Bug #2031

waitforcert option documentation is inconsistent with the code.

Added by Paul Lathrop almost 3 years ago. Updated almost 2 years ago.

Status:Closed Start date:02/26/2009
Priority:Normal Due date:
Assignee:James Turnbull % Done:100%

Category:documentation
Target version:-
Affected Puppet version:0.25.0 Branch:
Keywords:waitforcert
Votes: 0

Description

I was alerted to this issue by the discussion at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509566

The documentation in puppetd --help says:

waitforcert:  This option only matters for daemons that do not yet have
              certificates and it is enabled by default, with a value of
              120 (seconds). This causes +puppetd+ to connect to the
              server every 2 minutes and ask it to sign a certificate
              request. This is useful for the initial setup of a puppet
              client. You can turn off waiting for certificates by
              specifying a time of 0.

However, this is inconsistent with the code in source:lib/puppet/executables/client/certhandler.rb which says:

                def retrieve_cert
                    caclient = Puppet::Network::Client.ca.new()

                    while true do
                       begin
                           if caclient.request_cert 
                               break if read_new_cert
                           else
                               Puppet.notice "Did not receive certificate"
                               if @one_time 
                                   Puppet.notice "Set to run 'one time'; exiting with no certificate"
                                   exit(1)
                               end
                           end
                       rescue StandardError => detail
                          Puppet.err "Could not request certificate: %s" % detail.to_s
                          exit(23) if @one_time
                       end

                       sleep @wait_for_cert 
                    end
                end
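
An added Ruby model of the mismatch described above (not Puppet's code and not the change from the linked commits): the quoted loop shape beside a loop that treats a wait of 0 as "do not wait", as the help text promises. FakeCA, the injected sleeper, max_tries and demo are hypothetical names used so it runs offline, and the @one_time branch is left out.

```ruby
# Constructed stand-in for the CA client: request_cert returns true once
# the request count reaches signed_after, false before that.
class FakeCA
  attr_reader :requests

  def initialize(signed_after)
    @signed_after = signed_after
    @requests = 0
  end

  def request_cert
    @requests += 1
    @requests >= @signed_after
  end
end

# Loop shape quoted on the page: wait_for_cert is only passed to sleep, so
# 0 means "retry with no delay". max_tries is added to keep the demo finite.
def retrieve_cert_as_quoted(ca, wait_for_cert, sleeper, max_tries)
  max_tries.times do
    return :got_cert if ca.request_cert
    sleeper.call(wait_for_cert)
  end
  :still_looping
end

# Behaviour the help text describes: a wait of 0 turns waiting off, so the
# client gives up after one unanswered request instead of polling the CA.
def retrieve_cert_as_documented(ca, wait_for_cert, sleeper, max_tries)
  max_tries.times do
    return :got_cert if ca.request_cert
    return :no_cert_waiting_disabled if wait_for_cert.zero?
    sleeper.call(wait_for_cert)
  end
  :still_looping
end

# Runs both loops against a CA that never signs within max_tries.
def demo(wait_for_cert)
  slept = []
  sleeper = ->(seconds) { slept << seconds } # records delays instead of sleeping
  quoted_ca, documented_ca = FakeCA.new(1_000), FakeCA.new(1_000)
  { quoted: retrieve_cert_as_quoted(quoted_ca, wait_for_cert, sleeper, 5),
    quoted_requests: quoted_ca.requests,
    documented: retrieve_cert_as_documented(documented_ca, wait_for_cert, sleeper, 5),
    documented_requests: documented_ca.requests,
    slept: slept }
end
```

With a wait of 0 the quoted shape sends every request back to back, which is the case the help text says should not wait at all.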

Related issues

related to Puppet - Bug #2700: waitforcert is ignored with --test Closed 10/06/2009

History

Updated by Bart Cortooms almost 3 years ago

For reference: #1689 is the same issue

Updated by Paul Lathrop almost 3 years ago

  • Status changed from Accepted to Ready For Checkin
  • Assignee changed from Paul Lathrop to James Turnbull
  • % Done changed from 0 to 100

Fixed as of http://github.com/plathrop/puppet/commit/3e7fcb1e3f7c942d26ed356f0f7c2f20f2f29cd1

Patch submitted to list for review.

Updated by Paul Lathrop almost 3 years ago

  • Status changed from Ready For Checkin to Tests Insufficient
  • Assignee changed from James Turnbull to Paul Lathrop
  • % Done changed from 100 to 90

Updated by Paul Lathrop almost 3 years ago

  • Status changed from Tests Insufficient to Ready For Checkin
  • Assignee changed from Paul Lathrop to James Turnbull
  • % Done changed from 90 to 100

Fixed without the dumb typo at: http://github.com/plathrop/puppet/commit/07a3164a42707179ad63431e3c7a62555fd6f9a3

Patch re-submitted for comment.

Updated by Paul Lathrop almost 3 years ago

  • Status changed from Ready For Checkin to Tests Insufficient
  • Assignee changed from James Turnbull to Paul Lathrop

Wow I suck. Back to me to get rid of the unnecessary whitespace changes.

Updated by Paul Lathrop almost 3 years ago

  • Status changed from Tests Insufficient to Ready For Checkin
  • Assignee changed from Paul Lathrop to James Turnbull

Now it is really truly ready. The patch on the list still has the whitespace changes in it; if you prefer to leave those out, use commit fcdd9e68cd06cd007e3fbc618a87b4d746035d13 from git://github.com/plathrop/puppet.git

Updated by James Turnbull almost 3 years ago

  • Status changed from Ready For Checkin to Closed

Pushed in commit:c052ff881e4a0cf6edfe4c1974597cd3abb378cf in branch 0.24.x

Updated by Mikhail T. over 2 years ago

  • Status changed from Closed to Re-opened
  • Target version deleted (0.24.8)
  • Affected Puppet version changed from 0.24.7 to 0.25.0
  • Keywords set to waitforcert

I’m afraid the handling of waitforcert is still messed up… Trying to get puppetd to come up and wait for certificate signing fails whatever is in the waitforcert argument:

    mi@client:/ (165) time ~mteterin/sbin/puppetd --server server --waitforcert 121 --test
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled
    2.802u 0.781s 0:05.10 70.1% 0+0k 0+0io 0pf+0w

identical output to:

    mi@client:/ (166) time ~mteterin/sbin/puppetd --server server --waitforcert 0 --test
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled
    2.831u 0.779s 0:05.10 70.5% 0+0k 0+0io 0pf+0w

And if I am doing something wrong, puppetd is not helping me figure it out…

Updated by Mikhail T. over 2 years ago

Ok, the explicitly-specified waitforcert value is being clobbered by the setup_test procedure in application/puppetd.rb

Why does --test have to imply --waitforcert 0? This is not what the Installation Guide (http://reductivelabs.com/trac/puppet/wiki/InstallationGuide#VerifyingInstallation) teaches… Perhaps setup_test should be patched as follows:

@@@ -126,5 +127,5 @@
         options[:verbose] = true
         options[:onetime] = true
-        options[:waitforcert] = 0
+        options[:waitforcert] = 0 unless @explicit_waitforcert
     end
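
Review bot: @explicit_waitforcert on the added line is not assigned anywhere in this hunk, so unless it is set elsewhere it is nil and --test still forces waitforcert to 0. The change needs a companion edit that sets the flag where the --waitforcert option is handled, and option parsing has to finish before setup_test runs or the guard reads a value that has not been set yet. A short comment beside "options[:waitforcert] = 0 unless @explicit_waitforcert" stating that --test only supplies a default would document the intended precedence.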


Updated by Luke Kanies over 2 years ago

You’re right, but that’s a separate (albeit small) bug. I’ll open a new one.

Updated by Luke Kanies over 2 years ago

  • Status changed from Re-opened to Closed
