Bug #2723
Puppet chokes on hostname in autosign.conf
| Status: | Rejected | Start: | 10/14/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Affected version: | 0.24.8 | Branch: | |
| Keywords: | autosign ca puppetca certificate hostname | | |
| Votes: | 0 | | |
Description
Puppet appears to choke (well, deny the client) when autosign.conf contains a line that is just a hostname (not FQDN).
puppetmasterd log (--debug --trace):

```
info: Listening on port 8140
notice: Starting Puppet server version 0.24.8
notice: Allowing unauthenticated client ccf-hill019-12.example.com(172.x.x.x) access to puppetca.getcert
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:289:in `parse'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:170:in `pattern='
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:151:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:80:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:80:in `store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:20:in `allow'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:54:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:51:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:51:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:50:in `open'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:50:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:112:in `getcert'
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `to_proc'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `protect_service'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in `setup_processor'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `call'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `each'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:366:in `call_method'
/usr/lib/ruby/1.8/xmlrpc/server.rb:378:in `handle'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in `process'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:68:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:293:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:144:in `newthread'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `newthread'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:291:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:290:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:290:in `start'
/usr/sbin/puppetmasterd:285
err: Invalid pattern css-storemanager
```
puppetd error:

```
err: Could not request certificate: Certificate retrieval failed: Invalid pattern css-storemanager
```
At the bottom of my autosign.conf were the following lines:

```
css-storemanager
css-storemanager.example.com
```
As per the trace, the issue appears to be in puppet/network/authstore.rb in the parse() function which begins on line 242 in 0.24.8. This function has when blocks for a value matching an ip address with an "*" at the end, a full hostname, or "*.domain.com". The else block uses the IPAddr class and if not matched, returns the "Invalid pattern" error. There is nothing here to catch a value that is just a hostname (i.e. a string that both doesn't match an IP address and doesn't match *.example.tld).
Unfortunately I'm still running 0.24.8, can't test 0.25, and can't seem to find any previous tickets for this.
My suggestions (I'm not knowledgeable about Ruby at all, but maybe give me a few weeks...):
- Add a better admonishment in the docs about the need to use FQDNs where the term "hostname" is used.
- Either add a way to catch just hostnames in the parse() function, or make the error message slightly more verbose (perhaps "Invalid pattern %s found in autosign.conf - maybe not an IP or FQDN?"). The key piece that was missing from the error message, which took me a while to find, was where the invalid pattern was found.
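An added Ruby sketch of the pattern classification the report describes, together with a wrapper that reports the file and line as the second suggestion asks; this is not Puppet's own authstore.rb code, and the regexes, `classify_pattern` and `check_autosign` are my own assumptions about the intended shapes.

```ruby
require 'ipaddr'

# Added illustration of the autosign.conf pattern handling the report describes;
# this is not Puppet's own authstore.rb. The branches follow the report: an IP
# prefix ending in "*", a full hostname, "*.domain"; anything else goes to IPAddr,
# which is where a bare hostname such as "css-storemanager" is rejected.
InvalidPattern = Class.new(ArgumentError)

def classify_pattern(pattern)
  case pattern
  when /\A(\d{1,3}\.){1,3}\*\z/              # "172.16.*"
    :ip_wildcard
  when /\A\*(\.[\w-]+)+\z/                   # "*.example.com"
    :domain_wildcard
  when /\A(?=.*[a-z])[\w-]+(\.[\w-]+)+\z/i   # "node.example.com"; needs a letter so IPs fall through
    :fqdn
  else
    begin
      IPAddr.new(pattern)                    # "172.16.1.5", "10.0.0.0/8"
      :ip
    rescue ArgumentError                     # IPAddr::InvalidAddressError < ArgumentError
      raise InvalidPattern, "Invalid pattern #{pattern}"
    end
  end
end

# Hardened wrapper implementing the report's suggestion: say which file and line
# held the bad pattern. Returns [line => kind for valid lines, error messages].
def check_autosign(lines, filename = 'autosign.conf')
  kinds, errors = {}, []
  lines.each_with_index do |raw, idx|
    entry = raw.sub(/#.*/, '').strip         # ignore comments and blank lines
    next if entry.empty?
    begin
      kinds[idx + 1] = classify_pattern(entry)
    rescue InvalidPattern => e
      errors << "#{e.message} found in #{filename}:#{idx + 1} - maybe not an IP or FQDN?"
    end
  end
  [kinds, errors]
end

# Constructed sample whose last two lines mirror the report's autosign.conf.
SAMPLE_AUTOSIGN = ['*.example.com', '172.16.*', 'css-storemanager', 'css-storemanager.example.com']

if __FILE__ == $0
  puts check_autosign(SAMPLE_AUTOSIGN).inspect
end
```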
History
Updated by Jason Antman 10 months ago
Sorry about the HTML markup…
Updated by Markus Roberts 10 months ago
- Status changed from Unreviewed to Rejected
This has already been addressed in 25.0 and appears to work; if anyone has an example of this failing in 25.0 or later, please report it.