[Bug]: puppet apply warns about missing client certificates #21

Open
anthonyryan1 opened this issue Mar 4, 2025 · 0 comments · May be fixed by #22
Labels
bug Something isn't working

Comments


anthonyryan1 commented Mar 4, 2025

Is this a critical security issue?

  • This is not a security issue.

Describe the Bug

When running puppet in masterless mode, where you only run puppet apply on a manifest file, rather than a puppet master and puppet agent, the resulting server does not require certificates because there is no master to communicate with.

When running puppet apply, however, there is a false positive warning about the client certificate not existing, when it's not relevant to that execution mode.

Expected Behavior

No warning for a client certificate not existing, when one is not expected to exist.

Steps to Reproduce

Make a minimal test.pp manifest file:

file {
  '/tmp/composer':
    mode   => '0755',
    source => 'https://getcomposer.org/download/2.8.6/composer.phar';
}

Execute:

puppet apply test.pp

Environment

Version: 8.13
Platform: Gentoo Linux

Additional Context

No response

Relevant log output

Notice: Compiled catalog for phenom in environment production in 0.01 seconds
Warning: Private key for 'fqdn' does not exist
Warning: Client certificate for 'fqdn' does not exist
Notice: /Stage[main]/Main/File[/tmp/composer]/ensure: defined content as '{mtime}2025-02-25 12:03:50 UTC'
Notice: Applied catalog in 0.25 seconds
@anthonyryan1 anthonyryan1 added the bug Something isn't working label Mar 4, 2025
binford2k added a commit to binford2k/puppet that referenced this issue Mar 4, 2025
When there are no clientcerts, Puppet will warn when it creates an
`SSLContext` for HTTPS operations. This situation occurs when you run
entirely serverless and never generate clientcerts. It's spurious in
that case, so we don't actually need to warn about it.

This behaviour was added in OpenVoxProject@3f7f830
so that the new HTTP client could download files via HTTPS from the
puppetserver (for example, the way that pe_repo works).

To prevent this being a failure when running `puppet apply` in
serverless mode, it explicitly marks the clientcerts as optional in
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98
and
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103

This goes one step further and sets the output to `INFO` rather than `WARN`
when running `puppet apply`.

This does have one small edge case. If,

1. You intend to run a standard server/agent setup, and
2. Before ever running `puppet agent -t` you run `puppet apply` for
   provisioning purposes, and
3. Part of that Puppet run attempts to download a file from the
   puppetserver

Then you will get a certificate validation error and the HTTPS request
will fail silently with only an `INFO` message as a hint explaining why.

To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.

Fixes OpenVoxProject#21
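The edge case the commit message above describes, as an added example (not Puppet's code, and not part of the issue or the PR): a small Ruby script that builds a TLS client whose client key and certificate are optional, records their absence at INFO under an assumed apply mode and at WARN otherwise, and points it at a local server that requires mutual TLS, standing in for a puppetserver file source. The throwaway CA and certificates, the `apply_mode` flag and the `build_client_context`, `start_mtls_server`, `fetch` and `demo` helpers are all constructed here and are assumptions; the two log messages reuse the wording from the issue's log output. Ruby's standard `openssl` and `socket` libraries are the only dependencies.

```ruby
# Added example, not Puppet's code: a TLS client whose client key and cert are
# optional (as the commit describes for puppet apply) against a mutual-TLS server.
require 'openssl'
require 'socket'
# Constructed throwaway PKI: a self-signed CA plus the leaf certs it issues.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(63)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost')) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical stand-in for the behaviour the commit describes (not Puppet's
# ssl_provider): client identity is optional; its absence is :info under apply, :warn otherwise.
def build_client_context(ca_cert, client_key: nil, client_cert: nil, apply_mode: false)
  events = []
  level = apply_mode ? :info : :warn
  ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # the server is always verified
  ctx.verify_hostname = true
  if client_key && client_cert
    ctx.key = client_key
    ctx.cert = client_cert
  else # same wording as the log output in the issue
    events << [level, "Private key for 'fqdn' does not exist"]
    events << [level, "Client certificate for 'fqdn' does not exist"]
  end
  [ctx, events]
end

# Server that rejects any handshake lacking a CA-signed client certificate.
def start_mtls_server(server_cert, server_key, ca_cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = server_cert
  sctx.key = server_key
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  sctx.cert_store = store
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  thread = Thread.new do
    loop do
      conn = server.accept # raises when the client presents no certificate
      conn.puts 'ok'
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError # rejected handshake; keep serving
    end
  end
  [tcp.addr[1], thread, tcp]
end

# One request: handshake, read one line. :ok on success, :rejected otherwise.
def fetch(port, ctx)
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = 'localhost'
  ssl.sync_close = true
  ssl.connect
  line = ssl.gets # under TLS 1.3 the rejection may only surface here
  ssl.close
  line == "ok\n" ? :ok : :rejected
rescue OpenSSL::SSL::SSLError, EOFError, SystemCallError
  sock&.close
  :rejected
end

def demo
  ca_key, srv_key, cli_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca_cert = issue_cert('/CN=Constructed Test CA', ca_key, ca: true)
  srv_cert = issue_cert('/CN=localhost', srv_key, issuer: ca_cert, issuer_key: ca_key)
  cli_cert = issue_cert('/CN=fqdn', cli_key, issuer: ca_cert, issuer_key: ca_key)
  port, thread, tcp = start_mtls_server(srv_cert, srv_key, ca_cert)
  results = {}
  ctx, events = build_client_context(ca_cert, apply_mode: true) # the edge case: apply before clientcerts exist
  results[:apply_no_certs] = { result: fetch(port, ctx), log: events }
  ctx, events = build_client_context(ca_cert, apply_mode: false) # agent path: same failure, surfaced as WARN
  results[:agent_no_certs] = { result: fetch(port, ctx), log: events }
  ctx, events = build_client_context(ca_cert, client_key: cli_key, client_cert: cli_cert, apply_mode: true) # the fix
  results[:apply_with_certs] = { result: fetch(port, ctx), log: events }
  thread.kill
  tcp.close
  results
end
if $PROGRAM_NAME == __FILE__
  demo.each { |name, r| puts "#{name}: #{r[:result]} #{r[:log].map { |l, m| "#{l.upcase}: #{m}" }}" }
end
```

Running it shows the three outcomes the commit message weighs: without clientcerts the request to the mutual-TLS server is rejected whether the hint is recorded at INFO or WARN, and once a CA-signed key and certificate are supplied the same request succeeds with no message at all. Downgrading the message to INFO therefore changes only how visible the explanation is, not whether the download fails, which is exactly the tradeoff the commit asks for opinions on.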