#1190: Puppetd exits if it receives a bad certificate
--------------------+-------------------------------------------------------
Reporter: init | Owner: jamtur01
Type: defect | Status: assigned
Priority: normal | Milestone:
Component: client | Version: 0.24.4
Severity: normal | Resolution:
Keywords: | Stage: Needs more info
Patch: None | Complexity: Unknown
--------------------+-------------------------------------------------------
Comment (by init):
A bad certificate is an old signed client certificate for a host. It is
generated in the following way:

1. Install the host system including a puppet client
2. When the puppet client starts, it generates a key pair and sends a
   certificate signing request (CSR) to the puppet master
3. On the puppet master, sign the CSR with 'puppetca -s [host-fqdn]'
4. The client receives the signed certificate and puppet begins its
   processing
5. Reinstall the client system including the puppet client
6. The puppet client generates a key pair and sends a CSR to the puppet
   master
7. The puppet master rejects the CSR since it already has a signed
   certificate for this host
8. Upon receiving the rejection, the puppet client exits

This is in my opinion undesirable behavior. The puppet client should wait
a few minutes and try again, not just quit.

There is also another related problem which I found after filing the above
report. If you skip step 3, the new CSR sent by the client after the
reinstall is ignored by the puppet master, and only the first (and now
stale) CSR is kept. When you sign the CSR listed for your client hostname
after step 6 above, the stale CSR is signed and the client exits due to
its new CSR being suddenly rejected. Trying to preempt this problem by
clearing the old CSR on the master fails since it only clears signed
certificates, not CSRs.

I will put trace output in a later report, when I next bump into the
problem.
--
Ticket URL: <http://reductivelabs.com/trac/puppet/ticket/1190#comment:2>
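
Added example (not part of the original ticket and not Puppet's own code): a Ruby check, using only the standard OpenSSL library, that compares the public key in the certificate or CSR the master holds for a host with the key the client holds after a reinstall, which is the mismatch behind both cases in the comment above. The host name, CA name, key size and the helper names build_csr, sign_csr and classify are assumptions made for this example.

```ruby
require 'openssl'

# Build a CSR for fqdn, signed with the client's own key (proof of possession).
def build_csr(fqdn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Minimal CA signing step, standing in for what the master does in step 3.
def sign_csr(csr, ca_key, ca_name)
  raise ArgumentError, 'CSR signature invalid' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = csr.subject
  cert.issuer = ca_name
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Compare what the master holds for a host with the key the client has now.
def classify(client_key, stored_cert: nil, pending_csr: nil)
  want = client_key.public_key.to_der
  if stored_cert
    stored_cert.public_key.to_der == want ? :cert_matches : :stale_cert
  elsif pending_csr
    pending_csr.public_key.to_der == want ? :csr_matches : :stale_csr
  else
    :nothing_on_master
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: host name, CA name and key size are assumptions.
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_name = OpenSSL::X509::Name.parse('/CN=example-ca')
  old_key = OpenSSL::PKey::RSA.new(2048) # client key before the reinstall
  new_key = OpenSSL::PKey::RSA.new(2048) # client key after the reinstall
  old_csr = build_csr('client.example.test', old_key)
  cert = sign_csr(old_csr, ca_key, ca_name)
  puts classify(new_key, stored_cert: cert)    # signed cert from before reinstall
  puts classify(new_key, pending_csr: old_csr) # unsigned CSR from before reinstall
end
```

Running the same comparison on the master before signing a listed CSR shows whether it belongs to the key the client currently holds.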