Issue #4680 has been updated by Daniel Pittman.

Status changed from Accepted to In Topic Branch Pending Review
Branch set to https://github.com/puppetlabs/puppet/pull/1117
https://github.com/puppetlabs/puppet/pull/1117 contains what I consider to be the "most reasonable" fix to this problem. It modifies the master to explicitly reject CA operations over the network when configured with `ca = false`. That, in turn, causes the agent to explicitly and clearly fail when talking to a master that will ignore the CSR submission.

We can't actually change the agent to resubmit at this point: it already does so if you keep it running, waiting for a certificate, but between process runs this requires state on both the agent *and* the CA that we don't maintain, and that is surprisingly hard to get right. The failure is that we have no record of "this CSR is not acceptable" on the CA - so, if we get the CSR to it, and the admin deletes it, the agent can't tell if this was (a) transmission failure, or (b) user action. Without that knowledge we end up endlessly resubmitting the same bad request, and making the life of the CA admin hell.

----------------------------------------
Bug #4680: agent will never resend a certificate request, preventing it from connecting to the master, even if the master is in autosign mode
https://projects.puppetlabs.com/issues/4680#change-70651

Author: Nico Schottelius
Status: In Topic Branch Pending Review
Priority: High
Assignee: eric sorenson
Category: SSL
Target version: 2.7.x
Affected Puppet version: 0.25.5
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/1117

Problem: Client should transfer certificate request, master should autosign it.

Current behaviour:

Master outputs:
info: Could not find certificate for 'ikr31.ethz.ch'

Client outputs:
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

But there's no csr on the master. Tried with and without the new auth.conf.
Details:

Client:
<pre>
root@ikr31:~# puppet --version
0.25.4
root@ikr31:~# puppetd --server puppet.inf.ethz.ch --test --ca_port 19400 --debug --color no --waitforcert 2
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/ikr31.ethz.ch.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/run/puppet/puppetd.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/ikr31.ethz.ch.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction 69844402770620 with 0 changes
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate_request for ikr31.ethz.ch, good until
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
^CCancelling startup
</pre>

Master:
<pre>
[10:38] sans:~# /usr/bin/puppet master --servertype=webrick --masterport=19400 --debug --no-daemonize --color false --trace
warning: You have configuration parameter $ssl_client_header specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $templatedir specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $modulepath specified in [puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
debug: /File[/var/lib/puppetmaster/ssl/public_keys/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/public_keys]
debug: /File[/var/lib/puppetmaster/ssl/certs]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/reports]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/lib]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/ssl/certificate_requests]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/server_data]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/certs/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/certs]
debug: /File[/var/lib/puppetmaster/ssl]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppetmaster/ssl/public_keys]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/yaml]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private_keys/sans.ethz.ch.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/private_keys]
debug: /File[/var/lib/puppetmaster/bucket]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/rrd]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/state]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/facts]: Autorequiring File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/private_keys]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
debug: /File[/var/lib/puppetmaster/ssl/crl.pem]: Autorequiring File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/certs]
debug: Finishing transaction 70355901938100
debug: /File[/var/lib/puppetmaster/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppetmaster/ssl/ca/private]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/signed]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/serial]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/requests]: Autorequiring File[/var/lib/puppetmaster/ssl/ca]
debug: Finishing transaction 70355900300400
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for sans.ethz.ch
notice: Starting Puppet master version 2.6.0
err: Removing mount files: /etc/puppet/files does not exist
info: mount[files]: allowing 129.132.12.0/24 access
[... many more permissions allowed...]
debug: No modules mount given; autocreating with default permissions
debug: Finishing transaction 70355918274780
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/status'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/resource'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Could not find certificate for 'ikr31.ethz.ch'
</pre>
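The behaviour the pull request describes, as an added Ruby illustration that is not Puppet's own code: a master running with `ca = false` answers CA routes with an explicit error, so the agent can report that failure instead of the silent "Did not receive certificate" seen in the log above. The route list, the `NotACaError` class and the in-memory `pending_requests` hash are assumptions made for this example.

```ruby
# Added illustration (not Puppet's code): model of "reject CA operations when
# ca = false" on the master, and how the agent turns that into a clear error.

# Indirections that only a CA should serve. Assumption: this list stands in for
# whatever the real master treats as CA operations; the names come from the
# default ACLs printed in the master log (certificate, certificate_request, ...).
CA_ROUTES = %w[certificate certificate_request certificate_revocation_list certificate_status].freeze

class NotACaError < StandardError; end

# Master side: decide whether this process may handle the request at all.
# settings: {ca: true/false}; path: e.g. "/certificate_request/ikr31.ethz.ch"
# pending_requests: constructed in-memory stand-in for the CA's requests directory.
def master_handle(settings, path, pending_requests)
  indirection, key = path.sub(%r{\A/}, '').split('/', 2)
  if CA_ROUTES.include?(indirection) && settings[:ca] == false
    # The fix: fail loudly instead of accepting a CSR that nothing will ever sign.
    raise NotACaError, "this master is not a CA (ca = false); refusing #{indirection}"
  end
  case indirection
  when 'certificate_request'
    pending_requests[key] = true           # CSR accepted and stored for signing
    :accepted
  when 'certificate'
    pending_requests[key] ? :pending : :not_found
  else
    :not_ca_route                          # catalog, report, status, ... unaffected
  end
end

# Agent side: submit the CSR, then ask for the certificate, and produce a
# message an admin can act on rather than a bare "Did not receive certificate".
def agent_submit_csr(settings, certname, pending_requests)
  master_handle(settings, "/certificate_request/#{certname}", pending_requests)
  status = master_handle(settings, "/certificate/#{certname}", pending_requests)
  status == :pending ? "CSR queued on CA for #{certname}; waiting for signature" : "unexpected: #{status}"
rescue NotACaError => e
  "cannot submit CSR for #{certname}: #{e.message}"
end
```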
