Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
Hi,

Micah Anderson mi...@riseup.net writes:

> > attached is a patch that I use to prevent puppet from overwriting the CA certificate if it is already present on the local host.
>
> When you reported this bug, it was for 0.24; does this still happen with newer versions of puppet?
>
--- puppet.orig/lib/puppet/network/client/ca.rb +++ puppet/lib/puppet/network/client/ca.rb @@ -48,7 +48,9 @@ # Only write the cert out if it passes validating. Puppet.settings.write(:hostcert) do |f| f.print cert end -Puppet.settings.write(:localcacert) do |f| f.print cacert end +unless FileTest.exist?(Puppet[:localcacert]) + Puppet.settings.write(:localcacert) do |f| f.print cacert end +end @cert end
>
> In newer versions of puppet, most of the above code doesn't exist anywhere I could find, so I guess that this has either been resolved in newer versions, or you have been forward porting this patch to new versions? If you do have a newer version, could you send it to the bug report?

I dropped the patch after 2.6.2-5+squeeze3. So this issue should be resolved.

Ansgar

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
> Hello,
>
> attached is a patch that I use to prevent puppet from overwriting the CA certificate if it is already present on the local host.

When you reported this bug, it was for 0.24; does this still happen with newer versions of puppet?

--- puppet.orig/lib/puppet/network/client/ca.rb +++ puppet/lib/puppet/network/client/ca.rb @@ -48,7 +48,9 @@ # Only write the cert out if it passes validating. Puppet.settings.write(:hostcert) do |f| f.print cert end -Puppet.settings.write(:localcacert) do |f| f.print cacert end +unless FileTest.exist?(Puppet[:localcacert]) + Puppet.settings.write(:localcacert) do |f| f.print cacert end +end @cert end

In newer versions of puppet, most of the above code doesn't exist anywhere I could find, so I guess that this has either been resolved in newer versions, or you have been forward porting this patch to new versions? If you do have a newer version, could you send it to the bug report?

micah
Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
Hi,

attached is a patch that I use to prevent puppet from overwriting the CA certificate if it is already present on the local host.

Regards,
Ansgar

Subject: Do not overwrite CA certificate
From: Ansgar Burchardt ans...@mathi.uni-heidelberg.de
Bug-Debian: http://bugs.debian.org/525850

--- puppet.orig/lib/puppet/network/client/ca.rb +++ puppet/lib/puppet/network/client/ca.rb @@ -48,7 +48,9 @@ # Only write the cert out if it passes validating. Puppet.settings.write(:hostcert) do |f| f.print cert end -Puppet.settings.write(:localcacert) do |f| f.print cacert end +unless FileTest.exist?(Puppet[:localcacert]) + Puppet.settings.write(:localcacert) do |f| f.print cacert end +end @cert end
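Review bot: the `unless FileTest.exist?(Puppet[:localcacert])` guard turns the unconditional overwrite into a silent no-op whenever any file is present, so a client that carries a stale or rotated CA certificate keeps it with no diagnostic and only finds out when verification of the master's certificate fails later. Suggest comparing the received `cacert` with the contents of the existing file and logging a warning when they differ, so the operator sees the mismatch at the point where it happens; the check and the write are also not atomic, which is tolerable here but deserves a comment. The patch description should state that, for the two-CA setup this supports, `localcacert` is now expected to be pre-installed on the client by the administrator before the first run.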
Bug#525850: [Pkg-puppet-devel] Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
Hi,

Micah Anderson mi...@riseup.net writes:

> * Ansgar Burchardt ans...@mathi.uni-heidelberg.de [2009-04-27 10:24-0400]:
>
> > When puppet initially requests a certificate from puppetmaster, it will overwrite the CA certificate even if it is already present.
>
> Do you mean to say that if you have a signed certificate on the puppetmaster for host 'foo.bar.org' and then you reinstall the system 'foo' and run puppet again you do not want the existing certificate re-generated?
>
> I'm a little confused by your use of the term "CA certificate". To me, CA means Certificate Authority and I'm not sure how you are using that in this context.

I mean the public key of the certificate authority used to sign the Puppetmaster's public key (the file localcacert refers to on the client). There is no reason to overwrite this key when Puppet gets a new host key.

We have the following setup using two CAs:

* example.com certification authority
  - signs: puppet.example.com
  - installed on clients as $localcacert before Puppet is started the first time.
  - should be trusted by clients

* puppet.example.com certification authority
  - signs client certificates via puppetca
  - should *not* be trusted by clients
  - used by the server to identify client name

When puppet starts the first time on a client, it asks puppet.example.com to sign the client.example.com certificate. It will install the signed certificate, *but* it will also install the puppet.example.com CA certificate, overwriting the example.com CA certificate already present. The client will then not trust the puppet.example.com certificate...

I may miss some option to tell puppetca/puppetmaster which CA cert to send to the clients, but there should be no need to overwrite the CA certificate already installed on the clients in any case.

Regards,
Ansgar
Bug#525850: [Pkg-puppet-devel] Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
* Ansgar Burchardt ans...@mathi.uni-heidelberg.de [2009-04-27 10:24-0400]:

> Package: puppet
> Version: 0.24.5-3
> Severity: minor
>
> Hi,
>
> When puppet initially requests a certificate from puppetmaster, it will overwrite the CA certificate even if it is already present.

Do you mean to say that if you have a signed certificate on the puppetmaster for host 'foo.bar.org' and then you reinstall the system 'foo' and run puppet again you do not want the existing certificate re-generated?

I'm a little confused by your use of the term "CA certificate". To me, CA means Certificate Authority and I'm not sure how you are using that in this context.

micah
Bug#525850: puppet: Requesting new certificate will overwrite CA certificate
Package: puppet
Version: 0.24.5-3
Severity: minor

Hi,

When puppet initially requests a certificate from puppetmaster, it will overwrite the CA certificate even if it is already present. I traced the problem to

    # Only write the cert out if it passes validating.
    Puppet.settings.write(:hostcert) do |f| f.print cert end
    Puppet.settings.write(:localcacert) do |f| f.print cacert end

in /usr/lib/ruby/1.8/puppet/network/client/ca.rb. I think the local CA cert should only be written if the file is not already present.

Regards,
Ansgar

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (900, 'stable'), (600, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages puppet depends on:
ii  adduser                   3.110      add and remove users and groups
ii  facter                    1.5.1-0.1  a library for retrieving facts fro
ii  libopenssl-ruby           4.2        OpenSSL interface for Ruby
ii  libruby [libxmlrpc-ruby]  4.2        Libraries necessary to run Ruby 1.
ii  libshadow-ruby1.8         1.4.1-8    Interface of shadow password for R
ii  libxmlrpc-ruby            4.2        transitional dummy package
ii  lsb-base                  3.2-20     Linux Standard Base 3.2 init scrip
ii  ruby                      4.2        An interpreter of object-oriented

Versions of packages puppet recommends:
pn  rdoc                      <none>     (no description available)

puppet suggests no packages.

-- no debconf information
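As an added example, not code from the bug report, from the patch or from Puppet itself, the following Ruby script reproduces the two-CA layout Ansgar describes (a site CA that signs puppet.example.com and is the only CA clients should trust, and a separate puppet.example.com CA that only signs client certificates) and the guarded write proposed in the original report. It shows with OpenSSL that the master's certificate verifies against the site CA and not against the puppet CA, which is exactly why overwriting localcacert breaks the client's trust, and it implements the write so that an existing, different CA file is reported as a conflict rather than silently replaced. The CAs, keys, helper names (`make_ca`, `issue_cert`, `trusted_by?`, `install_local_cacert`, `demo`) and the temporary file path are constructed for this example; Puppet's real client code writes through `Puppet.settings.write`, which is replaced here by plain file IO so the script runs stand-alone.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Constructed self-signed CA certificate and key (example only, not Puppet code).
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# End-entity certificate for `cn`, signed by the given CA (constructed).
def issue_cert(cn, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Does a trust store containing only `trusted_ca` accept `cert`?
def trusted_by?(cert, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.verify(cert)
end

# Guarded version of the unconditional write in ca.rb: install the CA
# certificate received from the server only when none is present, and report
# a conflict instead of silently overwriting a different one.
def install_local_cacert(path, received_pem)
  received = OpenSSL::X509::Certificate.new(received_pem)
  if File.exist?(path)
    existing = OpenSSL::X509::Certificate.new(File.read(path))
    # Compare DER so that PEM whitespace differences do not count as a change.
    return :unchanged if existing.to_der == received.to_der
    warn "not replacing CA certificate at #{path}: installed #{existing.subject}, received #{received.subject}"
    return :conflict
  end
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, received.to_pem)
  :written
end

# Walk through the scenario from the bug thread; returns a hash of results.
def demo
  site_ca, site_key = make_ca('example.com CA')             # trusted by clients
  puppet_ca, _puppet_key = make_ca('puppet.example.com CA') # signs client certs only
  master_cert, _master_key = issue_cert('puppet.example.com', site_ca, site_key)

  results = {
    master_trusted_via_site_ca: trusted_by?(master_cert, site_ca),
    master_trusted_via_puppet_ca: trusted_by?(master_cert, puppet_ca)
  }

  Dir.mktmpdir do |dir|
    localcacert = File.join(dir, 'ssl', 'certs', 'ca.pem') # constructed path
    # The administrator pre-installs the site CA before the first run.
    results[:first_install] = install_local_cacert(localcacert, site_ca.to_pem)
    # The master then sends its own CA with the signed host cert: must not replace it.
    results[:server_ca_rejected] = install_local_cacert(localcacert, puppet_ca.to_pem)
    # Receiving the same CA again is harmless.
    results[:same_ca_again] = install_local_cacert(localcacert, site_ca.to_pem)
    # The file on disk is still the site CA, so the master is still trusted.
    on_disk = OpenSSL::X509::Certificate.new(File.read(localcacert))
    results[:still_trusted] = trusted_by?(master_cert, on_disk)
  end
  results
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the script prints a hash in which the master verifies only via the site CA, the first install is `:written`, the attempt to install the puppet CA is `:conflict` (with a warning on stderr naming both subjects), and the master is still trusted afterwards. The conflict result is the part the original patch lacks: with a bare existence check the client would keep whatever file it had without telling anyone.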