Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- None
- Coremunity
- Platform Core KANBAN
- Normal
- 32227
- 1
- Bug Fix
Puppet will prevent multiple puppet processes from concurrently bootstrapping its SSL keys and certs.
Description
It appears that two rapid-fire puppet runs can cause a race condition of some kind when:
- Puppet requests a certificate from the master.
- An additional puppet run is triggered immediately, before the signed certificate is received.
- New private keys are generated - but the master has already received the original CSR.
- The master continuously returns the original certificate, which does not match the newly generated private keys / CSR on the agent, from the second puppet run.
This shouldn't be possible, but I've seen it demonstrated by a customer.
It's also possible I'm misinterpreting exactly what is happening.
/cc reid for comment - he's seen the bug in the past but couldn't nail it down cohesively.
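
The race described above and the kind of guard the release note refers to, as an added Ruby example that is not Puppet's own code: key creation is serialized with an exclusive file lock so a second run reuses the key behind the CSR already submitted. The helper names, the `ssl.lock` and `agent_key.pem` file names and the certname are assumptions, and two threads stand in for the two agent runs (the same `flock` also serializes separate processes).

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical helper (not Puppet's API): create the agent key once, under an
# exclusive lock, and return the existing key on every later call.
def bootstrap_key(ssldir)
  key_path = File.join(ssldir, 'agent_key.pem')   # assumed file name
  lock_path = File.join(ssldir, 'ssl.lock')       # assumed file name
  File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX) # a concurrent run waits here until we are done
    unless File.exist?(key_path)
      key = OpenSSL::PKey::RSA.new(2048)
      tmp = "#{key_path}.tmp"
      # Write then rename, so a partially written key is never visible.
      File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
        f.write(key.to_pem)
      end
      File.rename(tmp, key_path)
    end
    OpenSSL::PKey::RSA.new(File.read(key_path))
  end # closing the lock file releases the lock
end

# Build the CSR that would be sent to the master for this key.
def build_csr(key, certname)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed scenario: two rapid-fire runs against an empty ssldir.
def demo
  Dir.mktmpdir do |ssldir|
    runs = Array.new(2) { Thread.new { bootstrap_key(ssldir) } }.map(&:value)
    submitted = build_csr(runs[0], 'agent.example.test') # CSR the master holds
    regenerated = OpenSSL::PKey::RSA.new(2048) # what an unguarded run creates
    {
      same_key: runs[0].to_der == runs[1].to_der,
      guarded: submitted.verify(runs[1]),       # second run matches the CSR
      unguarded: submitted.verify(regenerated)  # the mismatch from the report
    }
  end
end
```

`OpenSSL::X509::Request#verify` is also a quick diagnostic on an affected agent: if the CSR the master holds does not verify against the local private key, the agent has regenerated its key since submitting.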