
(PUP-10589) Add a generate_request option to puppet ssl #9107

Merged: 3 commits from the nickg_generate_request branch into puppetlabs:7.x, Sep 15, 2023

Conversation

joshcooper (Contributor)

Adds a command `puppet ssl generate_request` to generate a CSR but not submit it. This is useful when bootstrapping an offline agent.

cthorn42 (Collaborator)

@joshcooper is it expected that `generate_request` will overwrite a CSR if one is in place?

joshcooper (Contributor, Author) commented Sep 14, 2023

> Is it expected that `generate_request` will overwrite a CSR if one is in place?

Yes good question. Short version is it's ok.

Long version is the agent only writes out the CSR as a temporary file:

```ruby
@cert_provider.save_request(Puppet[:certname], csr)
```

Once a cert is issued and downloaded, the temporary CSR is deleted:

```ruby
@cert_provider.delete_request(Puppet[:certname])
```

The cert request may take "a while" to be approved, so each time the agent tries to get a cert, it generates a new CSR, sends it to the CA, and writes the CSR to disk, overwriting the previous version.

Older versions of puppet (back when we used the indirector to bootstrap the agent) used to load the CSR from disk. If the keys were regenerated sometime after the CSR was written, then they wouldn't be consistent and the agent had to be manually cleaned. We avoid those issues by only writing out the CSR, but never reading it back.
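The key/CSR mismatch described in the comment above, reproduced as an added example (this is illustrative code written for this page, not Puppet's own `cert_provider` implementation): a CSR is written to disk, the private key is regenerated, and the stale CSR no longer carries the public half of the key the agent now holds. The `csr_matches_key?` check is the test a practitioner would run on a CSR found on disk before trusting it; the module name, file layout and certname are assumptions of the example.

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical stand-in for the agent-side CSR lifecycle discussed in the PR:
# generate key -> build CSR -> save as a temporary file -> (maybe) regenerate
# key -> delete CSR once a cert is obtained. Not Puppet code.
module CsrConsistency
  module_function

  def generate_key
    OpenSSL::PKey::RSA.new(2048)
  end

  # Build and self-sign a CSR for +certname+ with the given private key.
  def build_csr(key, certname)
    csr = OpenSSL::X509::Request.new
    csr.version = 0
    csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
    csr.public_key = key.public_key
    csr.sign(key, OpenSSL::Digest.new('SHA256'))
    csr
  end

  # Analogue of save_request: the CSR is only a temporary file on disk.
  def save_request(dir, certname, csr)
    path = File.join(dir, "#{certname}.pem")
    File.write(path, csr.to_pem)
    path
  end

  # Analogue of delete_request: remove the temporary CSR; true when it is gone.
  def delete_request(dir, certname)
    path = File.join(dir, "#{certname}.pem")
    File.delete(path) if File.exist?(path)
    !File.exist?(path)
  end

  # The consistency check: the CSR must (a) carry a valid self-signature and
  # (b) embed the public half of the key the agent currently holds.
  def csr_matches_key?(csr_pem, key)
    csr = OpenSSL::X509::Request.new(csr_pem)
    return false unless csr.verify(csr.public_key)
    csr.public_key.to_der == key.public_key.to_der
  end

  # Failure mode from the comment: the old behaviour of reading the CSR back
  # from disk after the key was regenerated yields an inconsistent pair.
  def stale_after_key_regeneration?(certname = 'agent.example.com')
    Dir.mktmpdir do |dir|
      old_key = generate_key
      path = save_request(dir, certname, build_csr(old_key, certname))
      new_key = generate_key                       # key regenerated later
      !csr_matches_key?(File.read(path), new_key)  # stale CSR is detected
    end
  end

  # Current behaviour: never read the CSR back; regenerate it from the live
  # key on every attempt (overwriting the file), then delete it once done.
  def consistent_when_regenerated?(certname = 'agent.example.com')
    Dir.mktmpdir do |dir|
      old_key = generate_key
      save_request(dir, certname, build_csr(old_key, certname))
      new_key = generate_key
      path = save_request(dir, certname, build_csr(new_key, certname))
      csr_matches_key?(File.read(path), new_key) && delete_request(dir, certname)
    end
  end
end
```

Run `CsrConsistency.stale_after_key_regeneration?` to see the mismatch the old indirector-based flow could hit, and `CsrConsistency.consistent_when_regenerated?` for the overwrite-and-never-read-back approach the comment describes; on an agent, the same `csr_matches_key?` logic applied to the on-disk CSR and private key tells you whether a leftover request is still meaningful.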

cthorn42 merged commit f334eb9 into puppetlabs:7.x on Sep 15, 2023 (13 checks passed)
joshcooper deleted the nickg_generate_request branch on September 15, 2023 03:09