x509.certificate_managed can write an error message into the cert file instead of failing

[farcaller]

Description of Issue/Question

x509.certificate_managed will corrupt the pem file and then will die with exception.

Setup

Set up x509.certificate_managed for a signing policy that doesn't exist

Steps to Reproduce Issue

Run the state. The generated cert file will contain a single line, e.g.: Signing policy saltca does not exist. instead on pem data.

Additionally, the state will now fail forever with:

Jun 20 20:11:52 sb1 salt-minion[24565]: [ERROR   ] An exception occurred in this state: Traceback (most recent call last):
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/state.py", line 1746, in call
Jun 20 20:11:52 sb1 salt-minion[24565]:     **cdata['kwargs'])
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1704, in wrapper
Jun 20 20:11:52 sb1 salt-minion[24565]:     return f(*args, **kwargs)
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/states/x509.py", line 568, in certificate_managed
Jun 20 20:11:52 sb1 salt-minion[24565]:     'New': __salt__['x509.read_certificate'](certificate=certificate)}
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 536, in read_certificate
Jun 20 20:11:52 sb1 salt-minion[24565]:     cert = _get_certificate_obj(certificate)
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 349, in _get_certificate_obj
Jun 20 20:11:52 sb1 salt-minion[24565]:     text = get_pem_entry(text, pem_type='CERTIFICATE')
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 472, in get_pem_entry
Jun 20 20:11:52 sb1 salt-minion[24565]:     raise salt.exceptions.SaltInvocationError(errmsg)
Jun 20 20:11:52 sb1 salt-minion[24565]: SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:

Additionally, master will fail to detect the error and will keep recursing until runs out of stack in

      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 2099, in call_chunk
        running = self.call_chunk(low, running, chunks)

Versions Report

$ salt --versions-report
Salt Version:
           Salt: 2016.11.5-120-ge7fc30f

Dependency Versions:
           cffi: 1.10.0
       cherrypy: Not Installed
       dateutil: 2.6.0
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: 0.25.1
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.25.0
         Python: 2.7.13 (default, Apr 20 2017, 12:13:37)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.1
            ZMQ: 4.2.2

System Versions:
           dist:
        machine: x86_64
        release: 4.10.0-22-generic
         system: Linux
        version: Not Installed

$ salt-minion --versions-report
Salt Version:
           Salt: 2016.11.5

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: 1.8.0
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.24.0
           Mako: 1.0.4
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12+ (default, Sep 17 2016, 12:08:02)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.2
            ZMQ: 4.2.0

System Versions:
           dist: Ubuntu 16.10 yakkety
        machine: x86_64
        release: 4.8.0-45-generic
         system: Linux
        version: Ubuntu 16.10 yakkety

[Ch3LL]

@farcaller can you please share a sanitized version of sls file when running into this issue?

[nvx]

I've run into the same issue. Seems to occur when someone makes a mistake in the pillar top.sls that makes pillar rendering error out - when this happens instead of aborting it nukes the already existing file with "Signing policy mypolicy does not exist."

mycert:
  x509.certificate_managed:
    - name: /etc/mycert.pem
    - ca_server: server.example.com
    - signing_policy: mypolicy
    - public_key: /etc/mycert.key
    - managed_private_key:
        name: /etc/mycert.key
        bits: 2048
        backup: True

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[farcaller]

none of the fixes seem to me merged in yet.

[stale[bot]]

Thank you for updating this issue. It is no longer marked as stale.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[farcaller]

none of the fixes seem to me merged in yet.

this bug bankruptcy bot makes me disappointed...

[stale[bot]]

Thank you for updating this issue. It is no longer marked as stale.

[Ch3LL]

thanks for updating the issue. will add into backlog as a bug. thanks