Details
- Task
- Status: Closed
- Normal
- Resolution: Fixed
- PUP 6.4.0
- None
- Coremunity
- Platform Core KANBAN
- Bug Fix
If the agent doesn't have a client cert yet, then `puppet agent --fingerprint` will now print the SHA256 digest of the certificate request (CSR) like it used to do in Puppet < 6.4. Note this is the digest of the DER-encoded certificate or CSR.
Needs Assessment
Description
Prior to 6.4, `puppet agent --fingerprint` would print the hash of the client cert or client's CSR. In the process it would generate a private key, download the CA cert and CRL, attempt to download the client cert, and print the cert's fingerprint. If that failed it would attempt to load the client's CSR locally or retrieve the CSR from the server, and print its fingerprint.
Note `puppet agent --fingerprint` never submitted the CSR, but it might seem to work if a previous agent run had already submitted the CSR, and either due to manual intervention or autosigning, the CSR is signed before `puppet agent --fingerprint` is run.
In 6.4 the option doesn't work, because it's trying to pass `onetime: true` keyword arguments, which the state machine doesn't accept. It also doesn't print the hash of the CSR, which is important for things like PUP-9715.
Issue Links
- relates to SERVER-2847 puppet cert sign lacks hashsum parameter (Closed)
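The release note above says the fingerprint is the SHA256 digest of the DER-encoded certificate or CSR. The following is an added example, not Puppet's own code, that recomputes that digest from a PEM file so a CSR can be checked against a fingerprint reported out of band before it is signed. The helper names, the agent name `agent01.example.test` and the `(SHA256) AA:BB:...` display format are assumptions made for the example.

```ruby
require 'openssl'

# Constructed sample: a throwaway key and CSR for a hypothetical agent name.
def build_sample_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Parse a PEM string as a CSR or a certificate, depending on its header.
def load_pem(pem)
  if pem.include?('CERTIFICATE REQUEST')
    OpenSSL::X509::Request.new(pem)
  else
    OpenSSL::X509::Certificate.new(pem)
  end
end

# SHA256 over the DER encoding, shown as colon-separated uppercase hex
# (display format is an assumption of this example).
def der_fingerprint(obj)
  OpenSSL::Digest::SHA256.hexdigest(obj.to_der).upcase.scan(/../).join(':')
end

# Drop an optional "(SHA256)" prefix, colons and case differences.
def normalize(fp)
  fp.sub(/\A\s*\(SHA256\)\s*/i, '').delete(':').strip.upcase
end

# True when the reported fingerprint matches the DER digest of the PEM object.
def fingerprint_matches?(pem, reported)
  normalize(der_fingerprint(load_pem(pem))) == normalize(reported)
end

if __FILE__ == $PROGRAM_NAME
  pem = build_sample_csr('agent01.example.test').to_pem
  der_fp = der_fingerprint(load_pem(pem))
  # Hashing the PEM text (base64 plus header lines) gives a different value.
  pem_fp = OpenSSL::Digest::SHA256.hexdigest(pem).upcase.scan(/../).join(':')
  puts "DER digest:      (SHA256) #{der_fp}"
  puts "PEM text digest: #{pem_fp} (differs; not the fingerprint)"
  puts "match: #{fingerprint_matches?(pem, '(SHA256) ' + der_fp)}"
end
```

Running `sha256sum` directly on the `.pem` file hashes the base64 text and header lines, so it will not match the value the agent prints.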