Bug #4680

agent will never resend a certificate request, preventing it from connecting to the master, even if the master is in autosign mode

Added by Nico Schottelius over 1 year ago. Updated over 1 year ago.

Status: Accepted
Start date: 09/01/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: SSL
Target version: 2.7.x
Affected Puppet version: 0.25.5
Branch:
Keywords:
Votes: 0

Description

Problem:

Client should transfer certificate request, master should autosign it.

Current behaviour:

Master outputs:

info: Could not find certificate for 'ikr31.ethz.ch'

Client outputs:

warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

But there’s no csr on the master. Tried with and without the new auth.conf.

Details:

Client:

root@ikr31:~# puppet --version
0.25.4
root@ikr31:~# puppetd --server puppet.inf.ethz.ch --test  --ca_port 19400 --debug --color no --waitforcert 2
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/ikr31.ethz.ch.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/run/puppet/puppetd.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/ikr31.ethz.ch.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction 69844402770620 with 0 changes
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate_request for ikr31.ethz.ch, good until 
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
^CCancelling startup

Master:

[10:38] sans:~# /usr/bin/puppet master --servertype=webrick --masterport=19400 --debug --no-daemonize --color false --trace
warning: You have configuration parameter $ssl_client_header specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $templatedir specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $modulepath specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
debug: /File[/var/lib/puppetmaster/ssl/public_keys/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/public_keys]
debug: /File[/var/lib/puppetmaster/ssl/certs]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/reports]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/lib]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/ssl/certificate_requests]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/server_data]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/certs/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/certs]
debug: /File[/var/lib/puppetmaster/ssl]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppetmaster/ssl/public_keys]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/yaml]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private_keys/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/private_keys]
debug: /File[/var/lib/puppetmaster/bucket]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/rrd]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/state]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/facts]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/private_keys]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
debug: /File[/var/lib/puppetmaster/ssl/crl.pem]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/certs]
debug: Finishing transaction 70355901938100
debug: /File[/var/lib/puppetmaster/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppetmaster/ssl/ca/private]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/signed]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/serial]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/requests]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: Finishing transaction 70355900300400
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for sans.ethz.ch
notice: Starting Puppet master version 2.6.0
err: Removing mount files: /etc/puppet/files does not exist
info: mount[files]: allowing 129.132.12.0/24 access
[... many more permissions allowed...]
debug: No modules mount given; autocreating with default permissions
debug: Finishing transaction 70355918274780
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/status'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/resource'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Could not find certificate for 'ikr31.ethz.ch'

Related issues

related to Puppet - Feature #3645: no easy way to push cert signing request from client to s... Closed 04/21/2010

History

Updated by James Turnbull over 1 year ago

  • Status changed from Unreviewed to Needs More Information

What OS is this? How did you install 2.6.0? Can you try 2.6.1?

Updated by James Turnbull over 1 year ago

  • Affected Puppet version set to 2.6.0

Updated by Jesse Wolfe over 1 year ago

  • Subject changed from No certificates submitted after upgrade to 2.6.0 (from 0.25.4) to agent will never resend a certificate request, preventing it from connecting to the master, even if the master is in autosign mode
  • Status changed from Needs More Information to Accepted
  • Target version set to 2.7.x
  • Affected Puppet version changed from 2.6.0 to 0.25.5

I've verified this bug in 0.25.5 and 2.6.1: If a client has ever sent a certificate request to a master, it will cache that request in $confdir/ssl/certificate_requests/$hostname, and will not send that request to a new master. Even if the master is in autosign mode, the agent will not successfully connect, as the master cannot sign the agent without a certificate request.

The workaround is to delete /etc/puppet/ssl/certificate_requests/*.pem from machines that are failing to connect in this way.
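A small script to detect and clear the stuck state described in the comment above, added here as an example; it is not part of the bug report or of Puppet itself. It assumes the agent ssldir layout visible in the client log (certificate_requests/, certs/ and private_keys/ under the ssldir, /var/lib/puppet/ssl on that host) and uses the hostname ikr31.ethz.ch from the report; make_fixture builds a constructed copy of that state so the script can be dry-run without touching a real agent. It removes only the cached request, so the agent's private key and cached CA certificate stay in place and the regenerated CSR is for the same key, and it refuses to act on a host that already holds a signed certificate.

```shell
#!/bin/sh
# Added example, not from the bug report or from Puppet.
# Clears a cached-but-never-resent CSR from a Puppet agent ssldir so the
# agent generates and submits a fresh request on its next run.
# Assumed layout (as in the client log): $ssldir/certificate_requests/,
# $ssldir/certs/, $ssldir/private_keys/ with files named $hostname.pem.

# stale_csr SSLDIR HOSTNAME
# Prints "signed" if a signed cert already exists for the host,
# "stale"  if a cached CSR exists but no signed cert (the reported state),
# "none"   if nothing is cached.
stale_csr() {
    ssldir=$1; host=$2
    if [ -f "$ssldir/certs/$host.pem" ]; then
        echo signed; return 0
    fi
    if [ -f "$ssldir/certificate_requests/$host.pem" ]; then
        echo stale; return 0
    fi
    echo none
}

# clear_stale_csr SSLDIR HOSTNAME
# Deletes only the cached request. The private key and CA cert are left
# untouched, so the regenerated CSR is for the same key. Returns 0 when a
# stale request was removed, 1 otherwise (nothing cached, or already signed).
clear_stale_csr() {
    ssldir=$1; host=$2
    case $(stale_csr "$ssldir" "$host") in
        stale)
            rm -f "$ssldir/certificate_requests/$host.pem"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# make_fixture DIR HOSTNAME
# Constructed sample ssldir reproducing the stuck state from the report:
# a private key and a cached CSR, but no signed certificate. The PEM
# bodies are placeholders, for a dry run only.
make_fixture() {
    dir=$1; host=$2
    mkdir -p "$dir/certificate_requests" "$dir/private_keys" "$dir/certs"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n' \
        > "$dir/private_keys/$host.pem"
    printf -- '-----BEGIN CERTIFICATE REQUEST-----\nconstructed\n-----END CERTIFICATE REQUEST-----\n' \
        > "$dir/certificate_requests/$host.pem"
}

# Real-world use on an agent stuck as in the report (ssldir as assumed above):
#   clear_stale_csr /var/lib/puppet/ssl ikr31.ethz.ch && \
#       puppetd --server puppet.inf.ethz.ch --test --waitforcert 2
```

After the request is removed, rerun the agent with --waitforcert as in the original session; the agent writes a new CSR and the master, if it autosigns, can now sign it. Run stale_csr first on any host you are unsure about: a "signed" result means the cached CSR is not the problem and deleting it gains nothing.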
