x509.sign_remote_certificate not working after upgrade to 2019.2.0
CA server minion config /etc/salt/minion.d/signing_policies.conf:
x509_signing_policies:
  ca_policy:
    - minions: '*'
    - signing_private_key: /path/to/key/file
    - signing_cert: /path/to/cert/file
    - O: Test Company
    - basicConstraints: "CA:false"
    - keyUsage: "critical digitalSignature, keyEncipherment"
    - extendedKeyUsage: "critical serverAuth, clientAuth"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid
    - days_valid: 730
    - copypath: /path/to/certs/dir/
Managed certificate state:
{% from "test/map.jinja" import test with context %}
test_crt:
  x509.certificate_managed:
    - name: {{ test.crt }}
    - ca_server: {{ test.ca_server }}
    - signing_policy: ca_policy
    - public_key: {{ test.key }}
    - CN: {{ grains['id'] }}
    - days_remaining: 30
    - backup: True
test/map.jinja:
{% import_yaml "test/defaults.yaml" as default_settings %}
{% set test = salt['pillar.get'](
    'test',
    default=default_settings.test,
    merge=True)
%}
test/defaults.yaml:
test:
  key: /etc/pki/tls/private/test.key
  crt: /etc/pki/tls/certs/test.crt
  ca_server: 127.0.0.1
Pillar of the minion:
test:
  ca_server: ca.server.hostname
Execute on the master:
salt 'minion' state.apply
Getting errors:
          ID: test_crt
    Function: x509.certificate_managed
        Name: /etc/pki/tls/certs/test.crt
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
                  'New': __salt__['x509.read_certificate'](certificate=certificate)}
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
                  cert = _get_certificate_obj(certificate)
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
                  text = get_pem_entry(text, pem_type='CERTIFICATE')
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
                  raise salt.exceptions.SaltInvocationError(errmsg)
              SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
              signing_policy must be specified
     Started: 15:45:45.250191
    Duration: 720.156 ms
     Changes:
Master log:
2019-02-27 15:45:45,267 [salt.transport.zeromq:132 ][DEBUG ][27686] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'salt.host.local_master', u'tcp://**.**.**.**:4506', u'clear')
2019-02-27 15:45:45,267 [salt.transport.zeromq:203 ][DEBUG ][27686] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,267 [salt.transport.zeromq:1178][DEBUG ][27686] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,271 [salt.utils.event :742 ][DEBUG ][27687] Sending event: tag = 20190227154545270710; data = {u'_stamp': '2019-02-27T13:45:45.271095', u'minions': [u'ca.host.name']}
2019-02-27 15:45:45,271 [salt.utils.event :742 ][DEBUG ][27687] Sending event: tag = salt/job/20190227154545270710/new; data = {u'tgt_type': 'glob', u'jid': u'20190227154545270710', u'user': 'root', u'tgt': 'ca.host.name', u'arg': [{"u'CN'": "u'minion.host.name'", "u'signing_policy'": "u'ca_policy'", "u'public_key'": "u'-----BEGIN PUBLIC KEY-----******************************-----END PUBLIC KEY-----'", 'testrun': True, "u'public_key_passphrase'": 'None'}], u'fun': 'x509.sign_remote_certificate', u'missing': [], u'_stamp': '2019-02-27T13:45:45.271621', u'minions': [u'ca.host.name']}
2019-02-27 15:45:45,272 [salt.loaded.int.returner.local_cache:249 ][DEBUG ][27687] Adding minions for job 20190227154545270710: [u'ca.host.name']
2019-02-27 15:45:45,272 [salt.master :2345][INFO ][27687] User root Published command x509.sign_remote_certificate with jid 20190227154545270710
2019-02-27 15:45:45,272 [salt.master :2353][DEBUG ][27687] Published command details {u'tgt_type': 'glob', u'jid': u'20190227154545270710', u'tgt': 'ca.host.name', u'ret': '', u'user': 'root', u'arg': [{"u'CN'": "u'minion.host.name'", "u'signing_policy'": "u'ca_policy'", "u'public_key'": "u'-----BEGIN PUBLIC KEY-----*****************************-----END PUBLIC KEY-----'", 'testrun': True, "u'public_key_passphrase'": 'None'}], u'fun': 'x509.sign_remote_certificate', u'id': 'minion.host.name'}
2019-02-27 15:45:45,272 [salt.transport.zeromq:1012][DEBUG ][27687] Signing data packet
2019-02-27 15:45:45,273 [salt.crypt :199 ][DEBUG ][27687] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,273 [salt.crypt :224 ][DEBUG ][27687] salt.crypt.sign_message: Signing message.
