/puppet/ssl/private]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/private
debug: /File[/var/lib/puppet/ssl/private]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/private
debug: /File[/var/lib/puppet/ssl/private]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/private
debug: /File[/var/lib/puppet]/seluser: Found seluser default 'system_u' for /var/lib/puppet
debug: /File[/var/lib/puppet]/selrole: Found selrole default 'object_r' for /var/lib/puppet
debug: /File[/var/lib/puppet]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet
debug: /File[/var/lib/puppet]/selrange: Found selrange default 's0' for /var/lib/puppet
debug: /File[/var/lib/puppet/ssl/certificate_requests]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/certificate_requests
debug: /File[/var/lib/puppet/ssl/certificate_requests]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/certificate_requests
debug: /File[/var/lib/puppet/ssl/certificate_requests]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/certificate_requests
debug: /File[/var/lib/puppet/ssl/certificate_requests]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/certificate_requests
debug: /File[/var/run/puppet]/seluser: Found seluser default 'system_u' for /var/run/puppet
debug: /File[/var/run/puppet]/selrole: Found selrole default 'object_r' for /var/run/puppet
debug: /File[/var/run/puppet]/seltype: Found seltype default 'puppet_var_run_t' for /var/run/puppet
debug: /File[/var/run/puppet]/selrange: Found selrange default 's0' for /var/run/puppet
debug: /File[/var/lib/puppet/ssl/ca/signed]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl/ca/signed
debug: /File[/var/lib/puppet/ssl/ca/signed]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl/ca/signed
debug: /File[/var/lib/puppet/ssl/ca/signed]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl/ca/signed
debug: /File[/var/lib/puppet/ssl/ca/signed]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl/ca/signed
debug: /File[/var/lib/puppet/ssl]/seluser: Found seluser default 'system_u' for /var/lib/puppet/ssl
debug: /File[/var/lib/puppet/ssl]/selrole: Found selrole default 'object_r' for /var/lib/puppet/ssl
debug: /File[/var/lib/puppet/ssl]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/ssl
debug: /File[/var/lib/puppet/ssl]/selrange: Found selrange default 's0' for /var/lib/puppet/ssl
debug: /File[/var/lib/puppet/facts]/seluser: Found seluser default 'system_u' for /var/lib/puppet/facts
debug: /File[/var/lib/puppet/facts]/selrole: Found selrole default 'object_r' for /var/lib/puppet/facts
debug: /File[/var/lib/puppet/facts]/seltype: Found seltype default 'puppet_var_lib_t' for /var/lib/puppet/facts
debug: /File[/var/lib/puppet/facts]/selrange: Found selrange default 's0' for /var/lib/puppet/facts
debug: /File[/etc/puppet/routes.yaml]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/autosign.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/ca]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl]/ensure: created
debug: /File[/var/lib/puppet/ssl/ca]/ensure: created
debug: /File[/var/lib/puppet/ssl/ca/signed]/ensure: created
debug: /File[/var/lib/puppet/ssl/private_keys]/ensure: created
debug: /File[/var/lib/puppet/ssl/public_keys]/ensure: created
debug: /File[/var/lib/puppet/ssl/certs]/ensure: created
debug: /File[/var/lib/puppet/ssl/ca/private]/ensure: created
debug: /File[/var/lib/puppet/ssl/private]/ensure: created
debug: /File[/var/lib/puppet/ssl/ca/requests]/ensure: created
debug: /File[/var/lib/puppet/ssl/certificate_requests]/ensure: created
debug: Finishing transaction 70072904089340
info: Creating a new SSL key for ca
info: Creating a new SSL certificate request for ca
info: Certificate Request fingerprint (md5): 64:24:4F:6B:CF:51:00:7A:19:BB:DE:F8:70:7F:A6:8A
notice: Signed certificate request for ca
notice: Rebuilding inventory file
debug: Using cached certificate for ca
info: Creating a new certificate revocation list
info: Creating a new SSL key for puppetca.mylocal
info: Creating a new SSL certificate request for puppetca.mylocal
info: Certificate Request fingerprint (md5): 97:57:AC:45:36:51:20:EB:12:51:16:D5:16:91:F1:45
notice: puppetca.mylocal has a waiting certificate request
debug: Using cached certificate for ca
debug: Using cached certificate_request for puppetca.mylocal
notice: Signed certificate request for puppetca.mylocal
notice: Removing file Puppet::SSL::CertificateRequest puppetca.mylocal at '/var/lib/puppet/ssl/ca/requests/puppetca.mylocal.pem'
notice: Removing file Puppet::SSL::CertificateRequest puppetca.mylocal at '/var/lib/puppet/ssl/certificate_requests/puppetca.mylocal.pem'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:262:in `sign'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:138:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:40:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:39:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:39:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:22:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:22:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:74:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/application/cert.rb:190:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:317:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
err: Could not call generate: Could not find certificate request for puppetca.mylocal
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:262:in `sign'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:138:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:40:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:39:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:39:in `generate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:22:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:22:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:74:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/application/cert.rb:190:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:317:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
Could not find certificate request for puppetca.mylocal
24

#10 Updated by John Guthrie over 1 year ago

This is still happening in 2.7.19.

#11 Updated by Andrew Parker over 1 year ago

  • Target version deleted (2.7.x)

#12 Updated by Andrew Parker over 1 year ago

As the 2.7.x line is winding down, I am removing the target at 2.7.x from tickets in the system. The 2.7 line should only receive fixes for major problems (crashes, for instance) or security problems.

#13 Updated by Charlie Sharpsteen about 1 year ago

  • Keywords changed from error cert generate to error cert generate customer

#15 Updated by Charlie Sharpsteen 11 months ago

  • Assignee set to Charlie Sharpsteen

#16 Updated by Charlie Sharpsteen 11 months ago

  • Status changed from Needs More Information to Investigating

I suspect what is going on here is that the certificate request is being auto-signed during generation. Then, puppet cert makes an attempt to explicitly sign the request but fails. Will look into this.

#17 Updated by Charlie Sharpsteen 11 months ago

  • Category changed from logging to SSL
  • Status changed from Investigating to Accepted
  • Assignee deleted (Charlie Sharpsteen)
  • Keywords changed from error cert generate customer to error cert_generate autosign customer

Autosigning is a very likely culprit:

[root@puppetmaster ~]# rm -rf /var/lib/puppet/ssl

[root@puppetmaster ~]# puppet cert generate puppetagent.boxnet
Notice: Signed certificate request for ca
Notice: Rebuilding inventory file
Notice: puppetagent.boxnet has a waiting certificate request
Notice: Signed certificate request for puppetagent.boxnet
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/ca/requests/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/certificate_requests/puppetagent.boxnet.pem'


[root@puppetmaster ~]# puppet cert clean puppetagent.boxnet
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppetagent.boxnet at '/var/lib/puppet/ssl/ca/signed/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::Certificate puppetagent.boxnet at '/var/lib/puppet/ssl/certs/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::Key puppetagent.boxnet at '/var/lib/puppet/ssl/private_keys/puppetagent.boxnet.pem'


[root@puppetmaster ~]# echo 'puppetagent.boxnet' > /etc/puppet/autosign.conf


[root@puppetmaster ~]# puppet cert generate puppetagent.boxnet
Notice: puppetagent.boxnet has a waiting certificate request
Notice: Signed certificate request for puppetagent.boxnet
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/ca/requests/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/certificate_requests/puppetagent.boxnet.pem'
Error: Could not find certificate request for puppetagent.boxnet

When using puppet cert generate, Puppet first generates a certificate request and then signs it. During the generation step, the save method of the CertificateRequest class is called which triggers autosigning.

To summarize:

  • Certificate generation should take auto signing into account.

  • It appears autosigning doesn’t consult the dns_alt_names parameter.

  • We should probably log an info or debug message whenever a cert is autosigned so this behavior is easier to detect in the future.
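
The sequence described in comment #17, as a toy Ruby model added here (not Puppet's code and not the change merged for this ticket). ToyCA and its method names are hypothetical. It shows why the certificate exists even though an error is reported, and one way generation can take autosigning into account and log it.

```ruby
# Toy model of "save triggers autosign, then generate signs again".
# ToyCA, save_request, generate_unconditional and generate_checked are
# hypothetical names for this example, not Puppet's API.
class ToyCA
  class MissingRequest < StandardError; end

  attr_reader :requests, :signed, :log

  def initialize(autosign: [])
    @autosign = autosign   # names allowed to autosign (stand-in for autosign.conf)
    @requests = {}         # pending certificate requests, keyed by name
    @signed   = {}         # issued certificates, keyed by name
    @log      = []         # messages an operator would see
  end

  # Saving a request has a side effect: a whitelisted name is signed at once.
  def save_request(name)
    @requests[name] = "csr:#{name}"
    return unless @autosign.include?(name)
    sign(name)
    @log << "info: autosigned #{name}"   # the logging the summary asks for
  end

  # Signing consumes the pending request, so a second call finds nothing.
  def sign(name)
    csr = @requests.delete(name)
    raise MissingRequest, "Could not find certificate request for #{name}" unless csr
    @signed[name] = "cert:#{name}"
  end

  # Reported behaviour: save the request, then sign unconditionally.
  def generate_unconditional(name)
    save_request(name)
    sign(name)
  end

  # One possible correction: sign only if the request is still pending,
  # then return whichever certificate now exists.
  def generate_checked(name)
    save_request(name)
    sign(name) if @requests.key?(name)
    @signed.fetch(name)
  end
end

# Runs both variants against a CA that autosigns the given name and
# returns what an operator would observe in each case.
def compare_generate(name)
  buggy = ToyCA.new(autosign: [name])
  error = begin
    buggy.generate_unconditional(name)
    nil
  rescue ToyCA::MissingRequest => e
    e.message
  end

  fixed = ToyCA.new(autosign: [name])
  cert = fixed.generate_checked(name)

  { error: error, cert_exists_despite_error: buggy.signed.key?(name),
    fixed_cert: cert, fixed_log: fixed.log }
end

if __FILE__ == $PROGRAM_NAME
  compare_generate('puppetagent.boxnet').each { |k, v| puts "#{k}: #{v.inspect}" }
end
```
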

#18 Updated by Charlie Sharpsteen 11 months ago

  • Subject changed from Puppet cert generate error message when it succeeds to Puppet cert generate doesn't play nice with autosigning

#19 Updated by Josh Partlow 10 months ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Branch set to https://github.com/puppetlabs/puppet/pull/1750

#20 Updated by Josh Partlow 9 months ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release

merged in 45405847

#21 Updated by Andrew Parker 9 months ago

  • Target version set to 3.3.0

There were some problems around the tests for this that were resolved in https://github.com/puppetlabs/puppet/commit/c113c6568742f9774bfd1f0c3954a26996875bfa

#22 Updated by Josh Partlow 9 months ago

  • Assignee set to Josh Partlow

#23 Updated by Andrew Parker 6 months ago

  • Status changed from Merged - Pending Release to Closed

This was released in 3.3.0

#24 Updated by Andrew Parker 6 months ago

Released in 3.3.0

#25 Updated by Andrew Parker 6 months ago

Released in 3.3.0
