The x509.certificate_managed state doesn't work when it's configured to handle its own private key, as explained in the docs or shown in the example, and the key does not exist yet.
```yaml
# self signed cert
/etc/nginx/certs/localhost.cert.pem:
  x509.certificate_managed:
    - signing_private_key: /etc/nginx/private/localhost.key.pem
    - CN: localhost
    - days_valid: 365
    - days_remaining: 90
    - managed_private_key:
        name: /etc/nginx/private/localhost.key.pem
        bits: 2048
    - require:
      - pkg: python-m2crypto
```
```
          ID: /etc/nginx/certs/localhost.cert.pem
    Function: x509.certificate_managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/site-packages/salt/state.py", line 1745, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1702, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 473, in certificate_managed
                  new = __salt__['x509.create_certificate'](testrun=True, **kwargs)
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 1484, in create_certificate
                  passphrase=kwargs['signing_private_key_passphrase'])
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 679, in get_public_key
                  text = get_pem_entry(text)
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 472, in get_pem_entry
                  raise salt.exceptions.SaltInvocationError(errmsg)
              SaltInvocationError: PEM text not valid: /etc/nginx/private/localhost.key.pem
     Started: 16:29:53.585609
    Duration: 99.44 ms
     Changes:
```
```
Salt Version:
    Salt: 2016.11.2
Dependency Versions:
    cffi: Not Installed
    cherrypy: Not Installed
    dateutil: Not Installed
    gitdb: Not Installed
    gitpython: Not Installed
    ioflo: Not Installed
    Jinja2: 2.9.5
    libgit2: Not Installed
    libnacl: Not Installed
    M2Crypto: 0.24.0
    Mako: Not Installed
    msgpack-pure: Not Installed
    msgpack-python: 0.4.8
    mysql-python: Not Installed
    pycparser: Not Installed
    pycrypto: 2.6.1
    pygit2: Not Installed
    Python: 2.7.13 (default, Dec 21 2016, 07:16:46)
    python-gnupg: Not Installed
    PyYAML: 3.12
    PyZMQ: 16.0.2
    RAET: Not Installed
    smmap: Not Installed
    timelib: Not Installed
    Tornado: 4.4.2
    ZMQ: 4.2.0
System Versions:
    dist:
    machine: x86_64
    release: 4.7.4-1-ARCH
    system: Linux
    version: Not Installed
```
Thanks for reporting this, I have replicated this issue.
Thanks,
Daniel
Confirming on 2016.11.3
Also have this issue on salt 2016.11.3 (Carbon)
We also have this issue :(
If you want to bypass this error, make the key in another config and include it in the CA cert. So the example in the doc would become:
```yaml
/etc/pki/ca.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - file: /etc/pki

/etc/pki/ca.crt:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/ca.key
    - CN: ca.example.com
    - C: US
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
    - require:
      - file: /etc/pki
      - x509: /etc/pki/ca.key
```
This workaround worked for me. Thanks @etiennepouliot !
I can confirm that this is still a bug in v2017.7.2
The workaround works fine though. Maybe removing the managed_private_key option might be the easiest path forward, seeing as it has been broken for so long (since at least v2016.11.2).
Still seeing the bug, and the workaround works. Thanks for pointing out how to do the require with x509:
```
Salt Version:
    Salt: 2018.3.1
Dependency Versions:
    cffi: Not Installed
    cherrypy: 3.5.0
    dateutil: 2.4.2
    docker-py: Not Installed
    gitdb: 0.6.4
    gitpython: 1.0.1
    ioflo: Not Installed
    Jinja2: 2.8
    libgit2: Not Installed
    libnacl: Not Installed
    M2Crypto: 0.21.1
    Mako: 1.0.3
    msgpack-pure: Not Installed
    msgpack-python: 0.4.6
    mysql-python: Not Installed
    pycparser: Not Installed
    pycrypto: 2.6.1
    pycryptodome: Not Installed
    pygit2: Not Installed
    Python: 2.7.12 (default, Dec 4 2017, 14:50:18)
    python-gnupg: 0.3.8
    PyYAML: 3.11
    PyZMQ: 15.2.0
    RAET: Not Installed
    smmap: 0.9.0
    timelib: Not Installed
    Tornado: 4.2.1
    ZMQ: 4.1.4
System Versions:
    dist: Ubuntu 16.04 xenial
    locale: UTF-8
    machine: x86_64
    release: 4.4.0-96-generic
    system: Linux
    version: Ubuntu 16.04 xenial
```
Hi
Still present in 2018.3.2
```
Salt Version:
    Salt: 2018.3.2
Dependency Versions:
    cffi: Not Installed
    cherrypy: 3.5.0
    dateutil: 2.5.3
    docker-py: Not Installed
    gitdb: Not Installed
    gitpython: Not Installed
    ioflo: Not Installed
    Jinja2: 2.9.4
    libgit2: Not Installed
    libnacl: Not Installed
    M2Crypto: 0.24.0
    Mako: Not Installed
    msgpack-pure: Not Installed
    msgpack-python: 0.4.8
    mysql-python: Not Installed
    pycparser: Not Installed
    pycrypto: 2.6.1
    pycryptodome: Not Installed
    pygit2: Not Installed
    Python: 2.7.13 (default, Sep 26 2018, 18:42:22)
    python-gnupg: Not Installed
    PyYAML: 3.12
    PyZMQ: 16.0.2
    RAET: Not Installed
    smmap: Not Installed
    timelib: Not Installed
    Tornado: 4.4.3
    ZMQ: 4.2.1
System Versions:
    dist: debian 9
    locale: UTF-8
    machine: x86_64
    release: 4.9.0-8-amd64
    system: Linux
    version: debian 9
```
Hi
Still present in 2018.3.3, and with the fix I have another error, due to Python 3
```
          ID: /etc/pki/ca.crt
    Function: x509.certificate_managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python3.4/site-packages/salt/state.py", line 1913, in call
                  **cdata['kwargs'])
                File "/usr/lib/python3.4/site-packages/salt/loader.py", line 1898, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python3.4/site-packages/salt/states/x509.py", line 554, in certificate_managed
                  file_args['contents'] += certificate
              TypeError: Can't convert 'bytes' object to str implicitly
     Started: 10:50:51.096927
    Duration: 21.669 ms
     Changes:
```
```
Salt Version:
    Salt: 2018.3.3
Dependency Versions:
    cffi: 1.11.5
    cherrypy: unknown
    dateutil: Not Installed
    docker-py: Not Installed
    gitdb: Not Installed
    gitpython: Not Installed
    ioflo: Not Installed
    Jinja2: 2.10
    libgit2: 0.26.5
    libnacl: Not Installed
    M2Crypto: 0.28.2
    Mako: Not Installed
    msgpack-pure: Not Installed
    msgpack-python: 0.5.6
    mysql-python: Not Installed
    pycparser: 2.18
    pycrypto: 2.6.1
    pycryptodome: Not Installed
    pygit2: 0.26.4
    Python: 3.4.9 (default, Aug 14 2018, 21:28:57)
    python-gnupg: Not Installed
    PyYAML: 3.11
    PyZMQ: 15.3.0
    RAET: Not Installed
    smmap: Not Installed
    timelib: Not Installed
    Tornado: 4.4.2
    ZMQ: 4.1.4
System Versions:
    dist: centos 7.5.1804 Core
    locale: UTF-8
    machine: x86_64
    release: 3.10.0-862.14.4.el7.x86_64
    system: Linux
    version: CentOS Linux 7.5.1804 Core
```
@saltstack/team-triage ping
ping @Poil any chance you can try the head of 2018.3? I am thinking that these fixes might resolve the issue you pointed out: https://github.com/saltstack/salt/pull/49782
and possibly duplicate of https://github.com/saltstack/salt/issues/50637
Yep they fixed it; I forgot to reply here, but that's why I close #50676
Will that be released before the end of the year, or should I work around it?
Thanks,
Rick
On Wed, Dec 5, 2018 at 11:41 AM Poil notifications@github.com wrote:
Yep they fixed it; I forgot to reply here, but that's why I close #50676
https://github.com/saltstack/salt/pull/50676
I've also pushed another fix, because today the certs are renewed at each run: #50734
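As an added example (not Salt's code and not from any commenter in this thread), the stdlib-only Python below re-implements, in isolation, the three failure modes reported above: the signing-key path being handed to the PEM parser before the key file exists (the "PEM text not valid: /etc/nginx/private/localhost.key.pem" traceback), the Python 3 bytes/str mismatch in the second traceback, and the days_remaining comparison that decides whether a certificate is regenerated on a run. The function names, the placeholder PEM body and the dates are all constructed for the example; a real minion would read the key from disk.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed sample: the base64 payload is a placeholder, not a real key.
SAMPLE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAK+placeholder+not+a+real+key==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S
)


class PemError(ValueError):
    """Raised when text that should contain a PEM block does not."""


def get_pem_entry(text_or_path):
    """Return the first PEM block from PEM text or from a file path.

    Hypothetical helper, not Salt's own: it separates 'path to a key that
    does not exist yet' from 'text that is not PEM', instead of reporting
    the path itself as invalid PEM text.
    """
    if isinstance(text_or_path, bytes):
        # Under Python 3 a module may hand back bytes; normalise to str so a
        # later 'str += certificate' does not raise TypeError.
        text_or_path = text_or_path.decode("utf-8")
    if "-----BEGIN " not in text_or_path:
        # No PEM marker: treat the value as a filesystem path.
        if not os.path.exists(text_or_path):
            raise FileNotFoundError(
                "%s does not exist yet; the x509.private_key_managed state "
                "for it must run first" % text_or_path
            )
        with open(text_or_path, "r") as fh:
            text_or_path = fh.read()
    match = PEM_RE.search(text_or_path)
    if match is None:
        raise PemError("PEM text not valid")
    return match.group(0) + "\n"


def check_signing_key(signing_private_key):
    """Pre-flight check returning (ok, message) instead of raising."""
    try:
        get_pem_entry(signing_private_key)
    except (FileNotFoundError, PemError) as exc:
        return False, str(exc)
    return True, "ok"


def roundtrip_through_file():
    """Write the constructed key to a temp file and load it back by path."""
    with tempfile.NamedTemporaryFile("w", suffix=".key.pem", delete=False) as fh:
        fh.write(SAMPLE_KEY_PEM)
        path = fh.name
    try:
        return get_pem_entry(path)
    finally:
        os.unlink(path)


def needs_renewal(not_after, now, days_remaining):
    """True when fewer than days_remaining days are left, or already expired.

    days_remaining=0 means 'only regenerate once expired'; a state that
    skips this comparison regenerates the certificate on every run.
    """
    return not_after - now < timedelta(days=days_remaining)


def renewal_decisions():
    """Constructed schedule: a cert expiring 2019-12-31 checked on three dates."""
    not_after = datetime(2019, 12, 31)
    checks = [datetime(2019, 6, 1), datetime(2019, 11, 1), datetime(2020, 1, 15)]
    return {
        90: [needs_renewal(not_after, d, 90) for d in checks],
        0: [needs_renewal(not_after, d, 0) for d in checks],
    }


if __name__ == "__main__":
    print(check_signing_key("/nonexistent-dir/localhost.key.pem"))
    print(check_signing_key(SAMPLE_KEY_PEM))
    print(renewal_decisions())
```

With the thread's original SLS, the state runs check_signing_key's first case: the path is not PEM and the file is not there yet, which is exactly why ordering the key state first (the workaround above) makes the certificate state succeed.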
Seems to still be broken in 2018.3.4.
```
Salt Version:
    Salt: 2018.3.4
Dependency Versions:
    cffi: Not Installed
    cherrypy: Not Installed
    dateutil: 2.6.1
    docker-py: Not Installed
    gitdb: 2.0.3
    gitpython: 2.1.8
    ioflo: Not Installed
    Jinja2: 2.10
    libgit2: 0.26.0
    libnacl: Not Installed
    M2Crypto: 0.32.0
    Mako: Not Installed
    msgpack-pure: Not Installed
    msgpack-python: 0.5.6
    mysql-python: Not Installed
    pycparser: Not Installed
    pycrypto: 2.6.1
    pycryptodome: Not Installed
    pygit2: 0.26.2
    Python: 3.6.7 (default, Oct 22 2018, 11:32:17)
    python-gnupg: 0.4.1
    PyYAML: 3.12
    PyZMQ: 16.0.2
    RAET: Not Installed
    smmap: 2.0.3
    timelib: Not Installed
    Tornado: 4.5.3
    ZMQ: 4.2.5
System Versions:
    dist: Ubuntu 18.04 bionic
    locale: ISO-8859-1
    machine: x86_64
    release: 4.15.0-46-generic
    system: Linux
    version: Ubuntu 18.04 bionic
```
Thanks for the update, I picked up 2019.2.0 a few days ago, was meaning to test to see if it is fixed in that release.
Rick
On Wed, Mar 13, 2019 at 10:02 AM James Howe notifications@github.com wrote:
Seems to still be broken in 2018.3.4.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
unstale
Thank you for updating this issue. It is no longer marked as stale.
@sagetherage this can be closed now: As Designed