2019-02-27 15:45:45,274 [salt.transport.zeromq:1034][DEBUG ][27687] Sending payload to publish daemon. jid=20190227154545270710 size=1092
2019-02-27 15:45:45,274 [salt.transport.zeromq:1039][DEBUG ][27687] Sent payload to publish daemon.
2019-02-27 15:45:45,280 [salt.transport.zeromq:895 ][DEBUG ][27667] Publish daemon received payload. size=1092
2019-02-27 15:45:45,281 [salt.transport.zeromq:893 ][DEBUG ][27667] Publish daemon getting data from puller ipc:///var/run/salt/master/publish_pull.ipc
2019-02-27 15:45:45,281 [salt.transport.zeromq:227 ][DEBUG ][27686] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,284 [salt.crypt :207 ][DEBUG ][27675] salt.crypt.get_rsa_pub_key: Loading public key
2019-02-27 15:45:45,319 [salt.utils.job :68 ][INFO ][27674] Got return from ca.host.name for job 20190227154545270710
2019-02-27 15:45:45,319 [salt.utils.event :742 ][DEBUG ][27674] Sending event: tag = salt/job/20190227154545270710/ret/ca.host.name; data = {'fun_args': [{'testrun': True, "u'public_key'": "u'-----BEGIN PUBLIC KEY-----***********************************-----END PUBLIC KEY-----'", "u'signing_policy'": "u'ca_policy'", "u'public_key_passphrase'": 'None', "u'CN'": "u'minion.host.name'"}], 'jid': '20190227154545270710', 'return': 'signing_policy must be specified', 'retcode': 0, 'success': True, 'cmd': '_return', u'_stamp': '2019-02-27T13:45:45.319394', 'fun': 'x509.sign_remote_certificate', 'id': 'ca.host.name'}
CA log:
2019-02-27 15:45:45,282 [salt.minion :1465][INFO ][6880] User root Executing command x509.sign_remote_certificate with jid 20190227154545270710
2019-02-27 15:45:45,283 [salt.minion :1472][DEBUG ][6880] Command details {u'tgt_type': u'glob', u'jid': u'20190227154545270710', u'tgt': u'ca.host.name', u'ret': u'', u'user': u'root', u'arg': [{u"u'CN'": u"u'minion.host.name'", u"u'signing_policy'": u"u'ca_policy'", u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----**********************-----END PUBLIC KEY-----'", u'testrun': True, u"u'public_key_passphrase'": u'None'}], u'fun': u'x509.sign_remote_certificate', u'id': u'minion.host.name'}
2019-02-27 15:45:45,299 [salt.minion :1605][INFO ][25562] Starting a new job 20190227154545270710 with PID 25562
2019-02-27 15:45:45,303 [salt.utils.lazy :107 ][DEBUG ][25562] Could not LazyLoad {0}.allow_missing_func: '{0}.allow_missing_func' is not available.
2019-02-27 15:45:45,307 [salt.utils.lazy :104 ][DEBUG ][25562] LazyLoaded x509.sign_remote_certificate
2019-02-27 15:45:45,308 [salt.minion :767 ][DEBUG ][25562] Minion return retry timer set to 7 seconds (randomized)
2019-02-27 15:45:45,308 [salt.minion :1941][INFO ][25562] Returning information for job: 20190227154545270710
2019-02-27 15:45:45,308 [salt.transport.zeromq:132 ][DEBUG ][25562] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'ca.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,310 [salt.crypt :463 ][DEBUG ][25562] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'ca.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,311 [salt.transport.zeromq:203 ][DEBUG ][25562] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,311 [salt.transport.zeromq:1178][DEBUG ][25562] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,321 [salt.transport.zeromq:227 ][DEBUG ][25562] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,322 [salt.minion :1783][DEBUG ][25562] minion return: {u'fun_args': [{u"u'CN'": u"u'minion.host.name'", u"u'signing_policy'": u"u'ca_policy'", u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----**********************-----END PUBLIC KEY-----'", u'testrun': True, u"u'public_key_passphrase'": u'None'}], u'jid': u'20190227154545270710', u'return': u'signing_policy must be specified', u'retcode': 0, u'success': True, u'fun': u'x509.sign_remote_certificate'}
Minion log:
2019-02-27 15:45:45,250 [salt.state :1819][INFO ][7711] Running state [/etc/pki/tls/certs/test.crt] at time 15:45:45.250190
2019-02-27 15:45:45,250 [salt.state :1852][INFO ][7711] Executing state x509.certificate_managed for [/etc/pki/tls/certs/test.crt]
