x509.certificate_managed can write an error message into the cert file instead of failing #41858
Comments
@farcaller can you please share a sanitized version of sls file when running into this issue?
I've run into the same issue. Seems to occur when someone makes a mistake in the pillar top.sls that makes pillar rendering error out - when this happens instead of aborting it nukes the already existing file with "Signing policy mypolicy does not exist."
The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True is now supported.

It fixes the following errors:
* Certificate errors are written to the target file (saltstack#41858)
* New certificates are created every run (saltstack#52167)

The `managed_private_key` option has been removed due to the added complexity. The functionality can easily be replicated with an additional call to `x509.private_key_managed`. According to the comment at saltstack#39608 (comment) `managed_private_key` has not worked since at least v2016.11.2.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
none of the fixes seem to be merged in yet.
Thank you for updating this issue. It is no longer marked as stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
none of the fixes seem to be merged in yet. this bug bankruptcy bot makes me disappointed...
Thank you for updating this issue. It is no longer marked as stale.
thanks for updating the issue. will add into backlog as a bug. thanks
The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True is now supported.

It fixes saltstack#52180, saltstack#39608, saltstack#41858 and others:
* Error messages from the x509 module calls are written directly to the certificate file - fixed, the certificate file is only created when the x509 module calls succeed.
* Certificates are created when no changes are required - fixed, the comparison logic has been updated.

The `managed_private_key` option has been removed due to the added complexity. The functionality can easily be replicated with an additional call to `x509.private_key_managed`. According to the comment at saltstack#39608 (comment) `managed_private_key` has not worked since at least v2016.11.2.
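The behaviour the fix describes (the certificate file is only created when the x509 module calls succeed) can be sketched as a validate-then-atomically-replace write. This is an added example, not Salt's code: the function names are hypothetical, the sample PEM is constructed and is not a real certificate, and the check is structural only.

```python
import base64
import binascii
import os
import re
import tempfile

# Constructed sample: PEM armor around a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")
# The error string this issue reports ending up in the cert file.
ERROR_TEXT = "Signing policy saltca does not exist."

_PEM_CERT = re.compile(
    r"\A\s*-----BEGIN CERTIFICATE-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"\s*-----END CERTIFICATE-----\s*\Z"
)


def looks_like_pem_cert(text):
    """Structural check only: PEM armor, strict base64, DER SEQUENCE tag."""
    m = _PEM_CERT.match(text)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def write_cert_atomically(path, text):
    """Replace `path` only if `text` is PEM; otherwise raise and keep the old file."""
    if not looks_like_pem_cert(text):
        raise ValueError("refusing to write non-PEM data: %r" % text[:60])
    # Temp file in the same directory so os.replace stays on one filesystem.
    # mkstemp creates it with mode 0600; adjust afterwards if needed.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic swap: readers see old or new, never partial
    except BaseException:
        os.unlink(tmp)
        raise
```

Called with `ERROR_TEXT`, `write_cert_atomically` raises before touching the target, so a previously issued certificate stays in place.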
Description of Issue/Question
`x509.certificate_managed` will corrupt the pem file and then will die with exception.
Setup
Set up `x509.certificate_managed` for a signing policy that doesn't exist.
Steps to Reproduce Issue
Run the state. The generated cert file will contain a single line, e.g.:
Signing policy saltca does not exist.
instead of pem data.
Additionally, the state will now fail forever with:
Additionally, master will fail to detect the error and will keep recursing until it runs out of stack in
Versions Report