Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Fixed
- Fix Version/s: PUP 4.8.0
- Tests exist to simulate the mismatch
- Release Notes: New Feature
- Release Notes Summary: The Puppet agent will now emit a warning if it had previously submitted a CSR to a master, has not yet received a signed certificate, and the local CSR does not match the one previously submitted to the master.
Description
Assume the following sequence of events:
- Agent has generated public / private key pair and a CSR
- Agent has sent a CSR to the master (by way of a `puppet agent` run)
- Master has not yet signed the CSR
Note that the agent's CSR embeds the agent's public key, so a CSR is only usable by the holder of the matching private key. Now perform the following:
- Delete the agent's entire SSL directory, including the public / private key pair, the CA certificate and the CSR
- Re-run `puppet agent -t`
The agent regenerates all of the SSL files, including a new key pair and a new CSR.
However, instead of using the new CSR that was created locally (which matches the newly generated public / private key pair), the agent downloads the previously submitted CSR from the master and uses it. That CSR can never yield a usable certificate for this agent, because the private key it was generated for no longer exists locally, yet Puppet proceeds without any error describing the situation.
The agent should compare its local public key against the public key embedded in the downloaded CSR to confirm that they match. When they do not match, an error should be presented to the user advising them that the master holds a mismatched CSR that must be cleaned before the agent can obtain a certificate.
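The following Ruby script is an added example, not Puppet's own code, that simulates the sequence above with in-memory keys and CSRs and implements the check the ticket asks for: before trusting a CSR it fetched from the master, the agent confirms that the CSR's public key is the public half of its current private key and that the CSR's self-signature verifies under that key. The `choose_csr` helper, the `MismatchedCsrError` class and the certname `agent.example.com` are assumptions made for the example; the "master" is just a variable holding the pending CSR, and all keys are constructed on the fly.

```ruby
require 'openssl'

# Added example (not Puppet's own code): simulate an agent that submits a CSR,
# loses its SSL directory, regenerates a key pair, and then fetches the stale
# CSR back from the master. Everything below is constructed in memory.

# Create a key pair and a CSR for it, as the agent does on its first run.
# Constructed sample data; 2048-bit RSA keeps the example fast.
def generate_key_and_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, csr]
end

# Does this CSR belong to the local private key? Two independent checks:
#  1. the public key embedded in the CSR equals the local key's public half;
#  2. the CSR's self-signature verifies under that public key, so a CSR whose
#     subject public key was swapped without re-signing is rejected as well.
def csr_matches_local_key?(csr_pem, key_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  same_key = csr.public_key.to_der == key.public_key.to_der
  same_key && csr.verify(key.public_key)
end

# Hypothetical error type for the condition the ticket wants reported.
class MismatchedCsrError < StandardError; end

# Decide which CSR the agent may proceed with. A CSR downloaded from the
# master is only acceptable if it matches the key the agent holds now;
# otherwise raise with the error the ticket asks for. With no downloaded
# CSR, the freshly generated local one is used.
def choose_csr(downloaded_csr_pem, local_csr_pem, local_key_pem, certname)
  if downloaded_csr_pem && !csr_matches_local_key?(downloaded_csr_pem, local_key_pem)
    raise MismatchedCsrError,
          "The CSR retrieved from the master for #{certname} does not match " \
          "the agent's current public key. Clean the pending CSR for " \
          "#{certname} on the master and re-run the agent."
  end
  downloaded_csr_pem || local_csr_pem
end

# Walk through the ticket's sequence of events and report each comparison.
def simulate_mismatch(certname = 'agent.example.com')
  # 1. First agent run: key pair + CSR, submitted to the master.
  key1, csr1 = generate_key_and_csr(certname)
  master_pending_csr = csr1.to_pem   # the master keeps this CSR pending

  # 2. The operator wipes the agent's SSL directory and re-runs the agent:
  #    a fresh key pair and CSR are generated; key1 no longer exists there.
  key2, csr2 = generate_key_and_csr(certname)

  # 3. The master still holds csr1 and hands it back to the agent.
  {
    # stale CSR against the new key: the mismatch the ticket describes
    stale_matches:    csr_matches_local_key?(master_pending_csr, key2.to_pem),
    # the locally regenerated CSR against the new key
    fresh_matches:    csr_matches_local_key?(csr2.to_pem, key2.to_pem),
    # for contrast only: the stale CSR against the key the real agent lost
    original_matches: csr_matches_local_key?(master_pending_csr, key1.to_pem)
  }
end

if __FILE__ == $PROGRAM_NAME
  simulate_mismatch.each { |name, ok| puts "#{name}: #{ok}" }
end
```

Comparing the DER-encoded SubjectPublicKeyInfo of both keys is enough to detect the mismatch; the additional signature verification costs nothing and also rejects a CSR that was tampered with in transit. On a Puppet 4 series master the cleanup the error message refers to is `puppet cert clean <certname>`, which removes the stale pending request so that the agent's next run submits the CSR that matches its current key.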