[PUP-2018] `puppet certificate generate` Generates Two CSRs in One Run
|Created:||2014/03/22|
|Updated:||2016/12/16|
|Resolved:||2016/08/20|
|Affects Version/s:||PUP 3.4.3, PUP 3.7.1|
|Fix Version/s:||PUP 4.6.1|
|Reporter:||Riley Shott||Assignee:||John Duarte|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||Client 2016-08-10, Client 2016-08-24|
|Release Notes:||Bug Fix|
|Release Notes Summary:||This fixes a bug in the `puppet certificate generate` command where it attempted to generate a CSR for the FQDN for the host when the same FQDN was provided as the remote.|
One Puppet Master & separate CA server (both configured as below):
When I run the following on my Puppet Master:
`puppet certificate generate --verbose --ca-location remote HOSTNAME`
I receive the following:
The remote Puppet CA does successfully sign the request (autosign is configured), but the command will always exit 1 because of the second CSR creation (which is unnecessary).
I have noticed that if the Puppet Master already has a CSR in its `*/ssl/certificate_requests/` directory, the command runs as expected:
|Comment by Lee Lowder [ 2015/02/02 ]|
This issue exists in PE 3.2.x - PE 3.7.1
|Comment by R.I.Pienaar [ 2016/07/10 ]|
Eric Sorenson, repro steps. I don't think `puppet cert` can talk to remote CAs, so not sure if it does the exact same thing.
Here I expect just one cert to be made, but it makes the new one and then the FQDN one, which the master already has, and so I get the wrong key error.
If I set `--certname rip.mcollective` (to match the requested cert) it attempts to make the same cert twice.
|Comment by R.I.Pienaar [ 2016/07/12 ]|
Side note: this breaks the mcollective install docs; it would be good to get this fixed.
|Comment by Adrien Thebo [ 2016/08/15 ]|
Reading more information related to this ticket leads me to suspect that there might be multiple bugs that trigger this issue, but I've found at least one of them. The bug that I've found is due to how we generate a CSR the first time an HTTP connection is requested. In normal operation Puppet will request a certificate from the CA the first time that certificate is needed; in practice this is any authenticated HTTP request to the master. `puppet certificate generate` breaks some assumptions around this, though, because that command will make requests that would normally require a certificate even when no certificate is available. If the command is used to submit a CSR for another node, then the command will actually submit a CSR and request a cert for the node itself before submitting the request for the original node. In the case where a node is requesting a certificate for itself, though, Puppet will effectively submit a CSR and request a certificate so that it can then resubmit that CSR and request the same cert. This is where we get that duplicate CSR submission.
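A simplified model of the interaction described in the comment above, added here as an illustration and not Puppet's own code: the lazy bootstrap submits the host's own CSR before the requested one, so asking for the host's own name submits it twice. The hostnames and the rule that a second CSR for an already-seen name is rejected (standing in for the "wrong key" error) are constructed assumptions.

```ruby
# Stand-in CA with autosign: records every CSR it receives and rejects a
# second CSR for a name it has already signed (a new CSR carries a new key).
class ModelCA
  attr_reader :log
  def initialize
    @seen = {}
    @log = []   # [[name, :signed | :rejected], ...]
  end

  def submit_csr(name)
    result = @seen[name] ? :rejected : :signed
    @seen[name] = true
    @log << [name, result]
    result
  end
end

class ModelHost
  def initialize(certname, ca)
    @certname, @ca, @have_cert = certname, ca, false
  end

  # Lazy bootstrap: the first authenticated request submits a CSR for the
  # host's own certname if it does not have a certificate yet.
  def authenticated_request
    return if @have_cert
    @ca.submit_csr(@certname)
    @have_cert = true
  end

  # Pre-fix behaviour: always bootstrap, then submit the requested CSR.
  def certificate_generate_buggy(target)
    authenticated_request
    @ca.submit_csr(target)
  end

  # Post-fix behaviour (per the release note): when the requested name is the
  # host's own certname, the one CSR serves as the bootstrap too.
  def certificate_generate_fixed(target)
    authenticated_request unless target == @certname
    result = @ca.submit_csr(target)
    @have_cert = true if target == @certname
    result
  end
end

# Returns the sequence of CSRs the CA saw for one run of the command.
def csr_submissions(target, fixed:)
  ca = ModelCA.new
  host = ModelHost.new('master.example.com', ca)   # constructed hostname
  fixed ? host.certificate_generate_fixed(target) : host.certificate_generate_buggy(target)
  ca.log
end
```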
|Comment by John Duarte [ 2016/08/20 ]|
Validated using a pre-release build of puppet-agent at SHA ad760e5 containing puppet at SHA 4e7bbb0.
The `puppet certificate generate` command no longer attempts to create a CSR for the FQDN of the host if the same FQDN is passed as the remote value.