Jira (PUP-7667) puppet agent doesn't create certificate with FQDN if /etc/hostname contains FQDN, but search domain is not set


Florian Klink (JIRA)
Jun 15, 2017, 6:09:03 AM
to puppe...@googlegroups.com
Florian Klink created an issue
 
Puppet / Bug PUP-7667
puppet agent doesn't create certificate with FQDN if /etc/hostname contains FQDN, but search domain is not set
Issue Type: Bug
Assignee: Unassigned
Created: 2017/06/15 3:08 AM
Environment:

Debian 9 (stretch) amd64
puppet-4.8.2-5, facter 2.4.6-1 from Debian Package Repository

Priority: Normal
Reporter: Florian Klink

When adding a new node which has an FQDN set in /etc/hostname, the generated CSR on the puppet agent doesn't include the FQDN, as long as no DNS search domain is set. This makes things weird, as a second CSR will be generated when the network is set up properly and the DNS domain suddenly appears:

This might be due to facter not showing the FQDN correctly, but I'm unsure whether the puppet agent derives the CSR name from facter or not.

root@puppettest:~# cat /etc/hostname
puppettest.mydomain.com

root@puppettest:~# facter hostname
puppettest
root@puppettest:~# facter fqdn
puppettest

root@puppettest:~# puppet agent --server puppet.mydomain.com --waitforcert 10 -t --verbose
Info: Creating a new SSL key for puppettest
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppettest
Info: Certificate Request fingerprint (SHA256): F5:09:15:AD:A1:2A:F2:85:9E:A1:65:C9:23:9F:A4:16:50:36:89:8A:06:6F:FC:45:4F:6D:00:E9:1D:BA:25:C0
Info: Caching certificate for ca
Notice: Did not receive certificate

As soon as I add "domain mydomain.com" to /etc/resolv.conf, facter fqdn shows "puppettest.mydomain.com", and the puppet agent generates a new certificate on the next run.

I think it should be more consistent to take the FQDN from $(hostname), if one is set there, instead of only $(hostname -s), and add one from /etc/resolv.conf if set. This applies both to facter fqdn and the agent's method of deriving the certificate name.

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Josh Cooper (JIRA)
Jun 23, 2017, 6:54:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper

Josh Cooper (JIRA)
Jun 23, 2017, 7:04:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-7667
 
Re: puppet agent doesn't create certificate with FQDN if /etc/hostname contains FQDN, but search domain is not set

Puppet's certname is by default taken from a combination of facter hostname and facter domain, see https://github.com/puppetlabs/puppet/blob/master/lib/puppet/settings.rb#L63-L72.

The agent's CSR/private key/cert are saved on disk using its fqdn, e.g. /etc/puppetlabs/puppet/ssl/certs/<fqdn>.pem. So if the fqdn changes, then the agent will think it doesn't have a cert, and will generate a new CSR using the new fqdn.

It's unlikely we will change this behavior (puppet has always worked this way), so I'm inclined to mark this as won't fix.

Also note you can set the certname setting, and that will always take precedence over the fqdn, in situations where you need a stable certname despite the fqdn changing.

Florian Klink (JIRA)
Jun 30, 2017, 8:32:02 AM
to puppe...@googlegroups.com
Florian Klink commented on Bug PUP-7667

I still think it's wrong to ignore an FQDN set in /etc/hostname. Looking at facter's code for 'fqdn', it will only mumble-jumble with /etc/resolv.conf if the hostname is not already fully qualified: https://github.com/puppetlabs/facter/blob/d53ef63aab6d73f11e9f647aca59dee36ad479af/lib/src/facts/posix/networking_resolver.cc#L60

So IMHO, default_certname should simply also use facter's fqdn value.
For hosts without a fqdn set in /etc/hostname, this shouldn't change things at all (as it will still combine /etc/resolv.conf as before, but this will then be done in facter).

Of course, this would still be something for a major release, as it will change behaviour for hosts with an FQDN set in /etc/hostname that differs from a domain set in /etc/resolv.conf, but it will still make things much more consistent.
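As an added example (not Puppet's or Facter's own code), the Ruby script below models both certname derivations discussed in this thread: the hostname-plus-domain default Josh describes and the FQDN-first rule Florian proposes, alongside the explicit certname override. The kernel hostname and resolv.conf contents are constructed, and the resolv.conf handling is a simplified stand-in for facter's.

```ruby
# Added example, not Puppet's or Facter's code: a simplified model of the two
# certname derivations discussed above. Inputs are plain strings, so it runs
# offline; the hostname and resolv.conf contents below are constructed.

# Return the first "domain" or "search" value in resolv.conf text, or nil.
def resolv_domain(resolv_conf)
  resolv_conf.each_line do |line|
    key, *values = line.sub(/#.*/, '').split
    return values.first if %w[domain search].include?(key) && !values.empty?
  end
  nil
end

# Legacy default (Josh's description): short hostname joined with the domain
# fact, which in this model comes only from resolv.conf.
def legacy_certname(kernel_hostname, resolv_conf)
  short = kernel_hostname.split('.', 2).first
  domain = resolv_domain(resolv_conf)
  domain ? "#{short}.#{domain}" : short
end

# FQDN-first (Florian's proposal): keep a domain already present in the kernel
# hostname and consult resolv.conf only when there is none.
def fqdn_certname(kernel_hostname, resolv_conf)
  short, domain = kernel_hostname.split('.', 2)
  domain ||= resolv_domain(resolv_conf)
  domain ? "#{short}.#{domain}" : short
end

# An explicit certname setting takes precedence over any derived name.
def effective_certname(settings, kernel_hostname, resolv_conf)
  settings['certname'] || legacy_certname(kernel_hostname, resolv_conf)
end

# The agent keys its cert on <ssldir>/certs/<certname>.pem; a certname with no
# cert on disk means a fresh key and CSR. `existing` lists certnames on disk.
def needs_new_csr?(existing, certname)
  !existing.include?(certname)
end

HOSTNAME      = 'puppettest.mydomain.com'                    # constructed
RESOLV_BEFORE = "nameserver 10.0.0.53\n"                      # no search domain yet
RESOLV_AFTER  = "domain mydomain.com\nnameserver 10.0.0.53\n" # domain added later

first  = legacy_certname(HOSTNAME, RESOLV_BEFORE)
second = legacy_certname(HOSTNAME, RESOLV_AFTER)
puts "legacy: #{first} -> #{second}; second CSR? #{needs_new_csr?([first], second)}"
puts "fqdn-first: #{fqdn_certname(HOSTNAME, RESOLV_BEFORE)} -> #{fqdn_certname(HOSTNAME, RESOLV_AFTER)}"
puts "pinned: #{effective_certname({ 'certname' => HOSTNAME }, HOSTNAME, RESOLV_AFTER)}"
```

The legacy path yields a different name before and after the search domain appears, which is exactly the duplicate-CSR symptom; pinning certname or using the FQDN-first rule keeps the name stable across both states.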

Mikker Gimenez (JIRA)
Dec 12, 2017, 5:10:03 PM
to puppe...@googlegroups.com
Mikker Gimenez updated an issue
Change By: Mikker Gimenez
Team: InfraCore

Josh Cooper (JIRA)
Oct 1, 2019, 4:57:03 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Unassigned
Change By: Josh Cooper
Assignee: Daniel Dreier

Josh Cooper (JIRA)
Oct 1, 2019, 5:00:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Acceptance Criteria: Puppet should default its certname to the {{facter fqdn}} fact and fallback to {{$(facter hostname).$(facter domain)}}.

Josh Cooper (Jira)
Aug 17, 2020, 8:25:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Coremunity Night's Watch

Ciprian Badescu (Jira)
Aug 19, 2020, 8:57:03 AM
to puppe...@googlegroups.com
Ciprian Badescu commented on Bug PUP-7667
 
Re: puppet agent doesn't create certificate with FQDN if /etc/hostname contains FQDN, but search domain is not set

I was not able to reproduce the issue on Ubuntu 20.04/Puppet 6.17.

Looking at the source code, facter is using the `gethostname` syscall to read the full hostname and is using the domain part from there, if available. This implies that `hostname -f` and `echo $(facter hostname).$(facter domain)` should have the same output as long as `hostname -f` contains a domain part.

The file /etc/hostname is normally used by Linux during startup to set the system hostname, but I expect `facter` to be in sync with the system hostname (as shown by `hostname -f`), as the file may be out of sync. In this case, was the /etc/hostname file in sync with the `hostname -f` command?

Florian Klink, are you also able to reproduce the issue on newer versions of puppet?

Florian Klink (Jira)
Aug 20, 2020, 3:30:03 AM
to puppe...@googlegroups.com
Florian Klink commented on Bug PUP-7667
 
Re: puppet agent doesn't create certificate with FQDN if /etc/hostname contains FQDN, but search domain is not set

I don't use puppet anymore, so can't check again, sorry.

If you can't reproduce it anymore, feel free to close this issue.
