Details
- Bug
- Status: Ready for Engineering
- Normal
- Resolution: Unresolved
Description
If puppetserver ca generate --ca-client is called when the CA has not been properly set up, the command will throw an exception:
=> puppetserver ca generate --ca-client --certname test
Traceback (most recent call last):
6: from ./exe/puppetserver-ca:10:in `<main>'
5: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/cli.rb:94:in `run'
4: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:144:in `run'
3: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:191:in `generate_authorized_certs'
2: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:191:in `map'
1: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:202:in `block in generate_authorized_certs'
/Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/local_certificate_authority.rb:158:in `sign_authorized_cert': undefined method `subject' for nil:NilClass (NoMethodError)
This happens because if any CA files are missing when the command is run, the LocalCertificateAuthority will not attempt to load its artifacts, which means when we go to sign the generated cert, we don't have our CA signing cert.
I think this happened during a refactor, that we started silently failing to load CA artifacts, but the use case where the import command needs to generate its own CRL takes advantage of it (see this commit). In this case, we want to be able to create the local authority without attempting to load the artifacts.
We should fix this to error better when files are missing, without compromising the CRL generation for import.
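One way the two requirements above can coexist, as an added sketch that is not code from puppetserver-ca: construction never fails (so import can build an authority before any CA files exist), while signing reports the missing files instead of hitting `subject` on nil. The names `SketchAuthority`, `MissingCAFiles`, `load_artifacts` and the `paths` hash layout are hypothetical.

```ruby
require 'openssl'

# Hypothetical sketch; not puppetserver-ca's LocalCertificateAuthority.
class MissingCAFiles < StandardError; end

class SketchAuthority
  attr_reader :missing

  # paths: { cert: <CA cert PEM path>, key: <CA key PEM path> } (assumed layout).
  # load_artifacts: false models import, which builds the authority
  # before any CA files exist and must not fail here.
  def initialize(paths, load_artifacts: true)
    @paths = paths
    @missing = paths.values.reject { |p| File.exist?(p) }
    return unless load_artifacts && @missing.empty?
    @cert = OpenSSL::X509::Certificate.new(File.read(paths[:cert]))
    @key = OpenSSL::PKey.read(File.read(paths[:key]))
  end

  # Signing needs the CA cert and key: report what is absent instead of
  # letting a nil CA cert surface as NoMethodError on #subject.
  def sign_authorized_cert(csr)
    unless @cert && @key
      detail = @missing.empty? ? 'artifacts were not loaded' : "missing #{@missing.join(', ')}"
      raise MissingCAFiles, "CA is not set up: #{detail}"
    end
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1 # constructed; a real CA tracks serials
    cert.subject = csr.subject
    cert.issuer = @cert.subject
    cert.public_key = csr.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert.sign(@key, OpenSSL::Digest.new('SHA256'))
    cert
  end
end

# Constructed demo: paths that do not exist, as on a CA that was never set up.
def demo_missing_ca_message
  paths = { cert: '/nonexistent/ca_crt.pem', key: '/nonexistent/ca_key.pem' }
  SketchAuthority.new(paths).sign_authorized_cert(nil)
rescue MissingCAFiles => e
  e.message
end
```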