It appears that the new code fixes the server/agent use case (which is probably the more important of the two) but has no effect on the masterless use case. It is possible I don't understand the fail scenario. The description shows tracking of these certs in directory ~/.puppetlabs/. My runs generated no such directory. The new directory is in /etc/puppetlabs.
Tested on centos-7 using the head of stable branch (which also includes the fix for PUP-5416, puppet lookup command too verbose).
Masterless use case: There appears to be no difference between the fixed and unfixed versions of puppet. In both cases a puppet-apply command or a puppet-lookup will result in new ssl directory containing certs, etc. being created in /etc/puppetlabs/puppet. Below is the result on the "fixed" version.
##### no ssl directory in /etc/puppetlabs/puppet.

[root@bw7qlcliqg5a9qt ~]# cd /etc/puppetlabs/puppet
[root@bw7qlcliqg5a9qt puppet]# ls
auth.conf puppet.conf
[root@bw7qlcliqg5a9qt puppet]# date
Fri Jan 8 12:47:32 PST 2016
[root@bw7qlcliqg5a9qt puppet]# puppet lookup data_module::key_in_module
--- data_module1-production
...

##### now there is an ssl directory, populated.

[root@bw7qlcliqg5a9qt puppet]# ls -l
total 12
-rw-r--r--. 1 root root 4429 Jan 8 12:41 auth.conf
-rw-r--r--. 1 root root 457 Jan 8 12:41 puppet.conf
drwxrwx--x. 7 root root 96 Jan 8 12:48 ssl
[root@qxo2uqh05016syt puppet]# ls -l ssl
total 4
drwxr-xr-x. 2 root root 56 Jan 8 12:48 certificate_requests
drwxr-xr-x. 2 root root 69 Jan 8 12:48 certs
-rw-r--r--. 1 root root 995 Jan 8 12:48 crl.pem
drwxr-x---. 2 root root 6 Jan 8 12:48 private
drwxr-x---. 2 root root 56 Jan 8 12:48 private_keys
drwxr-xr-x. 2 root root 56 Jan 8 12:48 public_keys
[root@bw7qlcliqg5a9qt puppet]#

server/agent use case

Before fix (sha 522532559910c8c3844c941610aad7cfd58c59a5):

[root@wc8kxcjwg4wivjn ~]# find / -name lookup.rb

######## verified the fixed file is in the old (before fix) state

[root@wc8kxcjwg4wivjn ~]# vi /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/lookup.rb

####### Capture the state of the ssl directory before the test.

[root@wc8kxcjwg4wivjn ~]# find /etc/puppetlabs/puppet/ssl -type f | xargs md5sum > md5s-before

####### run the lookup command, see the error message.

[root@wc8kxcjwg4wivjn ~]# puppet lookup puppet4::config
Error: Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: E1:BF:F4:85:E0:AF:B0:C4:E4:4D:E6:0F:A1:E5:70:0A:37:41:07:6A:CF:C7:B3:3C:F0:24:65:70:A3:4F:E1:CD
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean wc8kxcjwg4wivjn.delivery.puppetlabs.net
On the agent:
1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name wc8kxcjwg4wivjn.delivery.puppetlabs.net.pem -delete
1b. On Windows: del "/etc/puppetlabs/puppet/ssl/wc8kxcjwg4wivjn.delivery.puppetlabs.net.pem" /f
2. puppet agent -t

####### Capture the state of the ssl directory after the test.

[root@wc8kxcjwg4wivjn ~]# find /etc/puppetlabs/puppet/ssl -type f | xargs md5sum > md5s-after

####### Comparing, discover two additional files.

[root@wc8kxcjwg4wivjn ~]# diff md5s-*
7,8d6
< 6f63b10a7dbd0cd6b6ffb8e7eef7b89b /etc/puppetlabs/puppet/ssl/ca/ca_key.pem
< 5505dde4af5f449bb12e6a3f85ba20a6 /etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
[root@wc8kxcjwg4wivjn ~]#

After fix (sha 5ac9fe976772e6321ee45fd7f37555e6bffdaaf9):

PuppetLabs382:~ sgriffin$ ssh root@qxo2uqh05016syt
The authenticity of host 'qxo2uqh05016syt (10.32.124.176)' can't be established.
RSA key fingerprint is 22:2b:05:7e:a1:86:f5:0e:9b:28:99:a9:ec:df:f1:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'qxo2uqh05016syt,10.32.124.176' (RSA) to the list of known hosts.
Last login: Wed Oct 28 10:47:18 2015 from 10.32.128.239
set [root@qxo2uqh05016syt ~]# set -o vi
[root@qxo2uqh05016syt ~]# cd /etc/puppetlabs/puppet

##### in the server/agent use case, certificates are already on the system before the test.

[root@qxo2uqh05016syt puppet]# ls
auth.conf puppet.conf ssl

##### capture the state of the ssl directory (before)

[root@qxo2uqh05016syt puppet]# find ssl -type f | xargs md5sum > md5s-before

##### do the lookup

[root@qxo2uqh05016syt puppet]# puppet lookup puppet4::config

##### capture the state of the ssl directory again (after)

[root@qxo2uqh05016syt puppet]# find ssl -type f | xargs md5sum > md5s-after
[root@qxo2uqh05016syt puppet]# cat md5s-*
7e4dffe11b29d24941615e0a4cd9d7ba ssl/certs/ca.pem
28246cbc7cc157eacb9396fb5a4dd632 ssl/certs/qxo2uqh05016syt.delivery.puppetlabs.net.pem
934e10216f6d3ce98bfbf2784ad2e360 ssl/public_keys/qxo2uqh05016syt.delivery.puppetlabs.net.pem
2a08fd0680a1fb950448c337df695e3d ssl/certificate_requests/qxo2uqh05016syt.delivery.puppetlabs.net.pem
d9ceb724bf108d375c0f1011ec7cdbd3 ssl/private_keys/qxo2uqh05016syt.delivery.puppetlabs.net.pem
0781b44b1a51a57b8786e54af78c8179 ssl/crl.pem

7e4dffe11b29d24941615e0a4cd9d7ba ssl/certs/ca.pem
28246cbc7cc157eacb9396fb5a4dd632 ssl/certs/qxo2uqh05016syt.delivery.puppetlabs.net.pem
934e10216f6d3ce98bfbf2784ad2e360 ssl/public_keys/qxo2uqh05016syt.delivery.puppetlabs.net.pem
2a08fd0680a1fb950448c337df695e3d ssl/certificate_requests/qxo2uqh05016syt.delivery.puppetlabs.net.pem
d9ceb724bf108d375c0f1011ec7cdbd3 ssl/private_keys/qxo2uqh05016syt.delivery.puppetlabs.net.pem
0781b44b1a51a57b8786e54af78c8179 ssl/crl.pem

##### no error message, no change in the state of the ssl directory.
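The verification method used in the comment above (checksum every file under the ssl directory, run the command under test, checksum again, and diff) can be generalized into a reusable side-effect check. The script below is an added example and is not part of the ticket, the Puppet project, or the commenter's own runs. It uses sha256sum instead of md5sum, reports added, modified and removed files explicitly instead of relying on raw diff output, and returns a non-zero status whenever the directory changed. The directory layout and file contents in demo() are constructed for the demo; no Puppet command is run.

```shell
#!/bin/sh
# Added example: snapshot a directory before and after running a command and
# report any files the command added, modified or removed. Paths containing
# whitespace are not handled (awk splits on it), which is fine for a Puppet
# ssldir but worth knowing before reusing this elsewhere.

# Print "sha256  path" for every regular file under $1, sorted by path.
snapshot_dir() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Compare two snapshot files ($1 = before, $2 = after) and print one line per
# difference: "ADDED path", "MODIFIED path" or "REMOVED path".
compare_snapshots() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in before))        print "ADDED", $2
            else if (before[$2] != $1)  print "MODIFIED", $2
        }
        END { for (p in before) if (!(p in seen)) print "REMOVED", p }
    ' "$1" "$2" | sort
}

# check_side_effects DIR CMD [ARGS...]
# Runs CMD and returns 0 if DIR is byte-for-byte unchanged afterwards,
# otherwise prints the differences and returns 1. CMD's stdout is discarded so
# that only the change report lands on stdout; its stderr (for example an
# "Error: Could not prepare for execution" message) is passed through.
check_side_effects() {
    dir=$1; shift
    tmp_before=$(mktemp); tmp_after=$(mktemp)
    snapshot_dir "$dir" > "$tmp_before"
    "$@" > /dev/null
    snapshot_dir "$dir" > "$tmp_after"
    changes=$(compare_snapshots "$tmp_before" "$tmp_after")
    rm -f "$tmp_before" "$tmp_after"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Helper used by the demo and the test: a "command" that writes a file.
write_file() {
    printf 'constructed content\n' > "$1"
}

# Demo on a constructed directory (not a real Puppet ssldir).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/ssl/certs"
    printf 'constructed ca\n' > "$work/ssl/certs/ca.pem"

    # A command that does not touch the directory: expected to pass.
    check_side_effects "$work/ssl" true && echo "true: ssl dir unchanged"

    # A command that writes into it, like the pre-fix lookup did with
    # ssl/ca/ca_key.pem: expected to fail and report the added file.
    check_side_effects "$work/ssl" write_file "$work/ssl/ca_key.pem" \
        || echo "write_file: ssl dir changed (see report above)"

    rm -rf "$work"
}

# Run the demo only when executed directly, not when sourced for testing.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

To reuse it against a real run, replace the demo command with the command under test, e.g. check_side_effects /etc/puppetlabs/puppet/ssl puppet lookup some::key; a non-zero exit then tells a CI job or a reviewer that the command created or rewrote credential material, which is exactly the regression the ticket is tracking.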