Details
- Type: Improvement
- Status: Closed
- Priority: Normal
- Resolution: Won't Do
- Affects Version/s: None
- Fix Version/s: SERVER 6.y
- Component/s: None
- Labels: None
- Team: Server
- QA Risk Assessment: Needs Assessment
Description
Currently, if a server has a CSR on file for a given certname, and the agent submits a second one, the server will respond with a 400, regardless of whether the two CSRs are the same or different. This means that the agent can't tell whether the CSR the server has matches its current private keys or not, and therefore doesn't know whether it should continue waiting for a cert matching its keys, or clear state and start over, as it should if the server has a CSR that doesn't match the current state (because in this case the cert the server would sign would not be valid for the agent).
We should update the way the server responds to CSR requests to distinguish these two cases:
1) if the CSRs match exactly, return 200 as a no-op server-side, and the agent can just proceed as if no previous CSR had been submitted.
2) if the CSRs do not match, return 409 Conflict, to allow the agent to tell the user that the server has an invalid CSR that needs to be cleaned out before cert bootstrapping can continue.
This change should be backwards compatible, because the agent currently proceeds on a 200 and raises the server's error on anything else. This change would essentially mean we are just returning 200 in more cases than previously.
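A sketch of the proposed response logic, added here as an illustration and not the server's own code. The names `build_csr`, `handle_csr_submission`, `agent_next_step`, the in-memory `store` and the certname `agent01.example.test` are assumptions; "match exactly" is taken to mean byte-identical DER encodings.

```ruby
require 'openssl'

# Build a PEM CSR for certname with the given RSA key (constructed sample input).
def build_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Hypothetical server-side handler. `store` maps certname => DER bytes of the
# CSR on file. Comparing DER rather than PEM text ignores line-wrapping and
# whitespace differences while still requiring the same key and signature.
def handle_csr_submission(store, certname, submitted_pem)
  submitted_der = OpenSSL::X509::Request.new(submitted_pem).to_der
  on_file = store[certname]
  if on_file.nil?
    store[certname] = submitted_der # first submission: keep it on file
    200
  elsif on_file == submitted_der
    200                             # case 1: identical CSR, server-side no-op
  else
    409                             # case 2: CSR on file is for different keys
  end
end

# Hypothetical agent-side reaction to the status code.
def agent_next_step(status)
  case status
  when 200 then :wait_for_cert       # proceed as if no earlier CSR existed
  when 409 then :report_stale_csr    # tell the user to clean out the old CSR
  else :raise_server_error           # existing behaviour for any other code
  end
end

if __FILE__ == $PROGRAM_NAME
  store = {}
  name = 'agent01.example.test' # constructed certname
  old_pem = build_csr(name, OpenSSL::PKey::RSA.new(2048))
  new_pem = build_csr(name, OpenSSL::PKey::RSA.new(2048)) # agent regenerated keys
  [old_pem, old_pem, new_pem].each do |pem|
    status = handle_csr_submission(store, name, pem)
    puts "#{status} -> #{agent_next_step(status)}"
  end
end
```

The 409 path leaves the CSR on file untouched, so a mismatched resubmission cannot replace a request that is already awaiting signing.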