smoeding / puppet-openssl

Use Puppet to manage X.509 certificates, keys and parameter files
BSD 2-Clause "Simplified" License

openssl_signcsr fails to generate cert if extensions is incorrect but reports success to Puppet #5

Closed damonmaria closed 3 years ago

damonmaria commented 3 years ago

If you put an invalid value in for extensions then openssl_signcsr succeeds in Puppet but the actual openssl command has failed and the resulting certificate file does not exist:

Notice: openssl_signcsr: Using configuration from /etc/etcd/ca/ca.cnf
Notice: openssl_signcsr: Check that the request matches the signature
Notice: openssl_signcsr: Signature ok
Notice: openssl_signcsr: The Subject's Distinguished Name is as follows
Notice: openssl_signcsr: commonName            :ASN.1 12:'************'
Notice: openssl_signcsr: ERROR: adding extensions in section default
Notice: openssl_signcsr: 140144353465664:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
Notice: openssl_signcsr: 140144353465664:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=utf8, value=yes
Notice: /Stage[main]/Profile::Etcd_server_cert/Openssl_signcsr[/etc/etcd/server.pem]/ensure: created (corrective)

smoeding commented 3 years ago

I've uploaded release 3.2.0 to the Puppet Forge. That should fix the issue as an error with the internal openssl process should now be propagated to Puppet. Thanks for reporting it!

damonmaria commented 3 years ago

Awesome!
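
The failure mode reported in this thread, as an added example (not the module's code and not the 3.2.0 fix): a wrapper that treats signing as successful only if the child process exits 0 and the certificate file then exists and parses. All names here (`run_signing_command`, `SigningError`, `constructed_cert_pem`, `error_message`, `demo`) are hypothetical, and the child processes are constructed stand-ins built from the Ruby interpreter rather than real `openssl` invocations.

```ruby
require 'open3'
require 'openssl'
require 'rbconfig'
require 'tmpdir'

class SigningError < StandardError; end

# Run a signing command (argv array, no shell). Succeeds only if the process
# exits 0 AND cert_path then holds a parseable X.509 certificate.
def run_signing_command(argv, cert_path)
  output, status = Open3.capture2e(*argv)
  raise SigningError, "exit #{status.exitstatus}: #{output.strip}" unless status.success?
  raise SigningError, 'no certificate written' unless File.file?(cert_path)
  OpenSSL::X509::Certificate.new(File.read(cert_path))
rescue OpenSSL::X509::CertificateError => e
  raise SigningError, "unparseable certificate: #{e.message}"
end

# Constructed sample: a throwaway self-signed certificate in PEM form.
def constructed_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
end

# Returns the SigningError message raised by the block, or nil if none.
def error_message
  yield
  nil
rescue SigningError => e
  e.message
end

# Three constructed cases: non-zero exit, exit 0 with no file, real success.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'server.pem')
    fail_cmd = [RbConfig.ruby, '-e', 'warn "ERROR: adding extensions in section default"; exit 1']
    write_cmd = [RbConfig.ruby, '-e', 'File.write(ARGV[0], ARGV[1])', path, constructed_cert_pem]
    { failed: error_message { run_signing_command(fail_cmd, path) },
      silent: error_message { run_signing_command([RbConfig.ruby, '-e', 'exit 0'], path) },
      subject: run_signing_command(write_cmd, path).subject.to_s }
  end
end
puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Checking the output file as well as the exit status catches the case where the tool exits cleanly but writes nothing, which an exit-code check alone would still report as created.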