Salt: [2018.0rc1] salt.states.x509 now broken

Created on 5 Mar 2018 · 8 Comments · Source: saltstack/salt

Description of Issue/Question

----------
          ID: certificate.authority::private-key
    Function: x509.private_key_managed
        Name: /salt/pki/ca.key
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/opt/local/lib/python2.7/site-packages/salt/state.py", line 1876, in call
                  **cdata['kwargs'])
                File "/opt/local/lib/python2.7/site-packages/salt/loader.py", line 1823, in wrapper
                  return f(*args, **kwargs)
                File "/opt/local/lib/python2.7/site-packages/salt/states/x509.py", line 303, in private_key_managed
                  name, bits=bits, passphrase=passphrase, new=new, overwrite=overwrite):
                File "/opt/local/lib/python2.7/site-packages/salt/states/x509.py", line 240, in _check_private_key
                  'The provided passphrase cannot decrypt the private key.')
              CommandExecutionError: The provided passphrase cannot decrypt the private key.
     Started: 19:28:45.695662
    Duration: 7.64 ms
     Changes:
----------

Setup

certificate.authority::private-key:
  x509.private_key_managed:
    - name: {{ certcfg['config']['authority_dir'] }}/ca.key
    - bits: 8192
    - backup: True
    - require:
      - file: certificate.authority::directory

Steps to Reproduce Issue

Try and apply a simple state to generate a private key

Versions Report

cronos# salt-call --versions-report
Salt Version:
           Salt: 2018.3.0rc1

Dependency Versions:
           cffi: 1.9.1
       cherrypy: 8.1.0
       dateutil: 2.5.3
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.8
          ioflo: 1.7.4
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: 1.6.1
       M2Crypto: 0.22
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12 (default, Jan 26 2017, 18:07:59)
   python-gnupg: 2.3.1
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: 0.6.8
          smmap: 0.9.0
        timelib: 0.2.4
        Tornado: 4.3
            ZMQ: 4.1.4

System Versions:
           dist:
         locale: UTF-8
        machine: i86pc
        release: 5.11
         system: SunOS
        version: Not Installed
Bug P1 State Module ZRELEASED - 2018.3.0 fixed-pending-your-verification severity-critical severity-medium

All 8 comments

I'm able to replicate this using your state. Although the first time I ran it I saw this error instead:

local:
The State execution failed to record the order in which all states were executed. The state return missing data is:
{u'changes': {},
 u'comment': u"An exception occurred in this state: 'Changes' should be a dictionary.",
 u'name': u'later',
 u'result': False}
----------
          ID: certificate.authority::private-key
    Function: x509.private_key_managed
        Name: /etc/ca.key
      Result: False
     Comment: An exception occurred in this state: 'Changes' should be a dictionary.
     Changes:

Summary for local
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:   0.000 ms

But when run multiple times I started seeing your error. We will need to get this fixed up, thanks.

Good that you are able to replicate it, I did not catch the first one as this was part of my CA setup and the certificate/key pair already existed.

Found the issue. Unicode strikes again. Got a fix, just looking to add some tests.

@garethgreenaway cool, I'll try and do another rc1 build with your changes once they land.
This is blocking rolling out rc1 to all my minions.

Pretty sure I will find a few more bugs once I do.

With the patch from PR #46401 applied I now error on the state for the certificate instead of the key!

          ID: certificate.authority::certificate
    Function: x509.certificate_managed
        Name: /salt/pki/ca.crt
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/opt/local/lib/python2.7/site-packages/salt/state.py", line 1876, in call
                  **cdata['kwargs'])
                File "/opt/local/lib/python2.7/site-packages/salt/loader.py", line 1823, in wrapper
                  return f(*args, **kwargs)
                File "/opt/local/lib/python2.7/site-packages/salt/states/x509.py", line 493, in certificate_managed
                  new = __salt__['x509.create_certificate'](testrun=True, **kwargs)
                File "/opt/local/lib/python2.7/site-packages/salt/modules/x509.py", line 1495, in create_certificate
                  name=extname, value=extval, critical=critical, issuer=issuer)
                File "/opt/local/lib/python2.7/site-packages/salt/modules/x509.py", line 149, in _new_extension
                  lhash, ctx, name, value)  # pylint: disable=no-member
              TypeError: in method 'x509v3_ext_conf', argument 3 of type 'char *'
     Started: 14:23:25.086163
    Duration: 11.594 ms
     Changes:

## manage certificate
certificate.authority::certificate:
  x509.certificate_managed:
    - name: {{ certcfg['config']['authority_dir'] }}/ca.crt
    - signing_private_key: {{ certcfg['config']['authority_dir'] }}/ca.key
    - CN: Redacted Root CA
    - O: Redacted
    - C: BE
    - ST: Antwerp
    - L: Local Town
    - Email: [email protected]
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
    - require:
      - x509: certificate.authority::private-key

I don't want to publicly publish my whole states for my certificate stuff, I will try to get them to @Ch3LL through private channels.
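As an added illustration, not Salt's code and not the fix from PR #46401: the `TypeError: in method 'x509v3_ext_conf', argument 3 of type 'char *'` in the traceback above is the message a SWIG-generated C wrapper emits when it is handed something other than the interpreter's native `str` type, which on Python 2 is what happens when extension names and values arrive as `unicode` after Jinja/YAML rendering. The `x509v3_ext_conf_stub` binding and the `to_native_str` helper below are constructed for this example; the defensive step they show is coercing both arguments to native `str` before the binding is called.

```python
"""Constructed example: coerce extension name/value to the native str type
before calling a C binding that only accepts that type."""
import sys


def to_native_str(value, encoding="utf-8"):
    """Return `value` as the interpreter's native str type.

    On Python 2 that means encoding unicode to bytes (what a SWIG 'char *'
    argument accepts); on Python 3 it means decoding bytes to str.
    """
    if isinstance(value, str):
        return value
    if sys.version_info[0] == 2:  # pragma: no cover (py2 only)
        if isinstance(value, unicode):  # noqa: F821
            return value.encode(encoding)
    elif isinstance(value, (bytes, bytearray)):
        return bytes(value).decode(encoding)
    raise TypeError("expected text, got %s" % type(value).__name__)


def x509v3_ext_conf_stub(lhash, ctx, name, value):
    """Stand-in for a SWIG-wrapped x509v3_ext_conf (hypothetical, not M2Crypto).

    Like a real 'char *' wrapper it rejects anything that is not the native
    str type and reports the offending argument position.
    """
    for pos, arg in ((3, name), (4, value)):
        if type(arg) is not str:
            raise TypeError(
                "in method 'x509v3_ext_conf', argument %d of type 'char *'" % pos)
    return "%s=%s" % (name, value)


def new_extension(name, value):
    """Coerce first, then call the binding; mirrors the shape of a
    defensive _new_extension wrapper (hypothetical name)."""
    return x509v3_ext_conf_stub(None, None, to_native_str(name), to_native_str(value))
```

Run the same call without the coercion (pass a non-native type straight to the stub) and you get the exact `argument 3 of type 'char *'` wording from the traceback.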

ping @garethgreenaway mind taking a look here? Ping me when you are looking and I can send you the files @sjorge sent me.

Was able to duplicate the certificate issue, investigating now.
