Issue #6112 has been updated by Charlie Sharpsteen.

* Category changed from logging to SSL
* Status changed from Investigating to Accepted
* Assignee deleted (Charlie Sharpsteen)
* Keywords changed from error cert generate customer to error cert_generate autosign customer

Autosigning is a very likely culprit:

<pre>
[root@puppetmaster ~]# rm -rf /var/lib/puppet/ssl
[root@puppetmaster ~]# puppet cert generate puppetagent.boxnet
Notice: Signed certificate request for ca
Notice: Rebuilding inventory file
Notice: puppetagent.boxnet has a waiting certificate request
Notice: Signed certificate request for puppetagent.boxnet
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/ca/requests/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/certificate_requests/puppetagent.boxnet.pem'
[root@puppetmaster ~]# puppet cert clean puppetagent.boxnet
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppetagent.boxnet at '/var/lib/puppet/ssl/ca/signed/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::Certificate puppetagent.boxnet at '/var/lib/puppet/ssl/certs/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::Key puppetagent.boxnet at '/var/lib/puppet/ssl/private_keys/puppetagent.boxnet.pem'
[root@puppetmaster ~]# echo 'puppetagent.boxnet' > /etc/puppet/autosign.conf
[root@puppetmaster ~]# puppet cert generate puppetagent.boxnet
Notice: puppetagent.boxnet has a waiting certificate request
Notice: Signed certificate request for puppetagent.boxnet
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/ca/requests/puppetagent.boxnet.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at '/var/lib/puppet/ssl/certificate_requests/puppetagent.boxnet.pem'
Error: Could not find certificate request for puppetagent.boxnet
</pre>

When using `puppet cert generate`, Puppet first [generates a certificate request](https://github.com/puppetlabs/puppet/blob/3.1.1/lib/puppet/ssl/certificate_authority.rb#L139) and then [signs it](https://github.com/puppetlabs/puppet/blob/3.1.1/lib/puppet/ssl/certificate_authority.rb#L140).
During the generation step, the save method of the CertificateRequest class is called, which [triggers autosigning](https://github.com/puppetlabs/puppet/blob/3.1.1/lib/puppet/ssl/certificate_request.rb#L12-L19).

To summarize:

* Certificate generation should take auto signing into account.
* It appears autosigning doesn't consult the dns_alt_names parameter.
* We should probably log an info or debug message whenever a cert is autosigned so this behavior is easier to detect in the future.

----------------------------------------
Bug #6112: Puppet cert generate error message when it succeeds
https://projects.puppetlabs.com/issues/6112#change-91329

* Author: Jeff McCune
* Status: Accepted
* Priority: Normal
* Assignee:
* Category: SSL
* Target version:
* Affected Puppet version: development
* Keywords: error cert_generate autosign customer
* Branch:

----------------------------------------

## Overview ##

Running puppet cert in 2.6.next f135a64 performs the desired certificate generation, but displays a nasty error message in the process.

## Steps to reproduce ##

    $ puppet cert --confdir ~/.puppet/conf_enc --generate foo.bar.baz --certdnsnames foo:foo.bar.baz:puppet
    notice: foo.bar.baz has a waiting certificate request
    notice: Signed certificate request for foo.bar.baz
    notice: Removing file Puppet::SSL::CertificateRequest foo.bar.baz at '/Users/jeff/.puppet/var/ssl/ca/requests/foo.bar.baz.pem'
    notice: Removing file Puppet::SSL::CertificateRequest foo.bar.baz at '/Users/jeff/.puppet/var/ssl/certificate_requests/foo.bar.baz.pem'
    err: Could not call generate: Could not find certificate request for foo.bar.baz
    $ echo $?
    0
    $ puppet cert --print foo.bar.baz
    (Works as expected, certificate was generated and signed)

## Expected Behavior ##

The error shouldn't be displayed.
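The sequence described in the update above (saving the request autosigns it, then the explicit sign step finds no request) can be reproduced with a small model. This is an added example, not code from Puppet or from the issue; `ToyCA`, its method names and the log line format are hypothetical, and the certname is constructed sample input taken from the transcript.

```ruby
# Toy model of the described flow, not Puppet's code; ToyCA and its methods are hypothetical.
class ToyCA
  class MissingRequest < StandardError; end
  attr_reader :requests, :signed, :log

  def initialize(autosign: [])
    @autosign = autosign # certnames as listed in autosign.conf
    @requests = {}       # pending CSRs by certname
    @signed   = {}       # issued certificates by certname
    @log      = []
    @serial   = 0
  end

  # Saving a CSR is what triggers autosigning in the described flow.
  def save_request(name)
    @requests[name] = "CSR(#{name})"
    return unless @autosign.include?(name)
    sign(name)
    @log << "info: autosigned #{name}" # audit line the summary asks for
  end

  # Signing consumes the pending CSR, so a second call has nothing to sign.
  def sign(name)
    csr = @requests.delete(name)
    raise MissingRequest, "Could not find certificate request for #{name}" unless csr
    @signed[name] = "CERT(#{csr}, serial=#{@serial += 1})"
  end

  # As described: generate the request, then sign unconditionally.
  def generate(name)
    save_request(name)
    sign(name)
  end

  # Autosign-aware variant: only sign if a request is still pending.
  def generate_autosign_aware(name)
    save_request(name)
    sign(name) if @requests.key?(name)
    @signed.fetch(name)
  end
end

if __FILE__ == $PROGRAM_NAME
  ca = ToyCA.new(autosign: ["puppetagent.boxnet"]) # constructed sample input
  begin
    ca.generate("puppetagent.boxnet")
  rescue ToyCA::MissingRequest => e
    puts "Error: #{e.message}; issued anyway: #{ca.signed.key?('puppetagent.boxnet')}"
  end
end
```

In the model the certificate is issued even though `generate` raises, which matches the transcript: the error is reported after the autosigned certificate already exists.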
