  1. Puppet Server
  2. SERVER-2441

Return 200 when server already has agent's CSR

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Do
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.y
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      Server returns 200 when it receives an agent CSR request that exactly matches the CSR it already has saved for that certname.
    • Team:
      Server
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently, if a server has a CSR on file for a given certname, and the agent submits a second one, the server will respond with a 400, regardless of whether the two CSRs are the same or different. This means that the agent can't tell whether the CSR the server has matches its current private keys or not, and therefore doesn't know whether it should continue waiting for a cert matching its keys, or clear state and start over, as it should if the server has a CSR that doesn't match the current state (because in this case the cert the server would sign would not be valid for the agent).

      We should update the way the server responds to CSR requests to distinguish these two cases:
      1) if the CSRs match exactly, return 200 as a no-op server-side, and the agent can just proceed as if no previous CSR had been submitted.
      2) if the CSRs do not match, return 409 Conflict, to allow the agent to tell the user that the server has an invalid CSR that needs to be cleaned out before cert bootstrapping can continue.

      This change should be backwards compatible, because the agent currently proceeds on a 200 and raises the server's error on anything else. This change would essentially mean we are just returning 200 in more cases than previously.
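
The proposed response logic, sketched as an added example (not part of the original ticket and not Puppet Server code). The `store` hash, the function names, the sample certname, and the signature check are assumptions made for illustration.

```ruby
require 'openssl'

# Build a CSR for `certname` signed by `key` (constructed sample data).
def build_csr(certname, key)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Hypothetical handler; `store` (certname => CSR PEM) stands in for saved CSRs.
def handle_csr_submission(store, certname, submitted_pem)
  submitted = OpenSSL::X509::Request.new(submitted_pem)
  # Assumption added here: reject CSRs whose self-signature does not verify.
  return [400, 'CSR signature does not verify'] unless submitted.verify(submitted.public_key)
  unless store.key?(certname)
    store[certname] = submitted.to_pem
    return [200, 'CSR saved']
  end
  existing = OpenSSL::X509::Request.new(store[certname])
  # "Exactly matches" is taken as DER equality, so PEM formatting is ignored.
  if existing.to_der == submitted.to_der
    [200, 'identical CSR already on file; nothing to do']
  else
    [409, 'a different CSR is already on file for this certname']
  end
end

# Hypothetical agent-side reaction to each status, per the ticket's two cases.
def agent_next_step(status)
  case status
  when 200 then :keep_waiting_for_cert
  when 409 then :tell_user_to_clean_server_csr
  else :raise_server_error
  end
end

# Constructed scenario: first submit, identical resubmit, resubmit after rekey.
def demo
  certname = 'agent01.example.test'
  old_key, new_key = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
  store = {}
  [old_key, old_key, new_key].map do |key|
    handle_csr_submission(store, certname, build_csr(certname, key).to_pem).first
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The second submission matches because RSA PKCS#1 v1.5 signatures are deterministic; with ECDSA keys a CSR regenerated from the same key would differ byte for byte, so an exact-match check only returns 200 there if the agent resubmits its saved CSR.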

              People

              • Assignee:
                Unassigned
                Reporter:
                maggie Maggie Dreyer