-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x509.certificate_managed creates new certificate every run #52167
Comments
can you share your state where you are seeing this issue? thanks |
Any |
ping @clinta any chance you can take a look here? Are you seeing this same behavior? |
I am exploring this. I'm seeing an issue related to order of items in the
subject. Right now I'm trying to get the test suite running locally so I
can write some tests to expose this.
…On Mon, Mar 18, 2019, 14:14 Megan Wilhite ***@***.***> wrote:
ping @clinta <https://github.com/clinta> any chance you can take a look
here? Are you seeing this same behavior?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#52167 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADB73QcKhhujsLBWE1yfTcukyRIrNqgtks5vX9eUgaJpZM4btvcs>
.
|
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Could this be related to #50734 (short tags vs long tags, e.g. |
@glynnforrest no, this issue is about it generating new certificates before it does any checks at all. |
Right you are @OrangeDog, I should have looked at the code you linked before commenting. I've ran into too many bugs with @Ch3LL would you be interested in a PR that would significantly change the function code if it kept API compatibility and fixed the outstanding issues? Either way, I will paste the function here when I've got it working. |
Update: I've written a replacement with better error messages that's actually working quite well. I'm hoping to deploy it this week, confirm it solves the issues I've been facing, then submit a PR. |
I just stopped using |
The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True is now supported. It fixes the following errors: * Certificate errors are written to the target file (saltstack#41858) * New certificates are created every run (saltstack#52167) The `managed_private_key` option has been removed due to the added complexity. The functionality can easily be replicated with an additional call to `x509.private_key_managed`. According to the comment at saltstack#39608 (comment) `managed_private_key` has not worked since at least v2016.11.2.
PR is in: #52935 @OrangeDog the rewrite changes how certificates are checked for updates so #52180 may not apply any more. I'd be grateful if you could try out the rewritten function! |
This comment was marked as outdated.
This comment was marked as outdated.
Still not resolved. PR is in progress. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
@sagetherage that would also be a good time to look at deduplicating between the tls and x509 states and modules. |
@OrangeDog TCP and x509? |
@s0undt3ch whoops, sorry, TLS not TCP. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Just noting the additional irony of this comment # We don't want generate a new certificate, even in memory,
# for security reasons. given that it generates an additional cert every run, even in test mode (so twice if pre-requried |
The state always creates a new certificate before it's confirmed whether one is needed.
If using a
signing_policy
withcopypath
, this can quickly fill the directory with thousands of certificates that were never used.https://github.com/saltstack/salt/blob/v2018.3.4/salt/states/x509.py#L502
https://github.com/saltstack/salt/blob/v2018.2/salt/states/x509.py#L493
I notice on the develop branch, it's now creating two certificates every time.
https://github.com/saltstack/salt/blob/develop/salt/states/x509.py#L533
The text was updated successfully, but these errors were encountered: