The puppetserver ca generate --ca-client command performs an offline generation of a new certificate. This is useful for repairing the agent certificate of a CA server. To ensure it is the only process manipulating CA state, the command performs an HTTPS status check against the Puppet Server hostname and fails if the result is anything other than a TCP connection refused:
https://github.com/puppetlabs/puppetserver-ca-cli/blob/1.8.0/lib/puppetserver/ca/action/generate.rb#L170-L172
This check is prone to false positives if there is a DNS configuration issue, or a proxy that generates a response other than TCP connection refused.
Reproduction Case
- Install Puppet Server 6.12.0 on CentOS 7:
    yum install -y http://yum.puppetlabs.com/puppet6-release-el-7.noarch.rpm
    yum install -y puppetserver-6.12.0
- Bootstrap the Puppet Server CA:
    /opt/puppetlabs/bin/puppetserver ca setup
- Simulate a DNS outage/misconfiguration by configuring Puppet's server setting to point at an unresolvable hostname:
    /opt/puppetlabs/bin/puppet config set server dns-outage.invalid
- Attempt to generate a new CA client certificate:
    systemctl stop puppetserver
    /opt/puppetlabs/bin/puppetserver ca generate --ca-client --certname new-cert.test
Outcome
Certificate generation fails because the error produced by the Puppet Server health check is not a TCP connection refusal:
    # /opt/puppetlabs/bin/puppetserver ca generate --ca-client --certname new-cert.test
    Fatal error when running action 'generate'
    Error: Failed connecting to https://dns-outage.invalid:8140/status/v1/simple/ca
    Root cause: Failed to open TCP connection to dns-outage.invalid:8140 (getaddrinfo: Name or service not known)
Expected Outcome
Certificate generation succeeds because the puppetserver service is not running.
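The probe below is an added example, not code from puppetserver-ca-cli. It shows why the DNS case trips the check: Net::HTTP re-raises the underlying exception class with a "Failed to open TCP connection" message, so an unresolvable name surfaces as SocketError rather than Errno::ECONNREFUSED. The probe keeps the conservative rule (only a refused connection proves the server is down) but names the failure cause, so an operator sees "unresolvable" instead of an opaque fatal error. STATUS_PATH, classify_failure, ca_server_state and safe_to_modify_ca? are assumed names.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical liveness probe for the CA status endpoint (added example).
STATUS_PATH = '/status/v1/simple/ca'.freeze

# Map the exception raised by Net::HTTP to the stage at which the probe failed.
# Net::HTTP re-raises the original exception class (prefixed with
# "Failed to open TCP connection to host:port"), so the class is still
# meaningful even though the message has been rewritten.
def classify_failure(err)
  case err
  when Errno::ECONNREFUSED
    :not_listening   # nothing bound to the port: the server really is down
  when SocketError
    :unresolvable    # getaddrinfo failed: says nothing about the server
  when Errno::ETIMEDOUT, Net::OpenTimeout,
       Errno::EHOSTUNREACH, Errno::ENETUNREACH
    :unreachable     # firewall, routing or a proxy dropping packets
  when OpenSSL::SSL::SSLError
    :listening       # something accepted the TCP connection but TLS failed
  else
    :unknown
  end
end

# Probe the status endpoint. Returns :running when any HTTP response comes
# back (a proxy counts, since we cannot prove it is not a Puppet Server),
# otherwise the classified failure.
def ca_server_state(host, port = 8140, timeout = 5)
  uri = URI::HTTPS.build(host: host, port: port, path: STATUS_PATH)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.open_timeout = timeout
  http.read_timeout = timeout
  http.start { |h| h.get(uri.path) }
  :running
rescue StandardError => e
  classify_failure(e)
end

# Only a refused connection is evidence that no other process will touch
# the CA state; every other outcome is reported, not silently accepted.
def safe_to_modify_ca?(host, port = 8140)
  ca_server_state(host, port) == :not_listening
end
```

Calling ca_server_state('dns-outage.invalid') reproduces the report's case and returns :unresolvable, which is the cause the CLI currently hides behind a generic fatal error.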