Issue #2723 has been updated by Markus Roberts.

Status changed from Unreviewed to Rejected

This has already been addressed in 25.0 and appears to work; if anyone has an 
example of this failing in 25.0 or later, please report it.

----------------------------------------
Bug #2723: Puppet chokes on hostname in autosign.conf
http://projects.reductivelabs.com/issues/2723

Author: Jason Antman
Status: Rejected
Priority: Normal
Assigned to: 
Category: 
Target version: 
Affected version: 0.24.8
Keywords: autosign ca puppetca certificate hostname
Branch: 


<p>Puppet appears to choke (well, deny the client) when autosign.conf contains 
a line that is just a hostname (not FQDN). </p>

<p>puppetmasterd log (--debug --trace)</p>
<pre>
info: Listening on port 8140
notice: Starting Puppet server version 0.24.8
notice: Allowing unauthenticated client ccf-hill019-12.example.com(172.x.x.x) access to puppetca.getcert
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:289:in `parse'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:170:in `pattern='
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:151:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:80:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:80:in `store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/authstore.rb:20:in `allow'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:54:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:51:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:51:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:50:in `open'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:50:in `autosign?'
/usr/lib/ruby/site_ruby/1.8/puppet/network/handler/ca.rb:112:in `getcert'
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `to_proc'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `protect_service'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in `setup_processor'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `call'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `each'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:366:in `call_method'
/usr/lib/ruby/1.8/xmlrpc/server.rb:378:in `handle'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in `process'
/usr/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:68:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:293:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:144:in `newthread'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:143:in `newthread'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:291:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:290:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet.rb:290:in `start'
/usr/sbin/puppetmasterd:285
err: Invalid pattern css-storemanager
</pre>

<p>puppetd error:</p>
<pre>
err: Could not request certificate: Certificate retrieval failed: Invalid pattern css-storemanager
</pre>

<p>At the bottom of my autosign.conf were the following lines:</p>
<pre>
css-storemanager
css-storemanager.example.com
</pre>

<p>As per the trace, the issue appears to be in puppet/network/authstore.rb in 
the parse() function which begins on line 242 in 0.24.8. This function has when 
blocks for a value matching an ip address with an "*" at the end, a full 
hostname, or "*.domain.com". The else block uses the IPAddr class and if not 
matched, returns the "Invalid pattern" error. There is nothing here to catch a 
value that is just a hostname (i.e. a string that both doesn't match an IP 
address and doesn't match *.example.tld).</p>

<p>Unfortunately I'm still running 0.24.8, can't test 0.25, and can't seem to 
find any previous tickets for this.</p>

<p>My suggestions (I'm not knowledgeable with Ruby at all, but maybe give me a 
few weeks...):</p>
<ul>
<li>Add a better admonishment in the docs about the need to use FQDNs where the 
term "hostname" is used.</li>
<li>Either add a way to catch just hostnames in the parse() function, or make 
the error message slightly more verbose (perhaps "Invalid pattern %s found in 
autosign.conf - maybe not an IP or FQDN?"). The key piece that was missing from 
the error message, which took me a while to find, was <em>where</em> the 
invalid pattern was found.</li>
</ul>
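
The check the report asks for, as an added example that is not part of the original ticket and not Puppet's code: a pre-deployment lint that classifies each autosign.conf entry into the pattern classes described above and reports the file and line of anything that would be rejected, including a bare hostname. The regexes, the function names `classify_entry` and `lint_autosign`, the sample file contents, and the skipping of `#` comment lines are assumptions of this example.

```ruby
require 'ipaddr'

# Pattern classes follow the report's description of parse(); these regexes
# are this example's own approximation, not Puppet's source.
LABEL           = /[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/i
IP_GLOB         = /\A(?:\d{1,3}\.){1,3}\*\z/                        # 172.16.0.*
WILDCARD_DOMAIN = /\A\*\.(?:#{LABEL}\.)*[a-z][a-z0-9-]*\z/i         # *.example.com
FQDN            = /\A(?:#{LABEL}\.)+[a-z][a-z0-9-]*\z/i             # host.example.com
BARE            = /\A#{LABEL}\z/                                    # host

def ip?(text)
  IPAddr.new(text)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

def classify_entry(entry)
  return :ip_glob       if entry =~ IP_GLOB
  return :domain_glob   if entry =~ WILDCARD_DOMAIN
  return :ip            if ip?(entry)
  return :fqdn          if entry =~ FQDN
  return :bare_hostname if entry =~ BARE
  :invalid
end

# Returns one "path:line: ..." message per entry that would be rejected.
def lint_autosign(text, path = 'autosign.conf')
  problems = []
  text.each_line.with_index(1) do |raw, lineno|
    entry = raw.strip
    next if entry.empty? || entry.start_with?('#') # assumption: comments allowed
    kind = classify_entry(entry)
    next unless %i[bare_hostname invalid].include?(kind)
    hint = kind == :bare_hostname ? 'bare hostname, use the FQDN' : 'not an IP, FQDN or *.domain'
    problems << "#{path}:#{lineno}: invalid pattern #{entry.inspect} (#{hint})"
  end
  problems
end

# Constructed sample; the last two host lines mirror the ones in the report.
SAMPLE = <<~CONF
  # constructed sample autosign.conf
  puppet-agent01.example.com
  *.lab.example.com
  css-storemanager
  css-storemanager.example.com
  172.16.0.*
CONF

puts lint_autosign(SAMPLE)
```

Running a lint like this before the file reaches the master turns the runtime certificate-request failure into a message that names the file and line.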

