Issue #7109 has been reported by Matt Robinson.
----------------------------------------
Bug #7109: Agent retrieving a cert with an already used certname gets error
https://projects.puppetlabs.com/issues/7109
Author: Matt Robinson
Status: Needs Decision
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:
If agent 'foo' has already received a signed cert back from the Puppet
CA, and then a second agent asks for a cert with the certname 'foo' you get the
following:
/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:166:in `certificate'
/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:227:in `wait_for_cert'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:194:in `setup_host'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:259:in `setup'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:420:in `hook'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:411:in `exit_on_fail'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/sbin/puppetd:4
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
However, if you manually generate a certificate request using either the new
face 'puppet certificate generate `hostname` --ca-location remote --server
Name_of_Puppet_Master' or curl (haven't actually tested with curl, but it's
basically the same as the face), you're allowed to make a new CSR with the same
name as a cert that's already signed.
The question here seems to be, should the agent be fixed to allow this kind of
behavior since it's possible with more manual means?
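Added example (not part of the original report and not Puppet's own code): a Ruby sketch of the key-match check behind the "does not match private key" error, using a constructed CA and two constructed agent key pairs that both claim the certname 'foo'. The helper names issue_cert, cert_usable_by? and demo are hypothetical.

```ruby
require 'openssl'

# Constructed stand-in for a CA: binds `certname` to `public_key`.
def issue_cert(certname, public_key, ca_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Check an agent can apply to a certificate fetched by name: the subject CN
# must be the requested certname AND the certificate's public key must pair
# with the agent's own private key.
def cert_usable_by?(cert, agent_key, certname)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  return false unless cn && cn[1] == certname
  cert.check_private_key(agent_key)
end

# Replays the scenario in the report with constructed keys.
def demo
  ca_key     = OpenSSL::PKey::RSA.new(2048)
  first_key  = OpenSSL::PKey::RSA.new(2048) # agent that already holds 'foo'
  second_key = OpenSSL::PKey::RSA.new(2048) # second agent reusing 'foo'
  signed = issue_cert('foo', first_key.public_key, ca_key, 1)
  {
    first_agent:  cert_usable_by?(signed, first_key, 'foo'),
    second_agent: cert_usable_by?(signed, second_key, 'foo'),
    wrong_name:   cert_usable_by?(signed, first_key, 'bar')
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The second agent fails the check because the certificate stored under 'foo' carries the first agent's public key, so reusing a certname never gives the second host a usable identity unless the CA signs a new request for it.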