Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9720

puppet agent --fingerprint is broken


    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If the agent doesn't have a client cert yet, then `puppet agent --fingerprint` will now print the SHA256 digest of the certificate request (CSR) like it used to do in Puppet < 6.4. Note this the digest of the DER encoded certificate or CSR.
    • QA Risk Assessment:
      Needs Assessment


      Prior to 6.4, puppet agent --fingerprint would print the hash of the client cert or client's CSR. In the process it would generate a private key, download the CA cert and CRL, attempt to download the client cert, and print the cert's fingerprint. If that failed it would attempt to load the client's CSR locally or retrieve the CSR from the server, and print its fingerprint.

      Note puppet agent --fingerprint never submitted the CSR, but it might seem to work if a previous agent run had already submitted the CSR, and either due to manual intervention or autosigning, the CSR is signed before puppet agent --fingerprint is run.

      In 6.4 the option doesn't work, because it's trying to pass onetime: true keyword arguments, which the state machine doesn't accept. It also doesn't print the hash of the CSR, which is important for things like PUP-9715.


          Issue Links



              • Assignee:
                josh Josh Cooper
                josh Josh Cooper
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created:

                  Zendesk Support