
x509.certificate_managed can write an error message into the cert file instead of failing #41858

Closed
farcaller opened this issue Jun 20, 2017 · 9 comments · Fixed by #56372
Labels
Bug broken, incorrect, or confusing behavior Confirmed Salt engineer has confirmed bug/feature - often including a MCVE P4 Priority 4 severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around ZRelease-Sodium retired label

Comments

@farcaller
Contributor

Description of Issue/Question

x509.certificate_managed will corrupt the pem file and then die with an exception.

Setup

Set up x509.certificate_managed for a signing policy that doesn't exist

Steps to Reproduce Issue

Run the state. The generated cert file will contain a single line, e.g.: Signing policy saltca does not exist. instead of PEM data.

Additionally, the state will now fail forever with:

Jun 20 20:11:52 sb1 salt-minion[24565]: [ERROR   ] An exception occurred in this state: Traceback (most recent call last):
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/state.py", line 1746, in call
Jun 20 20:11:52 sb1 salt-minion[24565]:     **cdata['kwargs'])
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1704, in wrapper
Jun 20 20:11:52 sb1 salt-minion[24565]:     return f(*args, **kwargs)
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/states/x509.py", line 568, in certificate_managed
Jun 20 20:11:52 sb1 salt-minion[24565]:     'New': __salt__['x509.read_certificate'](certificate=certificate)}
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 536, in read_certificate
Jun 20 20:11:52 sb1 salt-minion[24565]:     cert = _get_certificate_obj(certificate)
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 349, in _get_certificate_obj
Jun 20 20:11:52 sb1 salt-minion[24565]:     text = get_pem_entry(text, pem_type='CERTIFICATE')
Jun 20 20:11:52 sb1 salt-minion[24565]:   File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 472, in get_pem_entry
Jun 20 20:11:52 sb1 salt-minion[24565]:     raise salt.exceptions.SaltInvocationError(errmsg)
Jun 20 20:11:52 sb1 salt-minion[24565]: SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:

Additionally, the master will fail to detect the error and will keep recursing until it runs out of stack in

      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 2099, in call_chunk
        running = self.call_chunk(low, running, chunks)

Versions Report

$ salt --versions-report
Salt Version:
           Salt: 2016.11.5-120-ge7fc30f

Dependency Versions:
           cffi: 1.10.0
       cherrypy: Not Installed
       dateutil: 2.6.0
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: 0.25.1
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.25.0
         Python: 2.7.13 (default, Apr 20 2017, 12:13:37)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.1
            ZMQ: 4.2.2

System Versions:
           dist:
        machine: x86_64
        release: 4.10.0-22-generic
         system: Linux
        version: Not Installed
$ salt-minion --versions-report
Salt Version:
           Salt: 2016.11.5

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: 1.8.0
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.24.0
           Mako: 1.0.4
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12+ (default, Sep 17 2016, 12:08:02)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.2
            ZMQ: 4.2.0

System Versions:
           dist: Ubuntu 16.10 yakkety
        machine: x86_64
        release: 4.8.0-45-generic
         system: Linux
        version: Ubuntu 16.10 yakkety
@Ch3LL
Contributor

Ch3LL commented Jun 20, 2017

@farcaller can you please share a sanitized version of the sls file when running into this issue?

@Ch3LL Ch3LL added the info-needed waiting for more info label Jun 20, 2017
@Ch3LL Ch3LL added this to the Blocked milestone Jun 20, 2017
@nvx
Contributor

nvx commented Feb 16, 2018

I've run into the same issue. Seems to occur when someone makes a mistake in the pillar top.sls that makes pillar rendering error out. When this happens, instead of aborting, it nukes the already existing file with "Signing policy mypolicy does not exist."

mycert:
  x509.certificate_managed:
    - name: /etc/mycert.pem
    - ca_server: server.example.com
    - signing_policy: mypolicy
    - public_key: /etc/mycert.key
    - managed_private_key:
        name: /etc/mycert.key
        bits: 2048
        backup: True

glynnforrest added a commit to glynnforrest/salt that referenced this issue May 7, 2019
The function now displays clearer error messages when a problem occurs
and informative messages when comparing an existing certificate.

test=True is now supported.

It fixes the following errors:

* Certificate errors are written to the target file (saltstack#41858)
* New certificates are created every run (saltstack#52167)

The `managed_private_key` option has been removed due to the added
complexity. The functionality can easily be replicated with an
additional call to `x509.private_key_managed`. According to the comment
at saltstack#39608 (comment)
`managed_private_key` has not worked since at least v2016.11.2.
@stale

stale bot commented Jun 1, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jun 1, 2019
@farcaller
Contributor Author

none of the fixes seem to be merged in yet.

@stale

stale bot commented Jun 1, 2019

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Jun 1, 2019
@stale

stale bot commented Jan 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jan 8, 2020
@farcaller
Contributor Author

none of the fixes seem to be merged in yet.

this bug bankruptcy bot makes me disappointed...

@stale

stale bot commented Jan 8, 2020

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Jan 8, 2020
@Ch3LL
Contributor

Ch3LL commented Jan 9, 2020

thanks for updating the issue. will add into backlog as a bug. thanks

@Ch3LL Ch3LL added Bug broken, incorrect, or confusing behavior severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around P4 Priority 4 and removed info-needed waiting for more info labels Jan 9, 2020
@Ch3LL Ch3LL modified the milestones: Blocked, Approved Jan 9, 2020
@Ch3LL Ch3LL added the Confirmed Salt engineer has confirmed bug/feature - often including a MCVE label Jan 9, 2020
This was referenced Mar 13, 2020
glynnforrest added a commit to glynnforrest/salt that referenced this issue Apr 10, 2020
The function now displays clearer error messages when a problem occurs
and informative messages when comparing an existing certificate.

test=True is now supported.

It fixes saltstack#52180, saltstack#39608, saltstack#41858 and others:

* Error messages from the x509 module calls are written directly to
the certificate file - fixed, the certificate file is only created
when the x509 module calls succeed.
* Certificates are created when no changes are required - fixed, the
comparison logic has been updated.

The `managed_private_key` option has been removed due to the added
complexity. The functionality can easily be replicated with an
additional call to `x509.private_key_managed`. According to the comment
at saltstack#39608 (comment)
`managed_private_key` has not worked since at least v2016.11.2.
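As an added illustration of the guard the bug report and the commit message above both point at (this is example code, not Salt's own state implementation): check that the x509 call returned exactly one CERTIFICATE PEM entry before touching the target file, skip the write when the file already holds that entry, and write atomically so an existing certificate is never replaced by an error string such as "Signing policy mypolicy does not exist." The function names, the regex, and the sample PEM are assumptions constructed for this example.

```python
import base64
import os
import re
import tempfile

# Exactly one PEM entry: matching BEGIN/END markers around a base64 body, nothing else.
_PEM_ENTRY = re.compile(
    r"\A\s*-----BEGIN (?P<t>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=t)-----\s*\Z"
)
# Constructed sample: base64 of a placeholder string, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n".format(
    base64.b64encode(b"constructed placeholder, not a real cert").decode())

def is_single_pem_entry(text, pem_type="CERTIFICATE"):
    """True only if text is one PEM entry of pem_type whose body is valid base64."""
    m = _PEM_ENTRY.match(text) if isinstance(text, str) else None
    if m is None or m.group("t") != pem_type:
        return False
    try:
        base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        return False
    return True

def managed_certificate_write(path, new_text, pem_type="CERTIFICATE"):
    """Salt-style state return; path is only written when new_text is a valid entry."""
    ret = {"name": path, "result": False, "changes": {}, "comment": ""}
    if not is_single_pem_entry(new_text, pem_type):
        # The module returned an error message, not a cert: leave the file alone.
        ret["comment"] = "no {} returned by x509 call: {}".format(pem_type, new_text.strip())
        return ret
    old = open(path).read() if os.path.exists(path) else None
    if old == new_text:
        ret.update(result=True, comment="certificate already in the correct state")
        return ret
    # Temp file in the same directory plus rename: a crash mid-write never truncates path.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".cert-")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    ret.update(result=True, comment="certificate written", changes={"old": old, "new": new_text})
    return ret

def demo():
    """Write a cert, then feed an error string: the existing file must survive untouched."""
    path = os.path.join(tempfile.mkdtemp(), "mycert.pem")
    first = managed_certificate_write(path, SAMPLE_PEM)
    bad = managed_certificate_write(path, "Signing policy mypolicy does not exist.")
    untouched = open(path).read() == SAMPLE_PEM
    return first["result"], bad["result"], untouched
```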
dwoz added a commit that referenced this issue May 7, 2020
@sagetherage sagetherage added the ZRelease-Sodium retired label label May 18, 2020