Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-2992

Puppet Cert problems with unsupported signing algorithm



    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.5.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Template:


      Since migrating our puppet masters to CentOS 7, we are unable to sign certificates from really old puppet client systems which request MD5 certificates - probably due to OpenSSL changes.

      [root@ny-puppet02 ~]# puppet cert list
        "host.example.com"               (MD5) 73:D2:D3:9E:A6:37:86:F1:1C:88:6D:8E:06:62:4C:CF
      [root@ny-puppet02 ~]# puppet cert sign host.example.com --debug --verbose
      Error: unknown message digest algorithm

      That's fine, we need to be on SHA anyway. So, in testing to get these old clients to request a cert with a different algorithm (and having problems with --digest not being respected on these old puppet versions), we were going to need to go through a few different requests to get one with the right algorithm.

      So, let's delete the pending request so a new one can come in, right?

      [root@ny-puppet02 ~]# puppet cert list
        "host.example.com"               (MD5) 73:D2:D3:9E:A6:37:86:F1:1C:88:6D:8E:06:62:4C:CF
      [root@ny-puppet02 ~]# puppet cert clean host.example.com
      Error: Could not find a serial number for host.example.com

      Hmm, how can I delete this request? Normally when I've run into that, I've run sign and then immediately clean to get rid of it, but that's not possible in this case since the sign operation errors.

      [root@ny-puppet02 ~]# puppet cert --help
      * clean:
        Revoke a host's certificate (if applicable) and remove all files
        related to that host from puppet cert's storage. This is useful when
        rebuilding hosts, since new certificate signing requests will only be
        honored if puppet cert does not have a copy of a signed certificate
        for that host. If '--all' is specified then all host certificates,
        both signed and unsigned, will be removed.

      Ok, so --all will clear unsigned certs? Let's try that.

      [root@ny-puppet02 ~]# puppet cert clean host.example.com --all
      Notice: Revoked certificate with serial 215
      Notice: Revoked certificate with serial 64
      Notice: Revoked certificate with serial 212
      Notice: Revoked certificate with serial 133
      Notice: Revoked certificate with serial 254
      Notice: Revoked certificate with serial 83

      Yeah, that's a bad idea - the host being specified in this command is ignored. Yes, it says "all host certificates", so that makes sense, but it seems to be the only option that could potentially delete an unsigned cert.

      So, a couple things:

      • Is there a way within the puppet cert workflow (instead of manipulating the cert store directly on the filesystem) to delete a pending cert request that was never signed? I'm not seeing one, and if not, there should be - I don't see any harm in having clean remove unsigned requests as well as already signed certs.
      • Should puppet cert clean host.example.com -all be annihilating all certs, when a hostname was specified? If the -all flag is going to be the only way to delete an unsigned request, it should support having a specific hostname. If it's going to remain the "nuke it all and salt the earth" option exclusively, then it should error when you try to run it with a specific hostname.


          Issue Links



              shanemadden Shane Madden
              QA Contact:
              Kurt Wall
              0 Vote for this issue
              3 Start watching this issue



                  Zendesk Support