[BUG] On ubuntu machines, x509.certificate_managed is allocating a new certificate on every run. #59170

Status: Closed
ichilton opened this issue Dec 18, 2020 · 8 comments
Labels: Bug (broken, incorrect, or confusing behavior), severity-high (2nd top severity, seen by most users, causes major problems)

@ichilton

Description

Most of my hosts are Debian (buster), but I have 2x Ubuntu 20.04 (focal) boxes.

On the Ubuntu hosts, x509.certificate_managed is generating a new certificate on every salt run. On the Debian hosts, it does not.

Setup

It's pretty much the setup documented at: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html

```yaml
/etc/pki/{{ grains['fqdn'] }}.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - x509: /etc/pki/ca.crt

/etc/pki/{{ grains['fqdn'] }}.crt:
  x509.certificate_managed:
    - ca_server: salt-master.mydomain.net
    - signing_policy: mypolicy
    - public_key: /etc/pki/{{ grains['fqdn'] }}.key
    - CN: {{ grains['fqdn'] }}
    - O: MyCorp
    - Email: hostmaster@mydomain.net
    - C: GB
    - L: London
    - days_valid: 90
    - days_remaining: 30
    - backup: True
    - require:
      - x509: /etc/pki/{{ grains['fqdn'] }}.key
```

x509.conf looks like:

```yaml
x509_signing_policies:
  mypolicy:
    - minions: '*'
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
    - O: MyCorp
    - Email: hostmaster@mydomain.net
    - C: GB
    - L: London
    - basicConstraints: "critical CA:false"
    - keyUsage: "critical keyEncipherment"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 90
    - copypath: /etc/pki/issued_certs/
```

Steps to Reproduce the behavior

On the Ubuntu hosts, every time I do a salt run, it generates a new certificate. It seems to think the public key is different, but it is not.

          ID: /etc/pki/myhost.mydomain.net.crt
    Function: x509.certificate_managed
      Result: True
     Comment: Certificate /etc/pki/myhost.mydomain.net.crt is valid and up to date
     Started: 09:55:31.261985
    Duration: 793.287 ms
     Changes:
              ----------
              Certificate:
                  ----------
                  New:
                      ----------
                      Issuer:
                          ----------
                          C:
                              GB
                          CN:
                              salt-master.mydomain.net
                          Email:
                              hostmaster@mydomain.net
                          L:
                              London
                          O:
                              MyCorp
                      Issuer Hash:
                          6A:FE:1B:FF
                      Key Size:
                          4096
                      MD5 Finger Print:
                          BB:D8:C5:7E:83:68:47:6E:6A:28:7D:41:73:3C:B8:AA
                      Not After:
                          2021-03-18 09:55:31
                      Not Before:
                          2020-12-18 09:55:31
                      Public Key:
                          -----BEGIN PUBLIC KEY-----
                          MIICIjANBgkqhkiG9w0BADDEAAOCAg8AMIICCgKCAgEA4oHpjML041bCi1dYcmCs
                          4/TlYWdfxx2BWMaxKKJ3px7fKwNi9sG/lhf54sZNGGrdk0mS+q27JfxzvHII7x/R
                          duBKrNHNf0bztgobtJDIJppRNSWym+xh8Q2y7n1SRcN9OmgANoTVtpkC1zgSpfrL
                          9ky1nptGzc6KQ3ynG8StVula3xCBEPlSRCBdt0gSKiyIIRg7fYJesDXQXGx8r/Ap
                          H2iiKCg5EEU/Ur4jR7E9MfqNRHEjKQUCeqxzjCMembF35msc21/94iWDSHDPf0Mg
                          71EIQ9w9d6upeP0G+bcpW3vHErCcvjFsVFPhpFdN42tYwn3XWv02hVSquCzWYg2p
                          33Rbol9zrc/TI7UOVOTvBtLyL6KC95e2Lwt8DtfQkw9QoTuqiBHvkFcFW8NXt2WW
                          VZHLm+IGfs+xR8nU14mfCajMPA0fgJudXHRZX5ugD5+knSpYJDBaH/Hq1/D1LKwS
                          +D70HXi+BOqlBABRDox5bpRWVohBUeAOVfH7ucHXSw0GynvhCNhQfV30FOneWg9q
                          qm+4BIshTOLAA7PmxxPX3JTgklysXwEt+mCEhsWFY+2z0DxarMYJN8txeZ3w8kfm
                          NZ8NVb7dviaVxTqD8UTbZa8MTPbN2ZbxzdBxVz0wPg1zDkr2iNdIi5nLgV+8DY6r
                          ZJpaok/t2lWkr49tAykPFP8CAwEAAQ==
                          -----END PUBLIC KEY-----
                      SHA-256 Finger Print:
                          51:BA:7E:90:23:13:9B:E3:CF:DA:16:B3:4D:20:6F:10:F1:C9:6F:62:99:19:7D:D2:D7:0F:28:3E:66:F5:C0:97
                      SHA1 Finger Print:
                          6D:63:36:E7:D0:11:D2:28:38:6C:91:6E:14:BA:F0:2A:EE:BA:E0:35
                      Serial Number:
                          14:EF:2F:C9:68:9D:98:C3
                      Subject:
                          ----------
                          C:
                              GB
                          CN:
                              myhost.mydomain.net
                          Email:
                              hostmaster@mydomain.net
                          L:
                              London
                          O:
                              MyCorp
                      Subject Hash:
                          63:67:EF:08
                      Version:
                          3
                      X509v3 Extensions:
                          ----------
                          authorityKeyIdentifier:
                              keyid:DB:1B:BB:C0:93:3C:44:4B:6A:7A:5F:15:BB:C0:B8:25:98:7B:03:DB
                              DirName:/C=GB/CN=salt-master.mydomain.net/emailAddress=hostmaster@mydomain.net/L=London/O=MyCorp
                              serial:6F:87:7E:68:4E:D2:46:9D
                          basicConstraints:
                              critical CA:FALSE
                          keyUsage:
                              critical Key Encipherment
                          subjectAltName:
                              IP Address:1.2.3.4, IP Address:127.0.0.1, IP Address:2000:AA20:123:0:0:0:0:26, IP Address:FE80:0:0:0:250:C2FF:FE46:6C1A
                          subjectKeyIdentifier:
                              82:67:CD:51:6F:A4:F6:25:A6:7C:D9:C1:A7:AA:54:46:D0:87:0D:A8
                  Old:
                      ----------
                      Issuer:
                          ----------
                          C:
                              GB
                          CN:
                              salt-master.mydomain.net
                          Email:
                              hostmaster@mydomain.net
                          L:
                              London
                          O:
                              MyCorp
                      Issuer Hash:
                          6A:FE:1B:FF
                      Key Size:
                          4096
                      MD5 Finger Print:
                          9E:75:EB:38:C5:7E:16:34:82:11:53:A4:D3:ED:1A:7E
                      Not After:
                          2021-03-18 09:55:07
                      Not Before:
                          2020-12-18 09:55:07
                      Public Key:
                          -----BEGIN PUBLIC KEY-----
                          MIICIjANBgkqhkiG9w0BADDEAAOCAg8AMIICCgKCAgEA4oHpjML041bCi1dYcmCs
                          4/TlYWdfxx2BWMaxKKJ3px7fKwNi9sG/lhf54sZNGGrdk0mS+q27JfxzvHII7x/R
                          duBKrNHNf0bztgobtJDIJppRNSWym+xh8Q2y7n1SRcN9OmgANoTVtpkC1zgSpfrL
                          9ky1nptGzc6KQ3ynG8StVula3xCBEPlSRCBdt0gSKiyIIRg7fYJesDXQXGx8r/Ap
                          H2iiKCg5EEU/Ur4jR7E9MfqNRHEjKQUCeqxzjCMembF35msc21/94iWDSHDPf0Mg
                          71EIQ9w9d6upeP0G+bcpW3vHErCcvjFsVFPhpFdN42tYwn3XWv02hVSquCzWYg2p
                          33Rbol9zrc/TI7UOVOTvBtLyL6KC95e2Lwt8DtfQkw9QoTuqiBHvkFcFW8NXt2WW
                          VZHLm+IGfs+xR8nU14mfCajMPA0fgJudXHRZX5ugD5+knSpYJDBaH/Hq1/D1LKwS
                          +D70HXi+BOqlBABRDox5bpRWVohBUeAOVfH7ucHXSw0GynvhCNhQfV30FOneWg9q
                          qm+4BIshTOLAA7PmxxPX3JTgklysXwEt+mCEhsWFY+2z0DxarMYJN8txeZ3w8kfm
                          NZ8NVb7dviaVxTqD8UTbZa8MTPbN2ZbxzdBxVz0wPg1zDkr2iNdIi5nLgV+8DY6r
                          ZJpaok/t2lWkr49tAykPFP8CAwEAAQ==
                          -----END PUBLIC KEY-----
                      SHA-256 Finger Print:
                          04:BA:EA:66:59:5B:0D:C7:93:59:3E:9A:0E:D5:9B:8F:EF:0B:99:DA:64:1F:B3:A1:11:C6:97:44:1A:96:F4:95
                      SHA1 Finger Print:
                          E1:C5:B4:2A:80:6C:58:55:F1:DB:D7:15:95:8A:9C:2A:97:75:14:92
                      Serial Number:
                          67:90:08:17:BD:8B:D0:94
                      Subject:
                          ----------
                          C:
                              GB
                          CN:
                              myhost.mydomain.net
                          Email:
                              hostmaster@mydomain.net
                          L:
                              London
                          O:
                              MYCorp
                      Subject Hash:
                          63:67:EF:08
                      Version:
                          3
                      X509v3 Extensions:
                          ----------
                          authorityKeyIdentifier:
                              keyid:DB:1B:BB:C0:93:3C:44:4B:6A:7A:5F:15:BB:C0:B8:25:98:7B:03:DB
                              DirName:/C=GB/CN=salt-master.mydomain.net/emailAddress=hostmaster@mydomain.net/L=London/O=MyCorp
                              serial:6F:87:7E:68:4E:D2:46:9D
                          basicConstraints:
                              critical CA:FALSE
                          keyUsage:
                              critical Key Encipherment
                          subjectAltName:
                              IP Address:1.2.3.4, IP Address:127.0.0.1, IP Address:2000:AA20:123:0:0:0:0:26, IP Address:FE80:0:0:0:250:C2FF:FE46:6C1A
                          subjectKeyIdentifier:
                              82:67:CD:51:6F:A4:F6:25:A6:7C:D9:C1:A7:AA:54:46:D0:87:0D:A8
              File:
                  ----------
                  diff:
                      ---
                      +++
                      @@ -1,8 +1,8 @@
                       -----BEGIN CERTIFICATE-----
                      -MIIGjDCCBHSgAwIBAgIIZ5AIF72L0JQwDQYJKoZIhvcNAQELBQAwczELMAkGA1UE
                      +MIIGjDCCBHSgAwIBAgIIFO8vyWidmMMwDQYJKoZIhvcNAQELBQAwczELMAkGA1UE
                       BhMCR0IxHjAcBgNVBAMMFXNhbHQtbWFzdGVyLmxvbmFwLm5ldDEjMCEGCSqGSIb3
                       DQEJARYUaG9zdG1hc3RlckBsb25hcC5uZXQxDzANBgNVBAcMBkxvbmRvbjEOMAwG
                      -A1UECgwFTE9OQVAwHhcNMjAxMjE4MDk1NTA3WhcNMjEwMzE4MDk1NTA3WjByMQsw
                      +A1UECgwFTE9OQVAwHhcNMjAxMjE4MDk1NTMxWhcNMjEwMzE4MDk1NTMxWjByMQsw
                       CQYDVQQGEwJHQjEdMBsGA1UEAwwUcG9ydGFsLmRldi5sb25hcC5uZXQxIzAhBgkq
                       hkiG9w0BCQEWFGhvc3RtYXN0ZXJAbG9uYXAubmV0MQ8wDQYDVQQHDAZMb25kb24x
                       DjAMBgNVBAoMBUxPTkFQMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
                      @@ -23,15 +23,15 @@
                       dDEjMCEGCSqGSIb3DQEJARYUaG9zdG1hc3RlckBsb25hcC5uZXQxDzANBgNVBAcM
                       BkxvbmRvbjEOMAwGA1UECgwFTE9OQVCCCG+HfmhO0kadMDkGA1UdEQQyMDCHBAU5
                       WxqHBH8AAAGHECoA6yAEAgAAAAAAAAAAACaHEP6AAAAAAAAAAlDC//5GbBowDQYJ
                      -KoZIhvcNAQELBQADggIBALbEDkjmB5dnq+NkreZ2gN5FldZOYtC0hyhhNUFfNOnt
                      -U3xhHAcDxfvv55CWpEmC3ufkwp14kOTxfeNLxLR7hKakakFpTRxdkYd2yActLSTJ
                      -uEl/3NoYeVRTitoH21di5bzncem+3Za1npRmj0rqbSPFgpI7BSqsx8GVw7VW/K/F
                      -h7DcHYggmoOWHE8ItI5yL91d5Gye+TK6N/486XL3vl6NQXasKH3wIJUHtovcGf1q
                      -dZ0dULWjWNvwMWH9nJhNpxCZWaYb8m95aQwhJfJMiKChNsC/KMKQsRdZiJWRKTPd
                      -G7OUoNunoqxWvRaFXc2rZd86OOLYH0DGuy4V0SEb9ugvxC8pRM5kfg8FMjx/8ZOD
                      -hsGvfilAWErySUdbFhVmxp7Eu+ubp4qUpzoqh3mX+uINCaCV3el8PtvNEZf2GXKD
                      -2GdaN+ajIGENs1TngYXq+4OvkgfREbOtdF9/s3nmTTwbV+nhfYmPzzshWTrNLUBo
                      -kzQxxpTyjuggKrnwDVXwhCoLWZhTZ/h1Obr1jag9HbWVC508yM2YNc9MLGvPbCWA
                      -zq8XR7KX+vtmp0Si/1hLyTJ8u81onQw6T/6EjdOWbjcV53Lfd0HHQy8moLxX+ReF
                      -zT3+V8+Lo+U91Y0mPSqpc4W8Z8nRdnQUH4Nl9Pmo7+b8BKr6STet5saY9BFRO/QK
                      +KoZIhvcNAQELBQADggIBABNSqjBgV+0gSrFKp0+hvuxOVsoLkBp9yMOfB6gy66HL
                      +trxi4NFHLOUQXU8zXLFBQgj2Go29Y7xlGGH1AD5KfMN1Ygj+SqKUr3DgxmmVTPyR
                      +vwiY0+ar/Xb2da7pPtsAtdBTxoAsG9Vxkx/LA3OY02OXzYztKFFC2f3Gb2coOEeU
                      +zt1JvYW0HSfeYK471thvg0Lu93wU6S1GUQ6Jv7cgX523IwTcdWF4tZiPUWLJOeAL
                      +BsvVL8Rs4XXgLWXbrUxYNMp4EuJfDgRnOFZL4lnCtxNZ601siHk3YsgrMu0BylED
                      +A77uFXBSgYlCtDyax0+aa6wx6q7N6y8q/SpV8x2rc+pPIPf+bV2OC+MvtmoB993G
                      +P08oB0x5QdrIgZ6FtckPq/2Q8JyGgnIBhLiAdexXjOCxzwnLyFH92aXHP7Ew+7Ff
                      +wbuU4CFFexJ0sq99kljwl/uYF+VxHNbaXcErZlrNcFdCnu6bwEjbcoyFAbNlEVTT
                      +AamIyv2KYD5h41uuJv9rzw1WTntS7SFphkfIg0/lCE3b0kW0OmWf97rCbk6ZJv2u
                      +O2f+rZIhTRDP3qLWraRJQ/xleWqreBjrfXgC5fWsAnPzApeErA4P1Sz82Ks6iXya
                      +4ksmbGXjf/noBcsp10nTrmQqNlj9tBVGwDo2wWRP9nIZCULb8v6rQmgneDFjBGmk
                       -----END CERTIFICATE-----
              Status:
                  ----------
                  New:
                      Certificate is valid and up to date
                  Old:
                      Certificate properties are different: Public Key

Expected behavior

It should only generate a certificate if one doesn't exist or is close to expiry. This works as expected on my Debian hosts, but not my Ubuntu hosts.

Versions Report

salt --versions-report
root@salt-master:~# salt --versions-report
Salt Version:
          Salt: 3002.2

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.7.3
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10
       libgit2: Not Installed
      M2Crypto: 0.31.0
          Mako: Not Installed
       msgpack: 0.5.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.6.1
        pygit2: Not Installed
        Python: 3.7.3 (default, Jul 25 2020, 13:03:44)
  python-gnupg: Not Installed
        PyYAML: 3.13
         PyZMQ: 17.1.2
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.1

System Versions:
          dist: debian 10 buster
        locale: UTF-8
       machine: x86_64
       release: 4.19.0-12-amd64
        system: Linux
       version: Debian GNU/Linux 10 buster


@ichilton ichilton added the Bug broken, incorrect, or confusing behavior label Dec 18, 2020
@OrangeDog (Contributor) commented Dec 19, 2020

See also #52180

@maltris commented Jan 28, 2021

I can confirm this problem after upgrading to 20.04 with 3001.4.

@sagetherage sagetherage added severity-high 2nd top severity, seen by most users, causes major problems Silicon v3004.0 Release code name and removed needs-triage labels Feb 9, 2021
@sagetherage sagetherage added this to the Silicon milestone Feb 9, 2021
@sagetherage sagetherage removed their assignment Apr 30, 2021
@piterpunk

OK, I thought this should be a good way to kill a couple of issues with a single patch and just began my tests. I did the test with a Debian 10 master and minion and an Ubuntu 20.04 minion.

For both cases I installed Salt with this procedure:

```bash
apt-get update
apt-get install curl
mkdir -p /etc/salt/minion.d
echo "master: ip.of.my.master" > /etc/salt/minion.d/master.conf
curl -L https://bootstrap.saltstack.com -o install_salt.sh
sh install_salt.sh -P -M -x python3
```

On the minion-only machine, the last line omits the -M.

To have the x509 module working, I also had to install the package python3-m2crypto.

To do the test I used this state:

```yaml
/etc/pki/www.key:
  x509.private_key_managed:
    - name: /etc/pki/www.key
    - bits: 4096
    - backup: True

/etc/pki/www.crt:
  x509.certificate_managed:
    - ca_server: my.ca.server
    - signing_policy: www
    - public_key: /etc/pki/www.key
    - CN: www.example.com
    - O: Laalaa
    - Email: tinky@winky
    - C: PO
    - L: Dipsy
    - days_valid: 90
    - days_remaining: 30
    - backup: True
    - require:
      - /etc/pki/www.key
```

In the first run the certificate was created, as stated by the original poster:

# salt-call state.apply www
...................................++++
.....................................................++++
local:
----------
          ID: /etc/pki/www.key
    Function: x509.private_key_managed
      Result: True
     Comment: File /etc/pki/www.key updated
     Started: 23:42:29.244449
    Duration: 572.106 ms
     Changes:   
              ----------                                                                                                            
              new:
                  New private key generated
----------
          ID: /etc/pki/www.crt
    Function: x509.certificate_managed
      Result: True
     Comment: Certificate /etc/pki/www.crt is valid and up to date
     Started: 23:42:29.817176
    Duration: 380.115 ms
     Changes:   
              ----------                                                                                                            
              Certificate:
                  ----------
                  New:
                      ----------
                      Issuer:
                          ----------
                          CN:
                              ca.example.com
                          C:
                              US
                          L:
                              Salt Lake City
                          SP:
                              Utah
                      Issuer Hash:
                          51:86:ED:5C
                      Key Size:
                          4096
                      MD5 Finger Print:
                          4E:64:66:DF:74:AA:35:C7:D7:C3:98:73:F9:9C:20:9F
                      Not After:
                          2021-08-16 23:42:30
                      Not Before:
                          2021-05-18 23:42:30
                      Public Key:
                          -----BEGIN PUBLIC KEY-----
                          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0383FXCRVTx/7xSTIk24
                          psrQhXFBK6CKx0NJdLvR8cIsLozRB10BeOpylA2i4RgYrK6CrHnUN6Cs6s2mpH+G
                          5qRE/JYlOYAC8nC4WvZyt6jTKtrAKsqNlamV6ca7FjPhnSElrNcnGodleJG66c7I
                          VejhmlEWrzxryTfnRlvU6UrjTUfaQFeKZAxSlPY5RvDnMmAp8z1i6DkLU/Veav01
                          51iZhAnxL8/lrV+FD1tdQBrNqhKHv3JEdffzsB0qT/wMc/gKDuww8lpC/L20tWw6
                          T8MMO+NmfDeQlFgPEAMvZ0uptQfq2rpCmfeQmsncse1vKEVE0J4gKcgLNV21Rnu+
                          r7Eyvag1TQdHXdY7sACS8IYSscxeA+8C55RO97rv4MYv1Boi6HiNrm2fZ30MCFsN
                          QFLjgR7yCLHnoclhzyAQeVaxweJ9DNV6nMDJzwC8Cv6SLNDfeaxBeB6NTHWoPhqK
                          iceh1fJoCdnJfiDMlGXWxi1UzDcPXjJFsEp9vK1WruVC8cO+8uPjgnolEoWFvqud
                          yyVVum6MKMaxrdUOQuFInXzrSTy0PAJLpMPyIWhh5YN45jT7OPCFoDBLRlNo6GcI
                          1JpCtHBSlWWMtqA9KpqgnTjkuGktRWeZDaj2gG7TVhskdJh8MALkD1Ne30FXojvk
                          jAq9BCW0dSHs0D8t7+1EfvUCAwEAAQ==
                          -----END PUBLIC KEY-----
                      SHA-256 Finger Print:
                          40:20:42:F0:3B:48:A6:A3:C5:84:84:98:D3:CC:35:F3:01:A2:EB:2C:0A:37:18:F8:2B:20:B3:68:0F:95:F2:F1
                      SHA1 Finger Print:
                          7A:F4:CD:0B:2E:10:2E:9B:A5:EC:2C:D7:4E:9F:71:22:AB:8F:8E:11
                      Serial Number:
                          54:52:03:69:3F:7A:77:D6
                      Subject:
                          ----------
                          CN:
                              www.example.com
                          C:
                              US
                          L:
                              Salt Lake City
                          SP:
                              Utah
                          O:
                              Laalaa
                          Email:
                              tinky@winky
                      Subject Hash:
                          E7:6E:A3:7A
                      Version:
                          3
                      X509v3 Extensions:
                          ----------
                          basicConstraints:
                              critical CA:FALSE
                          keyUsage:
                              critical Key Encipherment
                          subjectKeyIdentifier:
                              BA:BF:73:42:F1:DC:CC:54:26:FB:CE:2F:AC:41:BF:16:D2:17:A8:15
                          authorityKeyIdentifier:
                              keyid:7E:8E:78:B8:94:EE:D7:8F:B8:E1:23:B9:08:CA:6B:F4:6A:E8:6C:C3
                              DirName:/C=US/CN=ca.example.com/L=Salt Lake City/ST=Utah
                              serial:24:F0:EA:25:0E:64:22:ED
                  Old:
                      ----------
              File:
                  ----------
                  diff:
                      New file
              Status:
                  ----------
                  New:
                      Certificate is valid and up to date
                  Old:
                      /etc/pki/www.crt does not exist

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time: 952.221 ms

But, contrary to this report, the second run did as it should, recognizing that the certificate already exists and not creating a new one:

# salt-call state.apply www
[WARNING ] State for file: /etc/pki/www.crt - Neither 'source' nor 'contents' nor 'contents_pillar' nor 'contents_grains' was defined, yet 'replace' was set to 'True'. As there is no source to replace the file with, 'replace' has been set to 'False' to avoid reading the file unnecessarily.
local:
----------
          ID: /etc/pki/www.key
    Function: x509.private_key_managed
      Result: True
     Comment: File /etc/pki/www.key is in the correct state
     Started: 23:42:40.797810
    Duration: 28.936 ms
     Changes:   
----------
          ID: /etc/pki/www.crt
    Function: x509.certificate_managed
      Result: True
     Comment: Certificate /etc/pki/www.crt is valid and up to date
     Started: 23:42:40.827387
    Duration: 373.348 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time: 402.284 ms

I guess this was fixed either in the modules used by Ubuntu or by some changes in Salt between 3001.4 and 3003, probably ade7a09.

minion: salt-call --versions-report

Salt Version:
Salt: 3003

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.7.3
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.10.1
libgit2: Not Installed
M2Crypto: 0.31.0
Mako: Not Installed
msgpack: 0.6.2
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: 3.6.1
pygit2: Not Installed
Python: 3.8.5 (default, Jan 27 2021, 15:41:15)
python-gnupg: 0.4.5
PyYAML: 5.3.1
PyZMQ: 18.1.1
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.2

System Versions:
dist: ubuntu 20.04 focal
locale: utf-8
machine: x86_64
release: 5.4.0-72-generic
system: Linux
version: Ubuntu 20.04 focal

master/minion: salt-call --versions-report

Salt Version:
Salt: 3003

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.7.3
docker-py: Not Installed
gitdb: 2.0.5
gitpython: 2.1.11
Jinja2: 2.10
libgit2: Not Installed
M2Crypto: 0.31.0
Mako: Not Installed
msgpack: 0.5.6
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: 3.6.1
pygit2: Not Installed
Python: 3.7.3 (default, Jan 22 2021, 20:04:44)
python-gnupg: Not Installed
PyYAML: 3.13
PyZMQ: 17.1.2
smmap: 2.0.5
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.1

System Versions:
dist: debian 10 buster
locale: UTF-8
machine: x86_64
release: 4.19.0-16-amd64
system: Linux
version: Debian GNU/Linux 10 buster

Am I doing something wrong in the tests? Should I test against the git version?

@piterpunk

@krionbsd as you are assigned to #52167 and these issues seem to be related.

@sagetherage sagetherage modified the milestones: Silicon, Approved Aug 12, 2021
@Ch3LL Ch3LL added Sulfur v3006.0 release code name and version and removed Silicon v3004.0 Release code name labels Oct 25, 2021
@Ch3LL Ch3LL modified the milestones: Approved, Sulphur v3006.0 Oct 25, 2021
@OrangeDog (Contributor) commented Aug 30, 2022

> I guess this was fixed [...] by some changes in Salt between 3001.4 and 3003, probably ade7a09.

That was released in 3001.1, so probably not. Also, OP reported this for 3002.2.

@waynew waynew removed the Sulfur v3006.0 release code name and version label Dec 16, 2022
@nicholasmhughes (Collaborator)

Closing this issue since:

  • the reported bug is for a version that has reached end-of-support
  • the x509_v2 modules have been introduced, and may fix this issue as well
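
A check that can be run over the `Changes` data of an `x509.certificate_managed` result to tell a justified reissue from the churn reported in this issue: it compares decoded key material rather than PEM text and applies the `days_remaining` window to the old certificate. This is an added example, not Salt's own code; the function names, the assumption that the changes arrive as a nested dict shaped like the output above, and the sample data (constructed, with a placeholder byte string in place of a real key) are illustrative.

```python
import base64
import hashlib
from datetime import datetime, timedelta

# Properties that differ on every issuance and so cannot justify a reissue.
VOLATILE = {"Serial Number", "Not Before", "Not After", "MD5 Finger Print",
            "SHA1 Finger Print", "SHA-256 Finger Print"}


def pem_body_digest(pem):
    """SHA-256 of the decoded PEM body, so wrapping and whitespace are ignored."""
    rows = (row.strip() for row in pem.strip().splitlines())
    body = "".join(r for r in rows if r and not r.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def normalise(field, value):
    """Reduce a property to a form in which equal content compares equal."""
    if value is None:
        return None
    if field == "Public Key":
        return pem_body_digest(value)
    if isinstance(value, dict):  # Subject, Issuer, extensions: order is irrelevant
        return {k: normalise(k, v) for k, v in value.items()}
    return value.strip() if isinstance(value, str) else value


def changed_fields(old, new):
    """Names of non-volatile properties that really differ between two certs."""
    keys = (set(old) | set(new)) - VOLATILE
    return sorted(k for k in keys
                  if normalise(k, old.get(k)) != normalise(k, new.get(k)))


def classify_reissue(changes, run_time, days_remaining=30):
    """Return 'first-issue', 'changed:<fields>', 'renewal' or 'spurious'."""
    cert = changes["Certificate"]
    old, new = cert.get("Old") or {}, cert["New"]
    if not old:
        return "first-issue"
    diffs = changed_fields(old, new)
    if diffs:
        return "changed:" + ",".join(diffs)
    not_after = datetime.strptime(old["Not After"], "%Y-%m-%d %H:%M:%S")
    if not_after - run_time < timedelta(days=days_remaining):
        return "renewal"
    return "spurious"


# --- Constructed sample data (placeholder bytes, not a real key) -------------
SAMPLE_SPKI = bytes(range(256)) + b"constructed, not a real key"


def sample_pem(width, spki=SAMPLE_SPKI):
    """Render the same bytes as PEM with a chosen line width."""
    b64 = base64.b64encode(spki).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(rows)
            + "\n-----END PUBLIC KEY-----\n")


# Same subject and key; only serial, validity and PEM wrapping differ.
SAMPLE_CHANGES = {"Certificate": {
    "Old": {"Subject": {"CN": "myhost.example.net", "O": "ExampleCorp"},
            "Public Key": sample_pem(64), "Serial Number": "AA:01",
            "Not Before": "2020-12-18 09:55:07",
            "Not After": "2021-03-18 09:55:07"},
    "New": {"Subject": {"O": "ExampleCorp", "CN": "myhost.example.net"},
            "Public Key": sample_pem(76), "Serial Number": "AA:02",
            "Not Before": "2020-12-18 09:55:31",
            "Not After": "2021-03-18 09:55:31"},
}}
RUN_TIME = datetime(2020, 12, 18, 9, 55, 31)

if __name__ == "__main__":
    print(classify_reissue(SAMPLE_CHANGES, RUN_TIME))
```

A `spurious` result on consecutive runs is the pattern described in this issue; each such run also leaves another issued certificate under the CA's `copypath`.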
