Closed anders-larsson closed 3 months ago
Example when executed on the CA server itself:
curl --tlsv1 \
--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--cert /etc/puppetlabs/puppet/ssl/certs/puppet.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/puppet.pem \
-k https://localhost:8140/puppet-ca/v1/certificate_status/client.domain.tld
Internal Server Error: java.io.FileNotFoundException: /etc/puppetlabs/puppetserver/ca/requests/client.domain.tld.pem (No such file or directory)
The system in question has had a certificate previously but no longer does. Neither a certificate nor a certificate request file exists for the system on the CA. For other non-existing nodes it correctly returns Resource not found.
if the resource does not exist.
One workaround seems to be having the node connect to the CA and hence generating a new CSR file. However, revoking (PUT /puppet-ca/v1/certificate_status/client.domain.tld) and cleaning it (DELETE /puppet-ca/v1/certificate_status/client.domain.tld) causes the problem to show itself again. The same thing happens regardless of whether a certificate or a CSR is going through this process.
As mentioned earlier, this only happens sometimes, and after it has started to happen it is persistent for that particular subject DN.
The CA is also much slower to process CSRs -> Cert (as also mentioned in linked issue).
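To see which certnames are hitting the error quoted in this report, the following added example (not part of the original report and not Puppet Server code) scans log lines or HTTP response bodies for the FileNotFoundException message and groups the hits by certname. The sample lines are constructed, and the assumption that the PEM file is named after the certname is taken from the path shown in the curl output.

```python
import re
from collections import defaultdict

# Matches the error text quoted in the report, whether it appears in a
# puppetserver log line or in the body returned by the CA API.
# Assumption: the missing file is <ca-subdirectory>/<certname>.pem.
ERROR_RE = re.compile(
    r"Internal Server Error: java\.io\.FileNotFoundException: "
    r"(?P<path>/\S+/(?P<store>[^/\s]+)/(?P<certname>[^/\s]+)\.pem) "
    r"\(No such file or directory\)"
)


def affected_certnames(lines):
    """Return {certname: {"count": hits, "stores": CA subdirectories seen}}."""
    hits = defaultdict(lambda: {"count": 0, "stores": set()})
    for line in lines:
        match = ERROR_RE.search(line)
        if match is None:
            continue  # unrelated line, or a plain "Resource not found"
        entry = hits[match.group("certname")]
        entry["count"] += 1
        entry["stores"].add(match.group("store"))
    return dict(hits)


# Constructed sample input: the timestamps and the second hostname are made
# up; the message format and the requests path follow the report.
SAMPLE_LINES = [
    "2024-01-01T10:00:00 ERROR [p.r.core] Internal Server Error: "
    "java.io.FileNotFoundException: /etc/puppetlabs/puppetserver/ca/requests/"
    "client.domain.tld.pem (No such file or directory)",
    "2024-01-01T10:00:05 INFO  [p.p.certificate-authority] unrelated line",
    "2024-01-01T10:01:00 ERROR [p.r.core] Internal Server Error: "
    "java.io.FileNotFoundException: /etc/puppetlabs/puppetserver/ca/requests/"
    "other.domain.tld.pem (No such file or directory)",
    # A response body as returned to curl, without any log prefix.
    "Internal Server Error: java.io.FileNotFoundException: "
    "/etc/puppetlabs/puppetserver/ca/requests/client.domain.tld.pem "
    "(No such file or directory)",
]

if __name__ == "__main__":
    for name, info in sorted(affected_certnames(SAMPLE_LINES).items()):
        print(f"{name}: {info['count']} error(s) in {sorted(info['stores'])}")
```
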
Thanks for your report. The issue is a simple logic problem that I will resolve shortly.
@jonathannewman @justinstoller Hi, when will there be a release which includes this fix? Thanks.
Describe the Bug
Puppetserver CA API gets into a race-condition sometimes when the Certificate Status endpoint is used to first revoke and afterwards clean the certificate. When this occurs puppetserver will start throwing
ERROR [p.r.core] Internal Server Error: java.io.FileNotFoundException: /path/to/cert.pem (No such file or directory)
when attempts to revoke/clean said certificate occur. We have not seen this bug in 7.13.0 and earlier versions. The first time it occurred was after updating to 8.4.0.
Expected Behavior
Certificate is successfully revoked and cleaned and can be re-used.
Steps to Reproduce
Steps to reproduce the behavior:
ERROR [p.r.core] Internal Server Error: java.io.FileNotFoundException: /path/to/cert.pem (No such file or directory)
As stated earlier, this does not always happen.
Environment
Additional Context
It seems to help to have the node reach out to the CA and have a new certificate request recreated and then use API to sign it. Afterwards it works again as expected.
https://github.com/puppetlabs/puppetserver-ca-cli/issues/120 might be related.
Example logs: