Jira (PUP-10159) Can't differentiate between cert and request on Puppet Server


Mihai Buzgau (JIRA)

Dec 4, 2019, 6:36:04 AM
to puppe...@googlegroups.com
Mihai Buzgau moved an issue
 
Puppet / Bug PUP-10159
Can't differentiate between cert and request on Puppet Server
Change By: Mihai Buzgau
Key: PA-3017 -> PUP-10159
Project: Puppet Agent
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Mihai Buzgau (JIRA)

Dec 4, 2019, 6:38:06 AM
to puppe...@googlegroups.com
Mihai Buzgau commented on Bug PUP-10159
 
Re: Can't differentiate between cert and request on Puppet Server

Not sure if this is a PUP, Server or PE Console ticket.
/cc Josh Cooper Maggie Dreyer

We will try to do some digging into it.

Josh Cooper (JIRA)

Dec 4, 2019, 11:21:04 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10159

The puppet cert command is deprecated in 5.5.x and removed in 6. In 5.5.x there should be a leading +.

$ bx puppet cert list --all
Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /Users/josh/work/puppet/lib/puppet/application.rb:370:in `run')
+ "foobar" (SHA256) B7:42:13:1D:2E:D9:16:07:88:CD:42:40:19:34:20:15:F2:3D:D0:E0:09:28:1B:5D:86:B3:38:27:F2:D4:A1:83

The replacement in Puppet 6 is puppetserver ca list. Most likely this can be closed.

Josh Cooper (JIRA)

Dec 4, 2019, 11:21:05 AM
to puppe...@googlegroups.com

Jonny (JT) Tripathy (JIRA)

Dec 11, 2019, 10:26:04 AM
to puppe...@googlegroups.com
Jonny (JT) Tripathy commented on Bug PUP-10159
 
Re: Can't differentiate between cert and request on Puppet Server

Hey Josh,

Thanks for the information. We are not seeing the '+' sign for a cert request. Please see the attached 2 new screenshots for a test "test.jt" cert request.

Thanks

JT

Jonny (JT) Tripathy (JIRA)

Dec 11, 2019, 10:26:04 AM
to puppe...@googlegroups.com
Jonny (JT) Tripathy updated an issue
 
Change By: Jonny (JT) Tripathy
Attachment: Screen Shot 2019-12-11 at 15.23.56.png
Attachment: Screen Shot 2019-12-11 at 15.24.59.png

Jonny (JT) Tripathy (JIRA)

Dec 11, 2019, 10:27:04 AM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Dec 11, 2019, 12:05:05 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Bug PUP-10159
 
Re: Can't differentiate between cert and request on Puppet Server

In puppetserver ca, there are section markers dividing CSRs from signed certs from revoked certs. I'm now realizing that this interacts badly with grep. Run the command without the grep to see what I mean.

Justin Stoller (JIRA)

Dec 12, 2019, 7:13:04 PM
to puppe...@googlegroups.com

I think this is captured in SERVER-2252 but is a good point for prioritizing that work.

Maggie Dreyer (JIRA)

Dec 16, 2019, 6:17:04 PM
to puppe...@googlegroups.com

Interestingly, I'm seeing - for both signed and revoked certs (though this could be due to issues with my dev environment), and nothing for CSRs. https://github.com/puppetlabs/puppet/blob/5.5.x/lib/puppet/ssl/certificate_authority/interface.rb#L11 would seem to me to indicate that we expect no leading symbol for CSRs, but a + for signed certs.

Maggie Dreyer (JIRA)

Dec 19, 2019, 5:26:05 PM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Dec 19, 2019, 5:26:05 PM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Dec 19, 2019, 7:14:05 PM
to puppe...@googlegroups.com
Maggie Dreyer assigned an issue to Unassigned
Change By: Maggie Dreyer
Assignee: Josh Cooper

Josh Cooper (Jira)

Jan 27, 2021, 3:06:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10159
 
Re: Can't differentiate between cert and request on Puppet Server

Ah I was mistaken earlier. It looks like puppet cert list returns + for signed certs (untidy-keeping.delivery.puppetlabs.net), - for revoked certs (neptune) and no leading symbol for CSR (testing) as Maggie Dreyer said:

# puppet --version
5.5.22
# puppet cert list --all
Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
  "testing"                                (SHA256) 07:7A:FB:52:13:24:C3:03:08:25:97:7F:58:34:69:8F:B1:5C:14:3F:D0:55:44:E5:64:81:CE:BA:6E:09:60:37
+ "untidy-keeping.delivery.puppetlabs.net" (SHA256) 69:32:38:B1:1C:21:E9:ED:4B:E3:C5:96:3D:96:DA:01:FC:EF:BA:EE:A9:98:AF:8D:98:9F:49:A5:13:C6:87:37 (alt names: "DNS:puppet", "DNS:untidy-keeping.delivery.puppetlabs.net") **
- "neptune"                                (SHA256) 27:66:2A:7C:F9:DC:59:3A:4D:6B:6A:67:72:9E:35:E7:A3:98:85:8F:91:B6:A7:99:98:21:DC:9A:6E:E2:BA:22 (certificate revoked)

Adding that information to the puppetserver ca command is filed as SERVER-2252. And the puppet cert command was removed in puppet 7, so I think the remaining issue is the PE console doesn't make the same distinction in the PE UI? So I'll move this ticket to the PE project.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
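
Added example (not part of the thread and not Puppet's own code): a small Ruby parser for the `puppet cert list --all` output format quoted in the last comment, mapping the leading marker to a certificate state so that pending requests are not mistaken for signed certs. The certnames come from the thread; the fingerprints are constructed placeholders, and the constant and function names are this example's own.

```ruby
# Added example: parse `puppet cert list --all` (Puppet 5.5.x) output.
# Marker meaning follows the thread: "+" signed, "-" revoked, none = pending CSR.

# Constructed sample: names from the thread, fingerprints are placeholders.
SAMPLE = <<~'OUT'
  Warning: `puppet cert` is deprecated and will be removed in a future release.
     (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
    "testing"                                (SHA256) AA:00:00:01
  + "untidy-keeping.delivery.puppetlabs.net" (SHA256) AA:00:00:02 (alt names: "DNS:puppet") **
  - "neptune"                                (SHA256) AA:00:00:03 (certificate revoked)
OUT

STATES = { "+" => :signed, "-" => :revoked, nil => :requested }.freeze

# Optional marker, quoted certname, digest name, colon-separated hex fingerprint,
# then any trailing annotation such as alt names or "(certificate revoked)".
LINE = /\A(?<mark>[+-])?\s*"(?<name>[^"]+)"\s+\((?<digest>[A-Z0-9]+)\)\s+(?<fp>(?:\h{2}:)+\h{2})(?<rest>.*)\z/

def parse_cert_list(text)
  text.each_line.map do |line|
    m = LINE.match(line.chomp)
    next unless m # skips the deprecation warning, its location line, blanks
    { name: m[:name], state: STATES.fetch(m[:mark]), digest: m[:digest],
      fingerprint: m[:fp], note: m[:rest].strip }
  end.compact
end

def names_in_state(text, state)
  parse_cert_list(text).select { |e| e[:state] == state }.map { |e| e[:name] }
end

if __FILE__ == $PROGRAM_NAME
  parse_cert_list(SAMPLE).each do |e|
    puts format("%-10s %s %s", e[:state], e[:name], e[:note])
  end
end
```

In this format the state marker sits on the same line as the certname, so filtering the output by name keeps the state.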