2019-02-27 15:45:45,255 [salt.loaded.int.module.publish:108 ][INFO ][7711] Publishing 'x509.sign_remote_certificate' to tcp://**.**.**.**:4506
2019-02-27 15:45:45,255 [salt.crypt :1157][DEBUG ][7711] Re-using SAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,256 [salt.crypt :199 ][DEBUG ][7711] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,256 [salt.crypt :797 ][DEBUG ][7711] Loaded minion key: /etc/salt/pki/minion/minion.pem
2019-02-27 15:45:45,260 [salt.transport.zeromq:132 ][DEBUG ][7711] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,260 [salt.crypt :463 ][DEBUG ][7711] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,261 [salt.transport.zeromq:203 ][DEBUG ][7711] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,261 [salt.transport.zeromq:1178][DEBUG ][7711] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,554 [salt.utils.lazy :104 ][DEBUG ][7565] LazyLoaded list_match.match
2019-02-27 15:45:45,555 [salt.minion :1465][INFO ][7565] User sudo_testuser Executing command saltutil.find_job with jid 20190227154545546145
2019-02-27 15:45:45,555 [salt.minion :1472][DEBUG ][7565] Command details {u'tgt_type': u'list', u'jid': u'20190227154545546145', u'tgt': [u'minion.host.name'], u'ret': u'', u'user': u'sudo_testuser', u'arg': [u'20190227154540489597'], u'fun': u'saltutil.find_job'}
2019-02-27 15:45:45,598 [salt.transport.zeromq:227 ][DEBUG ][7711] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,600 [salt.loaded.int.module.publish:108 ][INFO ][7711] Publishing 'x509.sign_remote_certificate' to tcp://**.**.**.**:4506
2019-02-27 15:45:45,600 [salt.crypt :1157][DEBUG ][7711] Re-using SAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,600 [salt.crypt :199 ][DEBUG ][7711] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,600 [salt.crypt :797 ][DEBUG ][7711] Loaded minion key: /etc/salt/pki/minion/minion.pem
2019-02-27 15:45:45,604 [salt.transport.zeromq:132 ][DEBUG ][7711] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,604 [salt.crypt :463 ][DEBUG ][7711] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,605 [salt.transport.zeromq:203 ][DEBUG ][7711] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,605 [salt.transport.zeromq:1178][DEBUG ][7711] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,589 [salt.minion :1605][INFO ][7840] Starting a new job 20190227154545546145 with PID 7840
2019-02-27 15:45:45,647 [salt.utils.lazy :107 ][DEBUG ][7840] Could not LazyLoad {0}.allow_missing_func: '{0}.allow_missing_func' is not available.
2019-02-27 15:45:45,649 [salt.utils.lazy :104 ][DEBUG ][7840] LazyLoaded saltutil.find_job
2019-02-27 15:45:45,650 [salt.minion :767 ][DEBUG ][7840] Minion return retry timer set to 7 seconds (randomized)
2019-02-27 15:45:45,650 [salt.minion :1941][INFO ][7840] Returning information for job: 20190227154545546145
2019-02-27 15:45:45,651 [salt.transport.zeromq:132 ][DEBUG ][7840] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,651 [salt.crypt :463 ][DEBUG ][7840] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,652 [salt.transport.zeromq:203 ][DEBUG ][7840] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,652 [salt.transport.zeromq:1178][DEBUG ][7840] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,662 [salt.transport.zeromq:227 ][DEBUG ][7840] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,664 [salt.minion :1783][DEBUG ][7840] minion return: {u'fun_args': [u'20190227154540489597'], u'jid': u'20190227154545546145', u'return': {'tgt_type': 'glob', 'jid': '20190227154540489597', 'tgt': 'minion.host.name', 'pid': 7711, 'ret': '', 'user': 'sudo_testuser', 'arg': [], 'fun': 'state.apply'}, u'retcode': 0, u'success': True, u'fun': u'saltutil.find_job'}
2019-02-27 15:45:45,967 [salt.transport.zeromq:227 ][DEBUG ][7711] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,969 [salt.state :1939][DEBUG ][7711] An exception occurred in this state: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
    'New': __salt__['x509.read_certificate'](certificate=certificate)}
