voxpupuli / puppet-openssl

Puppet OpenSSL module
Apache License 2.0

[Bug] TLS certificate can't be created if the directory for private key is specified #185

Closed vasilevalex closed 3 months ago

vasilevalex commented 5 months ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

Try to create a self-signed certificate with the parameter key_dir, for example:

openssl::certificate::x509 { $facts[networking][fqdn]:
  country      => 'DK',
  state        => 'Denmark',
  locality     => 'Test',
  commonname   => $facts[networking][fqdn],
  organization => 'company A/S',
  unit         => 'test',
  email        => 'admin@test.dk',
  days         => 3650,
  base_dir     => '/etc/ssl/certs',
  key_dir      => '/etc/ssl/private',
  force        => false,
  encrypted    => false,
}

What are you seeing

X509_cert is trying to use the default key from the same directory as the request and certificate (/etc/ssl/certs). The key is generated in the correct directory (/etc/ssl/private).

What behaviour did you expect instead

X509_cert must use the signing key from the parameter key_dir (/etc/ssl/private).

Output log

Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/Openssl::Config[/etc/ssl/certs//host.test.dk.cnf]/File[/etc/ssl/certs//host.test.dk.cnf]/content: content changed '{sha256}8447bb6632d45d40a3eaaceca9aa4cb6adf9aa98998dd463dc65d871b7db6b16' to '{sha256}dee758d609833006021578ebcf715e888c964d1ff047674445be789bc98ebae0'
Info: Openssl::Config[/etc/ssl/certs//host.test.dk.cnf]: Scheduling refresh of X509_request[/etc/ssl/certs//host.test.dk.csr]
Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_request[/etc/ssl/certs//host.test.dk.csr]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_request[/etc/ssl/certs//host.test.dk.csr]: Scheduling refresh of X509_cert[/etc/ssl/certs//host.test.dk.crt]
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Could not evaluate: No such file or directory @ rb_sysopen - /etc/ssl/certs/host.test.dk.key
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Failed to call refresh: Execution of '/bin/openssl x509 -req -days 3650 -in /etc/ssl/certs//host.test.dk.csr -out /etc/ssl/certs//host.test.dk.crt -signkey /etc/ssl/certs/host.test.dk.key -extensions v3_req' returned 1: Signature ok
subject=/C=DK/ST=Denmark/L=Test/O=company A/S/OU=test/CN=host.test.dk/emailAddress=admin@test.dk
Getting Private key
Error opening Private key /etc/ssl/certs/host.test.dk.key
139684502910864:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/ssl/certs/host.test.dk.key','r')
139684502910864:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private key
unable to write 'random state'
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Execution of '/bin/openssl x509 -req -days 3650 -in /etc/ssl/certs//host.test.dk.csr -out /etc/ssl/certs//host.test.dk.crt -signkey /etc/ssl/certs/host.test.dk.key -extensions v3_req' returned 1: Signature ok
subject=/C=DK/ST=Denmark/L=Test/O=company A/S/OU=test/CN=host.test.dk/emailAddress=admin@test.dk
Getting Private key
Error opening Private key /etc/ssl/certs/host.test.dk.key
139684502910864:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/ssl/certs/host.test.dk.key','r')
139684502910864:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private key
unable to write 'random state'
Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/File[/etc/ssl/certs//host.test.dk.crt]: Dependency X509_cert[/etc/ssl/certs//host.test.dk.crt] has failures: true

Any additional information you'd like to impart

Commit a8a98cfa494e1945f798a3d34445826686e26575 broke the behavior.
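The sequence the issue expects, written out as an added shell example that is not the module's own code: the key lands in key_dir, the CSR and certificate in base_dir, and -signkey points at key_dir; a second helper checks that the certificate's public key matches the private key, which is the check that fails (or cannot run at all) when the wrong path is used. It assumes openssl is installed, uses temporary directories in place of /etc/ssl, and the v3_req section is an assumed minimal one.

```shell
#!/bin/sh
# Added example, not the puppet-openssl module's code. Reproduces the openssl
# steps behind openssl::certificate::x509 with separate base_dir and key_dir.
set -eu

# Key in KEY_DIR, CSR and certificate in BASE_DIR, signed with the KEY_DIR key.
# Prints the certificate path.
make_selfsigned() {
  name=$1; base_dir=$2; key_dir=$3; days=${4:-3650}
  mkdir -p "$base_dir" "$key_dir"
  cnf="$base_dir/$name.cnf"; csr="$base_dir/$name.csr"
  crt="$base_dir/$name.crt"; key="$key_dir/$name.key"
  # Minimal config with the subject from the issue and an assumed v3_req section.
  cat > "$cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DK
ST = Denmark
L = Test
O = company A/S
OU = test
CN = $name
emailAddress = admin@test.dk
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$name
EOF
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -config "$cnf" -key "$key" -out "$csr" 2>/dev/null
  # -signkey must reference key_dir, not base_dir: that is what the bug got wrong.
  openssl x509 -req -days "$days" -in "$csr" -out "$crt" \
    -signkey "$key" -extensions v3_req -extfile "$cnf" 2>/dev/null
  echo "$crt"
}

# True when the certificate's public key equals the private key's public half.
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ]
}
```

Run it with a temporary directory, e.g. `make_selfsigned host.test.dk "$tmp/certs" "$tmp/private"`, and note that no .key file ever appears under base_dir.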