Puppet: System Administration Automated

Support

Ticket #1190 (new defect)

Opened 7 months ago

Last modified 6 months ago

Puppetd exits if it receives a bad certificate

Reported by: init Assigned to: andrew
Priority: normal Milestone: 0.24.5
Component: executables Version: 0.24.4
Severity: normal Keywords: puppetd
Cc: Triage Stage: Accepted
Attached Patches: Insufficient Complexity: Easy

Description

When starting puppetd in daemon mode, a bad certificate received from the puppet master causes the client to exit. This is (according to me) undesirable behavior. Why not just retry once in a while like when there is no signed client certificate on the master for this host? As of now, if the client is reinstalled without first removing the old puppet client certificate, the system administrator must then manually login to the client to restart the puppet daemon (after removing the old certificate).

In my opinion, a daemon should not exit unless in encounters a truly fatal error, and this error is not one of them. An example of a truly fatal error would be a missing dependency.

Unfortunately, I do not know Ruby (yet), so I cannot fix it.

Change History

04/17/08 06:46:49 changed by jamtur01

  • owner changed from community to jamtur01.
  • status changed from new to assigned.
  • stage changed from Unreviewed to Needs more info.

Can you show the error, define what you mean by "bad certificate", and provide --trace output?

Thanks.

04/17/08 09:52:59 changed by init

A bad certificate is an old signed client certificate for a host. It is generated in the following way:

1. Install the host system including a puppet client

2. When the puppet client starts, it generates a key pair and sends a certificate signing request (CSR) to the puppet master

3. On the puppet master, sign the CSR with 'puppetca -s [host-fqdn]'

4. The client receives the signed certificate and puppet begins its processing

5. Reinstall the client system including the puppet client

6. The puppet client generates a key pair and sends a CSR to the puppet master

7. The puppet master rejects the CSR since it already has a signed certificate for this host

8. Upon receiving the rejection, the puppet client exits

This is in my opinion undesirable behavior. The puppet client should wait a few minutes and try again, not just quit.

There is also another related problem which I found after filing the above report. If you skip step 3, the new CSR sent by the client after the reinstall is ignored by the puppet master, and only the first (and now stale) CSR is kept. When you sign the CSR listed for your client hostname after step 6 above, the stale CSR is signed and the client exits due to its new CSR being suddenly rejected. Trying to preempt this problem by clearing the old CSR on the master fails since it only clears signed certificates, not CSRs.

I will put trace output in a later report, when I next bump into the problem.

04/24/08 07:26:17 changed by luke

  • component changed from client to executables.

05/12/08 23:46:07 changed by luke

  • stage changed from Needs more info to Accepted.
  • milestone set to 0.24.5.

05/16/08 09:39:15 changed by Fujin

  • status changed from assigned to new.

The fix for #1200 fixes this one too ;>

05/16/08 09:51:01 changed by jamtur01

  • keywords set to puppetd.
  • complexity changed from Unknown to Easy.
  • patch changed from None to Insufficient.

05/16/08 09:54:19 changed by jamtur01

  • owner changed from jamtur01 to fujin.

05/26/08 07:58:42 changed by andrew

  • owner changed from fujin to andrew.