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
    cert = _get_certificate_obj(certificate)
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
    text = get_pem_entry(text, pem_type='CERTIFICATE')
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
    raise salt.exceptions.SaltInvocationError(errmsg)
SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified
2019-02-27 15:45:45,970 [salt.state :322 ][ERROR ][7711] An exception occurred in this state: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
    'New': __salt__['x509.read_certificate'](certificate=certificate)}
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
    cert = _get_certificate_obj(certificate)
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
    text = get_pem_entry(text, pem_type='CERTIFICATE')
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
    raise salt.exceptions.SaltInvocationError(errmsg)
SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified
2019-02-27 15:45:45,970 [salt.state :1997][INFO ][7711] Completed state [/etc/pki/tls/certs/test.crt] at time 15:45:45.970347 (duration_in_ms=720.156)
Master:
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.31.0
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.5.1.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
CA:
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.31.0
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.5.1.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
Minion:
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.31.0
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.5.1.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
I'm seeing the same issue here:
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: 1.11.5
cherrypy: Not Installed
dateutil: 2.6.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.10
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.27.0
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.5.6
mysql-python: Not Installed
pycparser: 2.18
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.15rc1 (default, Nov 12 2018, 14:31:15)
python-gnupg: 0.4.1
PyYAML: 3.13
PyZMQ: 16.0.2
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.2.5
System Versions:
dist: Ubuntu 18.04 bionic
locale: UTF-8
machine: x86_64
release: 4.15.0-45-generic
system: Linux
version: Ubuntu 18.04 bionic
I'm experiencing this too; I had to revert my minions to 2018.3.3.
Any update on this? It is still blocking our ability to upgrade to the 2019.2 branch.
Same issue here. Oddly, specifying subjectAltName causes it to succeed for me.
Edit: You need to set the SAN to an RID value such as 'RID:1.2.3.4', see below.
This is a pretty big issue for us as we manage our vpn servers with it. I had to revert to 2018.3.3 to make it work again.
Unfortunately this is becoming quite the issue for us, because now that the vpn server minion is running on 2018.3.3 and the master running on 2019.2.0 it randomly kills the salt-minion and I see this in the log:
2019-03-27 07:10:12,910 [salt.utils.parsers ][WARNING ] Minion received a SIGTERM. Exiting.
I would rather not revert our 220 minions back to 2018.3.3.
Any updates on this one?
An elaboration on my workaround. It appears that setting just any subjectAltName doesn't work; a Registered ID is specifically needed.
/etc/pki/openvpn_clients/certs/{{cert_name}}.crt:
  x509.certificate_managed:
    - ca_server: {{ pki.ca_server }}
    - signing_policy: openvpn-client
    - public_key: /etc/pki/openvpn_clients/keys/{{ cert_name }}.key
    - CN: {{ cert_name }}
    - subjectAltName: 'RID:1.2.3.4' # <-- this is the magic sauce
    - backup: True
    - managed_private_key:
        name: /etc/pki/openvpn_clients/keys/{{ cert_name }}.key
        bits: 4096
        backup: True
I don't know _why_ it makes it work, but I noticed this after my SearchGuard certs worked (which use RID 1.2.3.4.5.5 to identify them as a special class of cert), while others didn't. Providing the bogus 1.2.3.4 RID SAN allows Salt to properly manage the certs.
The RID in the SAN does seem to fix it.
