Jira (PUP-10424) if certname entry is not in [main] section of puppet.conf file provide a warning


Lucas Young (Jira)

Apr 15, 2020, 12:40:03 PM
to puppe...@googlegroups.com
Lucas Young updated an issue

Puppet / Bug PUP-10424
if certname entry is not in [main] section of puppet.conf file provide a warning
Change By: Lucas Young
Puppet Version: 5.5.19
Puppet Server Version: 2018.1.13
OS Name/Version: RHEL7

If the certname entry is only in the [agent] and not in the [main] section of the puppet.conf file, it will break various commands such as puppet config print, and other dependent commands that require this to be fully functional.

Desired Behavior:

If this is detected via a Puppet run, it would be beneficial to have a warning to inform the user that functionality is limited and/or call out the specific sub commands that this affects.

Actual Behavior:

Steps to reproduce:
1. remove certname entry from [main] section of puppet.conf file
2. Run puppet config print


Lucas Young (Jira)

Apr 15, 2020, 12:40:04 PM
to puppe...@googlegroups.com
Lucas Young created an issue
Issue Type: Bug
Affects Versions: PUP 5.5.z
Assignee: Unassigned
Created: 2020/04/15 9:39 AM
Priority: Normal
Reporter: Lucas Young

Puppet Version: 5.5.19
Puppet Server Version: 2018.1.13
OS Name/Version: RHEL7

If the certname entry is only in the [agent] and not in the [main] section of the puppet.conf file, it will break various commands such as puppet config print, and other dependent commands that require this to be fully functional.

Desired Behavior: 

If this is detected via a Puppet run, it would be beneficial to have a warning to inform the user that functionality is limited and/or call out the specific sub commands that this affects.

Actual Behavior:

Steps to reproduce:

1. remove certname entry from [main] section of puppet.conf file
2. Run puppet config print

Lucas Young (Jira)

Apr 15, 2020, 12:43:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 16, 2020, 2:50:03 PM
to puppe...@googlegroups.com

"If this is detected via a Puppet run"

Do you mean during a puppet agent run? Or any puppet command? Would warning in puppet config set certname <value> be sufficient? Or is the certname getting set through another tool?

Michael Hudson (Jira)

Apr 16, 2020, 6:37:04 PM
to puppe...@googlegroups.com

I wanted to add an example of the issue in case it helps. In the example below you can see that 'puppet config print certname' returns fine when the certname setting is either not used (uses FQDN by default I believe) and also when certname is set in the [main] section of puppet.conf. When it is set in the [agent] section of puppet.conf you can see that the original FQDN is returned instead of the certname, despite the fact that the certname setting in this section does work for requesting a cert with that name.

No certname setting used (certname, and hostcert and hostprivkey config settings use FQDN as expected)

[root@mh-r7cer1735 ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetstack0.devint.sv.cloud.wellsfargo.net
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root@mh-r7cer1735 ~]# puppet config print certname hostcert hostprivkey
certname = mh-r7cer1735.devint.cloud.wellsfargo.net
hostcert = /etc/puppetlabs/puppet/ssl/certs/mh-r7cer1735.devint.cloud.wellsfargo.net.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/mh-r7cer1735.devint.cloud.wellsfargo.net.pem

certname in the agent section (certname, hostcert, or hostprivkey config settings NOT set correctly). In this case I would expect an error or warning that the certname is used in the wrong section since it is not being honored for everything that should use it (you can see that when requesting a new cert be signed it is honored for that action)

[root@mh-r7cer1735 ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root@mh-r7cer1735 ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetstack0.devint.sv.cloud.wellsfargo.net
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
certname = foo.bar
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root@mh-r7cer1735 ~]# puppet config print certname hostcert hostprivkey
certname = mh-r7cer1735.devint.cloud.wellsfargo.net
hostcert = /etc/puppetlabs/puppet/ssl/certs/mh-r7cer1735.devint.cloud.wellsfargo.net.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/mh-r7cer1735.devint.cloud.wellsfargo.net.pem

[root@mh-r7cer1735 ~]# mv /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.bak
[root@mh-r7cer1735 ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...

certname in the main section (certname, hostcert, and hostprivkey config settings are set correctly). In this case everything works as expected, including the cert request and config settings.

[root@mh-r7cer1735 ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root@mh-r7cer1735 ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
certname = foo.bar
server = puppetstack0.devint.sv.cloud.wellsfargo.net
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root@mh-r7cer1735 ~]# puppet config print certname hostcert hostprivkey
certname = foo.bar
hostcert = /etc/puppetlabs/puppet/ssl/certs/foo.bar.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/foo.bar.pem

[root@mh-r7cer1735 ~]# rm -rf /etc/puppetlabs/puppet/ssl
[root@mh-r7cer1735 ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...

Michael Hudson (Jira)

Apr 16, 2020, 6:43:03 PM
to puppe...@googlegroups.com

Also, to clarify, we would normally set the certname setting using 'puppet config set certname <VALUE>', but in reality there are lots of cases where someone will edit puppet.conf manually as I did in the examples above.

In my opinion, when any puppet command is run that reads the config file, a warning should be presented if settings are used in a section where they should not be.
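
The check asked for in this thread, written out as an added example rather than anything from Puppet itself: a small Ruby script that parses an INI-style puppet.conf, records which section each setting lands in, and reports any setting that appears in a non-[main] section without a [main] entry. The list of settings it treats as "must be in [main]" contains only certname, which is the one case the thread documents; the parser, the sample configuration text (modelled on the examples above but with placeholder hostnames) and the warning wording are all this example's own assumptions, not Puppet behaviour.

```ruby
# Added example (not Puppet's own code): a minimal puppet.conf linter that warns
# when a setting is placed in a section where only some commands will honor it.
require 'set'

# Parse an INI-style puppet.conf into { section => { key => value } }.
# Settings that appear before any [section] header are attributed to "main".
def parse_puppet_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
      sections[current] # make sure an empty section is still recorded
      next
    end
    key, value = line.split('=', 2)
    next if value.nil? # not a key = value line; ignore
    sections[current][key.strip] = value.strip.sub(/\s+#.*\z/, '')
  end
  sections
end

# Assumption for this example: settings that must live in [main] for every
# command to see them. certname comes from the thread; extend as needed.
MAIN_ONLY_SETTINGS = Set['certname'].freeze

# Return one warning string per main-only setting that is set in some other
# section but not in [main] (the situation shown above with certname in [agent]).
def misplaced_settings(sections)
  warnings = []
  sections.each do |section, settings|
    next if section == 'main'
    settings.each_key do |key|
      next unless MAIN_ONLY_SETTINGS.include?(key)
      next if sections.key?('main') && sections['main'].key?(key)
      warnings << "Warning: '#{key}' is set in [#{section}] but not in [main]; " \
                  "'puppet config print #{key}' and commands that rely on it will not honor it"
    end
  end
  warnings
end

def lint_puppet_conf(text)
  misplaced_settings(parse_puppet_conf(text))
end

# Constructed sample configurations (placeholder hostnames, not real hosts).
CONF_CERTNAME_IN_AGENT = <<~CONF
  [main]
  server = puppet.example.test
  # comment lines are ignored by the parser
  [agent]
  certname = foo.bar
  noop = true
CONF

CONF_CERTNAME_IN_MAIN = <<~CONF
  [main]
  certname = foo.bar
  server = puppet.example.test
  [agent]
  noop = true
CONF

if __FILE__ == $PROGRAM_NAME
  { 'certname in [agent]' => CONF_CERTNAME_IN_AGENT,
    'certname in [main]'  => CONF_CERTNAME_IN_MAIN }.each do |label, conf|
    puts "== #{label}"
    warnings = lint_puppet_conf(conf)
    puts(warnings.empty? ? 'no misplaced settings' : warnings)
  end
end
```

Running it prints one warning for the first configuration (certname only in [agent]) and none for the second, which matches the two outcomes shown in the terminal sessions above. The lookup of a [main] entry is what keeps the check from firing when certname is legitimately set in both sections.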

Michael Hudson (Jira)

Apr 16, 2020, 6:44:03 PM
to puppe...@googlegroups.com

Ugh, looks like my previous comment with the examples was removed???
