Issue #2890 has been updated by Luke Kanies.

Peter Meier wrote:
> > It doesn't include Peter's "keep the old behaviour" option, in part because 
> > I'm not seeing how that would play out in practice.  If desired, it could 
> > be as simple as a one line change to lib/puppet/sslcertificates/ca.rb 
> > (making the removal conditional on the flag) and the usual setup for flags 
> > in defaults, etc.
> 
> hmm yeah maybe it isn't worth doing, as there isn't really any possible 
> harm, nor could any nasty things come up with the destructive way, could there?

Correct, no harm can come.

I say this is a YAGNI feature, and we shouldn't implement it until someone 
specifically asks for it.
----------------------------------------
Bug #2890: Puppetd: signed certificate retrieval "Retrieved certificate does 
not match private key"
http://projects.reductivelabs.com/issues/2890

Author: Silviu Paragina
Status: Ready for Testing
Priority: Low
Assigned to: Markus Roberts
Category: SSL
Target version: 0.25.2
Affected version: 0.25.1
Keywords: 
Branch: http://github.com/MarkusQ/puppet/tree/ticket/0.25.x/2890


Install a new client; let's call it client1.

Steps:
1. run puppetd --test on client
2. run puppetca --sign client1 on server
3. run rm -rf /var/lib/puppet/ssl on the client (equivalent to reinstalling 
the OS on the client)
4. run puppetd --test on the client
Now you will get, as expected, the "Retrieved certificate does not match private 
key" error. But the certificate the server gave is stored in 
/var/lib/puppet/ssl/certs and puppetd will try to use it on future runs.

To prove that, do these 2 final steps:
5. run puppetca --clean client1
6. puppetd --test 
If you analyze this run you will notice that the client does not even contact 
the server; it just loads the local certificates and bails out because the 
private/public key pair doesn't match.


Workaround: delete /var/lib/puppet/ssl/certs/client1.pem from the client (or the 
equivalent file).

I think the client shouldn't store the certificate received from the server 
unless it matches. 
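The check the reporter asks for in the last paragraph, as an added example (not Puppet's own code): a Ruby/OpenSSL routine that writes ssl/certs/<name>.pem only when the retrieved certificate matches the local private key, run against the wiped-ssldir scenario from the steps above. `self_signed_cert`, `cert_matches_key?`, `store_cert_if_matching` and `demo` are names assumed here, and the certificate is constructed locally to stand in for what puppetca --sign returns.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test data: a minimal self-signed certificate for a given key,
# standing in for the certificate the server returns after puppetca --sign.
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The check the report says is missing: does the retrieved certificate carry
# the public half of the key the client holds in ssl/private_keys?
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Hypothetical storage step (assumed here, not Puppet's): write
# ssl/certs/<name>.pem only when the cert matches, so a later run cannot load
# a stale, mismatched cert and bail out without contacting the server.
def store_cert_if_matching(ssldir, name, cert, key)
  return false unless cert_matches_key?(cert, key)
  dir = File.join(ssldir, 'certs')
  Dir.mkdir(dir) unless Dir.exist?(dir)
  File.write(File.join(dir, "#{name}.pem"), cert.to_pem)
  true
end

# Reproduce the report's scenario in a temporary ssldir: the cert was signed
# for the original key, but after rm -rf ssl/ the client has a fresh key.
# Returns [stored?, cert file present?]; both should be false.
def demo
  original_key = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed_cert(original_key, 'client1')
  fresh_key = OpenSSL::PKey::RSA.new(2048) # key generated after the wipe
  Dir.mktmpdir do |ssldir|
    stored = store_cert_if_matching(ssldir, 'client1', cert, fresh_key)
    [stored, File.exist?(File.join(ssldir, 'certs', 'client1.pem'))]
  end
end
```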



--

You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.