Bug #2028
Puppetd fails poorly when a client certificate but no key is found
| Field | Value |
|---|---|
| Status | Closed |
| Priority | High |
| Assignee | |
| Category | SSL |
| Target version | 0.25.0 |
| Affected version | 0.25.0 |
| Branch | |
| Keywords | ssl cert master |
| Start | 02/26/2009 |
| Due date | |
| % Done | 0% |
| Votes | 0 |
Description
With the latest master HEAD, and a new client, I constantly get some issues with certs.
Steps to reproduce:
- Launch the master with a completely new vardir:

  ```
  ruby bin/puppetmasterd --debug --trace --no-daemonize --confdir /tmp/master --vardir /tmp/master --user brice --group brice
  ```

- Launch the client with a completely new vardir:

  ```
  ruby bin/puppetd --test --trace --confdir /tmp/client --vardir /tmp/client --fqdn client
  ```

  It creates the ssl dir and asks for a signed cert.
- Sign the cert:

  ```
  puppetca --confdir /tmp/master --vardir /tmp/master --sign client
  ```

- Launch the client again to fetch its config, and you'll get the stack trace:
```
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:60:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:199:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/ssl/host.rb:214:in `ssl_store'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:56:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:189:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/configurer/fact_handler.rb:22:in `upload_facts'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:79:in `prepare'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:127:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent/locker.rb:21:in `lock'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/opt/local/lib/ruby/1.8/sync.rb:229:in `synchronize'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:130:in `with_client'
/Users/brice/devl/puppet/lib/puppet/agent.rb:51:in `run'
/Users/brice/devl/puppet/lib/puppet/application/puppetd.rb:103:in `onetime'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `send'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `run_command'
/Users/brice/devl/puppet/lib/puppet/application.rb:217:in `run'
bin/puppetd:159
err: Could not retrieve local facts: undefined method `content' for nil:NilClass
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:60:in `cert_setup'
/Users/brice/devl/puppet/lib/puppet/network/http_pool.rb:104:in `http_instance'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:61:in `network'
/Users/brice/devl/puppet/lib/puppet/indirector/rest.rb:65:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:199:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:91:in `retrieve_catalog'
/Users/brice/devl/puppet/lib/puppet/util.rb:425:in `thinmark'
/opt/local/lib/ruby/gems/1.8/gems/activesupport-2.2.2/lib/active_support/core_ext/benchmark.rb:8:in `realtime'
/Users/brice/devl/puppet/lib/puppet/util.rb:424:in `thinmark'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:90:in `retrieve_catalog'
/Users/brice/devl/puppet/lib/puppet/configurer.rb:129:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent/locker.rb:21:in `lock'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/opt/local/lib/ruby/1.8/sync.rb:229:in `synchronize'
/Users/brice/devl/puppet/lib/puppet/agent.rb:53:in `run'
/Users/brice/devl/puppet/lib/puppet/agent.rb:130:in `with_client'
/Users/brice/devl/puppet/lib/puppet/agent.rb:51:in `run'
/Users/brice/devl/puppet/lib/puppet/application/puppetd.rb:103:in `onetime'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `send'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `run_command'
/Users/brice/devl/puppet/lib/puppet/application.rb:217:in `run'
bin/puppetd:159
err: Could not retrieve catalog from remote server: undefined method `content' for nil:NilClass
err: Could not retrieve catalog; skipping run
```
Associated revisions
Revision 09bee9137d7a6415609a8abfdf727ee0361139e0
Fixing #2028 – Better failures when a cert is found with no key
The problem was that the server had a certificate for the client. Initially the client just didn’t have a key, because it assumed that if it had a certificate then it had a key. Upon fixing it to create the key, the key then did not match the found certificate.
This commit fixes both of those: The key is always found before the certificate, and when the certificate is found it’s verified against the private key and an exception is thrown if they don’t match.
It’s always a failure, so this just makes the failure more informative.
Signed-off-by: Luke Kanies luke@madstop.com
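The lookup order and the key/certificate consistency check that the commit message describes, as an added example written for this page; it is not Puppet's code, and the in-memory hashes standing in for the client's ssldir (`local`) and for the certificates the master has already signed (`master_signed`) are hypothetical. The match test uses Ruby's `OpenSSL::X509::Certificate#check_private_key`. The `reproduce` function replays the ticket: two clients with separate, empty ssldirs but the same certname, where the second one finds a certificate the master issued for the first one's key.

```ruby
require 'openssl'

# Raised when a certificate is found whose public key does not belong to the
# private key we hold: the informative failure the fix introduces.
class CertKeyMismatch < StandardError; end

# Generate a client private key (2048-bit RSA keeps the example fast).
def generate_key
  OpenSSL::PKey::RSA.new(2048)
end

# Stand-in for the CA signing the client's request: a self-signed certificate
# for +key+ with CN=+certname+. Only the public-key binding matters here.
def sign_certificate(key, certname)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', certname]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Model of the fixed lookup order (hypothetical stores, not Puppet's own):
#   local:         { key:, cert: }  stands in for the client's ssldir
#   master_signed: certname => cert  certificates the master already signed
#
# 1. The key is looked up first and created if absent. The old code assumed
#    that finding a certificate implied having a key and dereferenced nil.
# 2. Then the certificate is looked up, locally or from the master.
# 3. A certificate that does not match the key is rejected with a message
#    that says so, instead of "undefined method `content' for nil:NilClass".
def ssl_setup(local, master_signed, certname)
  local[:key] ||= generate_key
  cert = local[:cert] || master_signed[certname]
  if cert && !cert.check_private_key(local[:key])
    raise CertKeyMismatch,
          "certificate found for #{certname} does not match the private key " \
          'in the local ssldir (issued for another key with the same certname?)'
  end
  local[:cert] = cert
  cert
end

# Replay the ticket: two clients with separate ssldirs and the same certname.
# Returns the error message the second client now gets, or :no_error.
def reproduce(certname = 'client')
  master_signed = {}

  first = { key: nil, cert: nil }            # /tmp/client, first run
  ssl_setup(first, master_signed, certname)  # no cert yet: only creates a key
  master_signed[certname] = sign_certificate(first[:key], certname) # puppetca --sign
  ssl_setup(first, master_signed, certname)  # second run: cert matches the key

  second = { key: nil, cert: nil }           # another empty ssldir, same certname
  begin
    ssl_setup(second, master_signed, certname)
    :no_error
  rescue CertKeyMismatch => e
    e.message
  end
end

puts reproduce if __FILE__ == $PROGRAM_NAME
```

Giving the second client a different certname, as the comment below suggests, makes `master_signed[certname]` come back empty: `ssl_setup` then returns nil with a fresh key and the client proceeds to request a certificate instead of failing.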
History
Updated by James Turnbull over 1 year ago
- Status changed from Unreviewed to Accepted
Updated by Luke Kanies over 1 year ago
- Subject changed from "Impossible to start puppetd with current master" to "Puppetd fails poorly when a client certificate but no key is found"
The problem here is when a certificate for the client exists on the server but the client does not have a key, which is what you’re doing when you start two processes on the same machine with different configuration directories.
If you modify the second process’s certname you get the right behaviour.
Nonetheless, this is a bug.
Updated by Luke Kanies over 1 year ago
- Status changed from Accepted to Ready for Checkin
Fixed in the tickets/master/2028 branch in my repo.
Updated by James Turnbull over 1 year ago
- Status changed from Ready for Checkin to Closed
Pushed in commit 09bee9137d7a6415609a8abfdf727ee0361139e0 in branch master.