[PUP-9478] puppet generate certificate gives linux permissions to ssldir Created: 2019/02/06  Updated: 2019/02/20  Resolved: 2019/02/20

Status: Closed
Project: Puppet
Component/s: Windows
Affects Version/s: PUP 5.5.3
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Nick GW Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template: PUP Bug Template
Team: Night's Watch
Sprint: PR - Triage
Method Found: Needs Assessment
QA Risk Assessment: Needs Assessment


Running `puppet certificate generate --ca-location remote $hostname`, where $hostname is the FQDN of the node, gives the ssldir, as well as other files on Windows, Linux-style permissions, breaking puppet.


The puppet certificate command does request and deliver the correct certificate, but the puppet agent cannot open and read them:


```
PS C:\Windows\system32> puppet agent -v
Error: Could not request certificate: Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/etc/ssl/private_keys/HOSTNAME.pem
```


In addition, the cache folder in vardir has broken permissions:


```
Error: Transaction store file C:/ProgramData/PuppetLabs/puppet/cache/state/transactionstore.yaml is corrupt (Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/cache/state/transactionstore.yaml); replacing
Wrapped exception:
Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/cache/state/transactionstore.yaml
```

```
Error: Could not send report: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml, C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml20190206-3632-7u91t6): Access is denied.
```


Comment by Josh Cooper [ 2019/02/08 ]

FYI, we modified puppet-agent to set manage_internal_file_permissions=false in the MSI. This prevents puppet from trying to manage file permissions, eg translating posix mode to Windows ACL. This is okay, because we've restricted access to the C:\ProgramData\PuppetLabs directory, so non-admins can't read the agent's private key for example. We can probably close this as won't fix, as the issue was resolved in 5.5.x and up.
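
Added example, not part of this ticket or of the Puppet project's own code: a PowerShell audit covering both the symptom in the description (SYSTEM locked out of private_keys and cache\state) and the mechanism in the comment above (POSIX modes translated onto Windows ACLs unless manage_internal_file_permissions=false, with protection coming from the restricted ACL on C:\ProgramData\PuppetLabs). It asks the agent for its own ssldir and vardir, warns if the setting is still true, then walks both trees and reports any identity outside SYSTEM/Administrators holding access, or either of those lacking full control. With -Fix it runs icacls /reset so the trees inherit the parent's restricted ACL. The allowed-identity list and the reset-to-inherit remedy are assumptions of this example, not something the ticket prescribes; run it from an elevated prompt with puppet.bat on PATH.

```powershell
# Added example (not Puppet project code): audit the ACLs that a POSIX-mode
# translation can leave on a Windows agent's ssldir and cache, and optionally
# reset them to inherit from the restricted C:\ProgramData\PuppetLabs ACL.
# Assumptions: elevated PowerShell, puppet.bat on PATH, and a parent directory
# that already carries the restricted ACL the puppet-agent MSI sets up.
[CmdletBinding()]
param(
    [switch]$Fix   # reset each tree to the parent's inherited ACL instead of only reporting
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Identities expected to hold access to agent state on a Windows node (assumption).
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Ask the agent for its own paths and the permission-management setting;
# 'puppet config print' with several keys prints one 'name = value' per line.
$cfg = @{}
puppet config print ssldir vardir manage_internal_file_permissions --section agent |
    ForEach-Object {
        if ($_ -match '^(\S+)\s*=\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
    }

if ($cfg['manage_internal_file_permissions'] -ne 'false') {
    Write-Warning "manage_internal_file_permissions=$($cfg['manage_internal_file_permissions']); puppet will keep translating POSIX modes onto Windows ACLs"
}

$targets = @(
    (Join-Path $cfg['ssldir'] 'private_keys'),
    (Join-Path $cfg['vardir'] 'state')
)

$problems = 0
foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "$dir does not exist"; continue }

    if ($Fix) {
        # /reset replaces each ACL with the one inherited from the parent; /T recurses,
        # /C continues past errors, /Q suppresses the per-file success lines.
        icacls $dir /reset /T /C /Q | Out-Null
    }

    $items = @(Get-Item -LiteralPath $dir) + @(Get-ChildItem -LiteralPath $dir -Recurse -Force)
    foreach ($item in $items) {
        $acl    = Get-Acl -LiteralPath $item.FullName
        $allows = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

        # A private key readable by anything outside the allowed set is a confidentiality bug.
        foreach ($ace in $allows) {
            if ($allowed -notcontains $ace.IdentityReference.Value) {
                Write-Output "UNEXPECTED  $($item.FullName): $($ace.IdentityReference) -> $($ace.FileSystemRights)"
                $problems++
            }
        }

        # The agent service runs as SYSTEM; if SYSTEM lacks full control you get the
        # 'Permission denied @ rb_sysopen' failure quoted in the report.
        foreach ($id in $allowed) {
            $ok = $allows | Where-Object {
                $_.IdentityReference.Value -eq $id -and
                (($_.FileSystemRights -band $fullControl) -eq $fullControl)
            }
            if (-not $ok) {
                Write-Output "MISSING     $($item.FullName): $id has no FullControl"
                $problems++
            }
        }
    }
}

Write-Output "$problems ACL problem(s) found under: $($targets -join ', ')"
exit [int]($problems -gt 0)
```

Run it once without -Fix to see which files the certificate command left unreadable to SYSTEM (and whether any are readable to Users or Everyone), then with -Fix and again without to confirm the trees now match the parent. Entries such as CREATOR OWNER inherited from the parent will show up as UNEXPECTED; extend $allowed if your ProgramData ACL legitimately carries them.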

Comment by Josh Cooper [ 2019/02/08 ]

The issue was fixed in PA-2019, but due to PA-2019, you'll want to ensure you're using puppet-agent 1.10.14, 5.3.8 or 5.5.3 or greater.

Generated at Sun Jul 12 23:18:31 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.