Jira (PUP-10426) if certname entry is not in [main] section of puppet.conf file provide a warning


Lucas Young (Jira)

Apr 17, 2020, 10:43:03 AM
to puppe...@googlegroups.com
Lucas Young created an issue
 
Puppet / Improvement PUP-10426
if certname entry is not in [main] section of puppet.conf file provide a warning
Issue Type: Improvement
Affects Versions: PUP 5.5.z
Assignee: Unassigned
Created: 2020/04/17 7:42 AM
Priority: Normal
Reporter: Lucas Young

*Puppet Version: 5.5.19
Puppet Server Version: 2018.1.13
OS Name/Version: RHEL7*

If the certname entry is only in the [agent] section and not in the [main] section of the puppet.conf file, it will break various commands such as puppet config print, and other dependent commands that require this setting to be fully functional.

*Desired Behavior: *

If this is detected via a Puppet run, it would be beneficial to have a warning to inform the user that functionality is limited and/or call out the specific sub commands that this affects.

Steps to reproduce:

1. Remove the certname entry from the [main] section of the puppet.conf file
2. Run puppet config print


Michael Hudson (Jira)

Apr 17, 2020, 5:02:03 PM
to puppe...@googlegroups.com
Michael Hudson commented on Improvement PUP-10426
 
Re: if certname entry is not in [main] section of puppet.conf file provide a warning

Adding a new comment to truly show what happens in the various scenarios.

Certname setting not used (certname, hostcert, and hostprivkey config settings use FQDN as expected)...
{noformat}
[root ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = <servername fqdn>

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = abc123.example.net
hostcert = /etc/puppetlabs/puppet/ssl/certs/abc123.example.net.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/abc123.example.net.pem
{noformat}

Certname setting in agent section (certname, hostcert, and hostprivkey config settings still using FQDN but requesting new cert honors the certname setting)...
{noformat}
[root ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = <servername fqdn>

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
certname = foo.bar
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = abc123.example.net
hostcert = /etc/puppetlabs/puppet/ssl/certs/abc123.example.net.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/abc123.example.net.pem

[root ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...
{noformat}

Certname setting in main section (certname, hostcert, and hostprivkey config settings as well as new cert request honor the certname setting)...
{noformat}
[root ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
certname = foo.bar
server = <servername fqdn>

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = foo.bar
hostcert = /etc/puppetlabs/puppet/ssl/certs/foo.bar.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/foo.bar.pem

[root ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...
{noformat}

Lucas Young (Jira)

Apr 17, 2020, 5:07:03 PM
to puppe...@googlegroups.com
Lucas Young updated an issue
 
Change By: Lucas Young
Comment: I wanted to add an example of the issue in case it helps. In the example below you can see that 'puppet config print certname' returns fine when the certname setting is either not used (uses FQDN by default, I believe) and also when certname is set in the [main] section of puppet.conf. When it is set in the [agent] section of puppet.conf you can see that the original FQDN is returned instead of the certname, despite the fact that the certname setting in this section does work for requesting a cert with that name.

No certname setting used (certname, and hostcert and hostprivkey config settings use FQDN as expected)

{code:java}
[root@ ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = <server fqdn>
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = foo.bar
hostcert = /etc/puppetlabs/puppet/ssl/certs/foo.bar.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/foo.bar.pem
{code}

Certname in the agent section (certname, hostcert, and hostprivkey config settings NOT set correctly). In this case I would expect an error or warning that the certname is used in the wrong section, since it is not being honored for everything that should use it (you can see that when requesting a new cert be signed it is honored for that action).


{code:java}

[root ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = <servername fqdn>

certname = foo.bar
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = foo.bar
hostcert = /etc/puppetlabs/puppet/ssl/certs/foo.bar.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/foo.bar.pem

[root ~]# mv /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.bak

[root ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...
{code}


Certname in the main section (certname, hostcert, and hostprivkey config settings are set correctly). In this case everything works as expected, including the cert request and config settings.

{code:java}
[root ~]# vi /etc/puppetlabs/puppet/puppet.conf
[root ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
certname = foo.bar
server = <server fqdn>
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
noop = true
runinterval = 24h
digest_algorithm = sha256
splay = true

[root ~]# puppet config print certname hostcert hostprivkey
certname = foo.bar
hostcert = /etc/puppetlabs/puppet/ssl/certs/foo.bar.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/foo.bar.pem

[root ~]# rm -rf /etc/puppetlabs/puppet/ssl

[root ~]# puppet agent -t
Info: Creating a new SSL key for foo.bar
Info: Caching certificate for ca
...
...
{code}
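An added check, not part of this ticket or of Puppet's own code, that parses a puppet.conf and emits the warning the report asks for. It models the per-section lookup the scenarios above exhibit (a run mode reads its own section, then [main]; a setting found in neither falls back to the built-in default, the host FQDN for certname), so it shows why puppet config print and puppet agent disagree; the lookup order, the sample config and the server name are assumptions.

```python
import re
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

# Constructed puppet.conf reproducing the report's broken case: certname only in [agent].
SAMPLE_CONF = """\
[main]
server = puppet.example.net   # placeholder server name
[agent]
certname = foo.bar
noop = true
"""

def parse_puppet_conf(text: str) -> Conf:
    """Minimal parser: [section] headers, key = value lines, '#' comments."""
    conf: Conf = {"main": {}}
    section = "main"  # settings before any header belong to [main]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[section][key.strip()] = value.strip()
    return conf

def resolve(conf: Conf, setting: str, section: str) -> Optional[str]:
    """Assumed lookup order: the run mode's own section, then [main]; None = built-in default (FQDN)."""
    for sec in (section, "main"):
        if setting in conf.get(sec, {}):
            return conf[sec][setting]
    return None

def certname_warnings(conf: Conf) -> List[str]:
    """The warning the ticket asks for: certname set in a section but missing from [main]."""
    warnings = []
    for sec, settings in conf.items():
        if sec != "main" and "certname" in settings and "certname" not in conf["main"]:
            warnings.append(f"certname = {settings['certname']} is set in [{sec}] but not [main]; "
                            f"'puppet config print' and other run modes will use the FQDN instead")
    return warnings

if __name__ == "__main__":
    print(*certname_warnings(parse_puppet_conf(SAMPLE_CONF)), sep="\n")
```

To confirm the mismatch on a real host, compare puppet config print certname with puppet config print --section agent certname; the ssl directory names the cert and key after whichever value each command resolves.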

Rob Braden (Jira)

Apr 20, 2020, 1:58:04 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 21, 2020, 12:39:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 18, 2020, 1:35:04 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Oct 15, 2020, 1:53:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-10426
 
Re: if certname entry is not in [main] section of puppet.conf file provide a warning

This is a dup of PUP-9481. Bad things happen if the certname is specified in sections other than main.

Josh Cooper (Jira)

Oct 23, 2020, 8:03:03 PM
to puppe...@googlegroups.com