Puppet Server / SERVER-3036

CA CLI `generate` action will throw with stacktrace if CA files are missing



    • Bug
    • Status: Ready for Engineering
    • Normal
    • Resolution: Unresolved


      If puppetserver ca generate --ca-client is called when the CA has not been properly set up, the command will throw an exception:

      => puppetserver ca generate --ca-client --certname test
      Traceback (most recent call last):
      	6: from ./exe/puppetserver-ca:10:in `<main>'
      	5: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/cli.rb:94:in `run'
      	4: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:144:in `run'
      	3: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:191:in `generate_authorized_certs'
      	2: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:191:in `map'
      	1: from /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/action/generate.rb:202:in `block in generate_authorized_certs'
      /Users/aileen/code/server/puppetserver-ca-cli/lib/puppetserver/ca/local_certificate_authority.rb:158:in `sign_authorized_cert': undefined method `subject' for nil:NilClass (NoMethodError)

      This happens because if any CA files are missing when the command is run, the LocalCertificateAuthority will not attempt to load its artifacts, which means when we go to sign the generated cert, we don't have our CA signing cert.

      I think this happened during a refactor, that we started silently failing to load CA artifacts, but the use case where the import command needs to generate its own CRL takes advantage of it (see this commit). In this case, we want to be able to create the local authority without attempting to load the artifacts.

      We should fix this to error better when files are missing, without compromising the CRL generation for import.




            Unassigned Unassigned
            maggie Maggie Dreyer
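
The failure mode described in this report, as an added Ruby sketch that is not code from puppetserver-ca-cli: a local CA object that records which CA files are missing and returns an error from signing instead of calling a method on nil, with an explicit opt-out for a caller such as import that must skip loading. SketchLocalCA, the load_artifacts option, the file names and the serial are assumptions made for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical stand-in, not the project's LocalCertificateAuthority.
class SketchLocalCA
  attr_reader :errors

  # load_artifacts: false is an explicit opt-out for a caller (such as an
  # import that generates its own CRL) that needs the object without CA files.
  def initialize(cert_path, key_path, load_artifacts: true)
    @errors = []
    return unless load_artifacts
    missing = [cert_path, key_path].reject { |path| File.exist?(path) }
    missing.each { |path| @errors << "Missing CA file: #{path}" }
    return unless missing.empty?
    @cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
    @key = OpenSSL::PKey.read(File.read(key_path))
  end

  # Returns a signed certificate, or nil with the reason recorded in #errors.
  def sign_authorized_cert(certname, public_key)
    if @cert.nil? || @key.nil?
      @errors << 'Cannot sign: CA cert and key were not loaded' if @errors.empty?
      return nil
    end
    leaf = OpenSSL::X509::Certificate.new
    leaf.version = 2
    leaf.serial = 2 # constructed serial for the example
    leaf.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
    leaf.issuer = @cert.subject
    leaf.public_key = public_key
    leaf.not_before = Time.now
    leaf.not_after = Time.now + 3600
    leaf.sign(@key, OpenSSL::Digest.new('SHA256'))
  end
end

# Constructed scenario: an empty directory stands in for a CA that was never set up.
def sign_without_ca_files
  Dir.mktmpdir do |dir|
    ca = SketchLocalCA.new(File.join(dir, 'ca_crt.pem'), File.join(dir, 'ca_key.pem'))
    leaf_key = OpenSSL::PKey::RSA.new(2048)
    [ca.sign_authorized_cert('test', leaf_key.public_key), ca.errors]
  end
end
```

A CLI action built on this pattern can print the collected errors and exit non-zero rather than surfacing a stack trace.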