From b49d0846dbcf5692c29e5ca7fd3c927c96485df7 Mon Sep 17 00:00:00 2001
From: Ben Ford
Date: Mon, 3 Mar 2025 20:20:00 -0800
Subject: [PATCH 1/2] Prevents spurious clientcert warnings in serverless mode

When there are no clientcerts, Puppet will warn when it creates an `SSLContext` for HTTPS operations. This situation occurs when you run entirely serverless and never generate clientcerts. It's spurious in that case, so we don't actually need to warn about it.

This behaviour was added in https://github.com/OpenVoxProject/puppet/commit/3f7f830f0aef6fd3d1bf77a441d4000b9a586ed0 so that the new HTTP client could download files via HTTPS from the puppetserver (for example, the way that pe_repo works). To prevent this being a failure when running `puppet apply` in serverless mode, it explicitly marks the clientcerts as optional in https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98 and https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103.

This goes one step further and sets the output to `INFO` rather than `WARN` when running `puppet apply`.

This does have one small edge case. If,

1. You intend to run a standard server/agent setup, and
2. Before ever running `puppet agent -t` you run `puppet apply` for provisioning purposes, and
3. Part of that Puppet run attempts to download a file from the puppetserver

Then you will get a certificate validation error and the HTTPS request will fail silently with only an `INFO` message as a hint explaining why. To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.

This will need specs before merging.

Fixes #21
---
 lib/puppet/ssl/ssl_provider.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb
index 8b2d7a71b0..751603f81f 100644
--- a/lib/puppet/ssl/ssl_provider.rb +++ b/lib/puppet/ssl/ssl_provider.rb @@ -97,12 +97,14 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_clie cert_provider = Puppet::X509::CertProvider.new private_key = cert_provider.load_private_key(Puppet[:certname], required: false) unless private_key - Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist") + msg = "Private key for '#{Puppet[:certname]}' does not exist" + Puppet.run_mode.name == :user ? Puppet.info(msg) : Puppet.warning(msg) end client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false) unless client_cert - Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist") + msg "Client certificate for '#{Puppet[:certname]}' does not exist" + Puppet.run_mode.name == :user ? Puppet.info(msg) : Puppet.warning(msg) end if private_key && client_cert From 05d4d34d41844d4005605ed16d62eddbe768d39c Mon Sep 17 00:00:00 2001 From: Ben Ford Date: Tue, 4 Mar 2025 09:54:50 -0800 Subject: [PATCH 2/2] fix typo --- lib/puppet/ssl/ssl_provider.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb index 751603f81f..0ec6b0d932 100644 --- a/lib/puppet/ssl/ssl_provider.rb +++ b/lib/puppet/ssl/ssl_provider.rb @@ -103,7 +103,7 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_clie client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false) unless client_cert - msg "Client certificate for '#{Puppet[:certname]}' does not exist" + msg = "Client certificate for '#{Puppet[:certname]}' does not exist" Puppet.run_mode.name == :user ? Puppet.info(msg) : Puppet.warning(msg) end
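Review bot: in the first hunk of PATCH 1/2, the second `unless client_cert` branch drops the assignment (`msg "Client certificate for '#{Puppet[:certname]}' does not exist"`), so with no client cert present that branch raises NoMethodError for the undefined method `msg` instead of logging anything; PATCH 2/2 restores the `=`, so squash the two before merging so that no revision in history ships a `create_system_context` that raises on the serverless path this change is meant to quiet. The `Puppet.run_mode.name == :user ? Puppet.info(msg) : Puppet.warning(msg)` ternary is duplicated verbatim in both branches; a small private helper taking the message would keep the two call sites from drifting. Also note that the gate is the run mode, not whether a server is configured, so in the `puppet apply`-before-first-agent-run case the commit message describes the later TLS client-auth failure will be hinted only by an info-level line; the specs the message promises should cover both the `:user` and the `:agent` path.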
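Review bot: the hunk in PATCH 2/2 only restores the `=` that PATCH 1/2 omitted in `msg = "Client certificate for '#{Puppet[:certname]}' does not exist"`; fold it into the first commit rather than landing a separate "fix typo" commit, since the intermediate revision is broken whenever the client cert is absent.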