Bug #2028

Puppetd fails poorly when a client certificate but no key is found

Added by Brice Figureau almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date: 02/26/2009
Priority: High
Due date:
Assignee: Luke Kanies
% Done: 0%
Category: SSL
Target version: 0.25.0
Affected Puppet version: 0.25.0
Branch:
Keywords: ssl cert master
Votes: 0

Description

With the latest master HEAD, and a new client, I constantly get some issues with certs.

Steps to reproduce:

  1. launch the master with a complete new vardir:
     ruby bin/puppetmasterd --debug --trace --no-daemonize --confdir /tmp/master  --vardir /tmp/master --user brice --group brice
  2. launch the client with a complete new vardir
     ruby bin/puppetd --test --trace --confdir /tmp/client --vardir --fqdn client /tmp/client

     It creates the ssl dir, and asks for a signed cert

  3. sign the cert
     puppetca  --confdir /tmp/master  --vardir /tmp/master --sign client
  4. Launch the client again to fetch its config, and you’ll get the stack trace
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:60:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:199:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/ssl/host.rb:214:in `ssl_store'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:56:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:189:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/configurer/fact_handler.rb:22:in `upload_facts'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:79:in `prepare'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:127:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent/locker.rb:21:in `lock'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/opt/local/lib/ruby/1.8/sync.rb:229:in `synchronize'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:130:in `with_client'
/Users/brice/devl/puppet/lib/puppet/agent.rb:51:in `run'
/Users/brice/devl/puppet/lib/puppet/application/puppetd.rb:103:in `onetime'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `send'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `run_command'
/Users/brice/devl/puppet/lib/puppet/application.rb:217:in `run'
bin/puppetd:159
err: Could not retrieve local facts: undefined method `content' for nil:NilClass
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:60:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:199:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:91:in `retrieve_catalog'
/Users/brice/devl/puppet/lib/puppet/util.rb:425:in `thinmark'
/opt/local/lib/ruby/gems/1.8/gems/activesupport-2.2.2/lib/active_support/core_ext/benchmark.rb:8:in `realtime'
/Users/brice/devl/puppet/lib/puppet/util.rb:424:in `thinmark'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:90:in `retrieve_catalog'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:129:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent/locker.rb:21:in `lock'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/opt/local/lib/ruby/1.8/sync.rb:229:in `synchronize'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:130:in `with_client'
/Users/brice/devl/puppet/lib/puppet/agent.rb:51:in `run'
/Users/brice/devl/puppet/lib/puppet/application/puppetd.rb:103:in `onetime'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `send'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `run_command'
/Users/brice/devl/puppet/lib/puppet/application.rb:217:in `run'
bin/puppetd:159
err: Could not retrieve catalog from remote server: undefined method `content' for nil:NilClass
err: Could not retrieve catalog; skipping run

History

Updated by James Turnbull almost 3 years ago

  • Status changed from Unreviewed to Accepted

Updated by Luke Kanies almost 3 years ago

  • Subject changed from Impossible to start puppetd with current master to Puppetd fails poorly when a client certificate but no key is found

The problem here is when a certificate for the client exists on the server but the client does not have a key, which is what you’re doing when you start two processes on the same machine with different configuration directories.

If you modify the second process’s certname you get the right behaviour.

Nonetheless, this is a bug.
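
The state described in the comment above (a certificate exists for the certname, but the client has no matching private key) can be detected before any HTTPS connection is configured. The following Ruby is an added example, not Puppet's code and not the fix from the ticket branch; `client_identity_state`, `identity_problem` and `constructed_identity` are hypothetical names, and the certificate and key are constructed sample data.

```ruby
require "openssl"

# Hypothetical helper, not Puppet code: classify the agent's local SSL material
# before it is handed to an HTTPS client. Arguments are PEM strings, or nil
# when the corresponding file is absent.
def client_identity_state(cert_pem, key_pem)
  return :needs_key_and_csr if cert_pem.nil? && key_pem.nil?
  return :awaiting_signed_cert if cert_pem.nil?
  # The state from this ticket: a certificate for the certname, no local key.
  return :cert_without_key if key_pem.nil?

  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  # True only when the key corresponds to the certificate's public key.
  cert.check_private_key(key) ? :ok : :cert_key_mismatch
rescue OpenSSL::OpenSSLError
  :unreadable_material
end

# Hypothetical: an actionable message in place of a NoMethodError on nil.
def identity_problem(certname, state)
  case state
  when :ok then nil
  when :cert_without_key
    "certificate for '#{certname}' is present but no private key was found; " \
      "use a distinct certname for this client"
  when :cert_key_mismatch
    "private key for '#{certname}' does not match its certificate"
  else
    "SSL material for '#{certname}' is not ready (#{state})"
  end
end

# Constructed sample input: a throwaway self-signed certificate and its key.
def constructed_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end
```
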

Updated by Luke Kanies almost 3 years ago

  • Status changed from Accepted to Ready For Checkin

Fixed in the tickets/master/2028 branch in my repo.

Updated by James Turnbull almost 3 years ago

  • Status changed from Ready For Checkin to Closed

Pushed in commit:09bee9137d7a6415609a8abfdf727ee0361139e0 in branch master.