Here are the args going into the sign_remote_certificate function without the SAN:
2019-03-29 21:07:51,621 [salt.loader.10.0.2.15.int.module.x509:86 ][DEBUG ][660] Calling: sign_remote_certificate {u"u'public_key_passphrase'": u'None', u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----'", u"u'signing_policy'": u"u'www'", u"u'CN'": u"u'www.example.com'"}, __pub_user=u'root', __pub_arg=[{u"u'public_key_passphrase'": u'None', u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----'", u"u'signing_policy'": u"u'www'", u"u'CN'": u"u'www.example.com'"}], __pub_id=u'nginx', __pub_fun=u'x509.sign_remote_certificate', __pub_jid=u'20190329210751512546', __pub_tgt=u'master', __pub_tgt_type=u'glob', __pub_ret=u''
2019-03-29 21:07:51,622 [salt.loader.10.0.2.15.int.module.x509:88 ][DEBUG ][660] 'sign_remote_certificate'Returned: u'signing_policy must be specified'
and with:
2019-03-29 21:08:17,720 [salt.loader.10.0.2.15.int.module.x509:86 ][DEBUG ][820] Calling: sign_remote_certificate u"{u'signing_policy': u'www', u'public_key': u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----', u'CN': u'www.example.com', u'subjectAltName': u'RID:1.2.3.4', u'public_key_passphrase': None, 'testrun': True}", __pub_user=u'root', __pub_arg=[u"{u'signing_policy': u'www', u'public_key': u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----', u'CN': u'www.example.com', u'subjectAltName': u'RID:1.2.3.4', u'public_key_passphrase': None, 'testrun': True}"], __pub_id=u'nginx', __pub_fun=u'x509.sign_remote_certificate', __pub_jid=u'20190329210817425304', __pub_tgt=u'master', __pub_tgt_type=u'glob', __pub_ret=u''
2019-03-29 21:08:17,732 [salt.utils.lazy :104 ][DEBUG ][820] LazyLoaded pillar.get
2019-03-29 21:08:17,734 [salt.utils.lazy :104 ][DEBUG ][820] LazyLoaded match.glob
2019-03-29 21:08:17,736 [salt.utils.lazy :104 ][DEBUG ][820] LazyLoaded glob_match.match
2019-03-29 21:08:17,755 [salt.loader.10.0.2.15.int.module.x509:88 ][DEBUG ][820] 'sign_remote_certificate'Returned: {u'Issuer Public Key': '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxliiI1+gYXYiiJsvxbC\nuB4o/80EbAiXtJ/ONNgFJdV+xtVOZgT+8c5s0aECVhNzStDWAGvk7tMRJDgOdAAh\nCePV8YRwu5p+ptmTI7eTnFeMvt/tg3KWF8DHNTQENe46EeYq7WqkpPiDWR9SjXk6\nhgFjDeyH0gOJ820qkOFpc0gos4Yc/c7KRSx7u7l9yr/vc9HTgnUVjzZyVcDOJHa3\nIORpdp8AEksi5cbYvkBqLnic75NcWeGhIoNQWE7r1TpV0slh49dlIWRMt+mVNS6P\n04ykia60jyo21qbwZPezCrBb+m28ebwae6BCiBvxiixRzphRYOnJ7Ni7gMue+Ovc\nHwIDAQAB\n-----END PUBLIC KEY-----\n', u'MD5 Finger Print': u'D6:5D:39:66:BA:E3:8E:6C:FE:72:E6:9B:A7:5F:C9:54', u'Version': 3, u'Key Size': 2048, u'Not After': '2020-03-28 21:08:17', u'X509v3 Extensions': OrderedDict([('basicConstraints', u'critical CA:FALSE'), ('keyUsage', u'critical Key Encipherment'), ('subjectKeyIdentifier', '9F:91:51:55:F4:95:06:FE:95:54:A6:9A:BC:E0:6E:05:17:E0:24:24'), ('authorityKeyIdentifier', 'keyid:B0:AE:4B:77:70:98:F1:ED:CF:4A:25:74:70:03:3A:AD:C5:E0:8B:A5\nDirName:/C=US/ST=Utah/L=South Jordan/O=WTW/CN=master.localdomain\nserial:A9:65:7B:C1:FD:1F:46:CE\n'), ('subjectAltName', 'Registered ID:1.2.3.4')]), u'Subject Hash': u'B6:0B:1E:C4', u'SHA1 Finger Print': u'67:97:CE:75:77:2F:1B:CE:6E:51:12:85:6E:53:1B:55:9A:E9:EA:91', u'SHA-256 Finger Print': u'4F:87:DC:87:EB:B1:AC:C6:4B:27:37:45:57:FE:97:46:05:96:7B:E3:D0:4D:48:FD:2C:60:92:78:3E:13:A6:0B', u'Serial Number': u'AE:A0:7D:6A:3F:66:70:D1', u'Public Key': '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/ml\nxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQ\nOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpB\nml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVW\nVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmali\nv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W\n7QIDAQAB\n-----END PUBLIC KEY-----\n', u'Issuer Hash': u'AB:45:A5:7A', u'Subject': {'C': 'US', 'SP': 'Utah', 'CN': 'www.example.com', 'L': 'Salt Lake City'}, u'Not Before': '2019-03-29 21:08:17', u'Issuer': {'C': 'US', 'SP': 'Utah', 'organizationName': 'WTW', 'CN': 'master.localdomain', 'L': 'South Jordan'}}
It seems to cause the double quoting and double unicode tagging to go away on the passed-in argdict.
When will this fix be available on the SaltStack Latest Release Channel for the RHEL/CentOS 7 repository?
I see the error message itself written to the requested cert file:
test_crt:
  x509.certificate_managed:
    - name: /etc/pki/test.crt
    - ca_server: ca
    - signing_policy: ca_policy
    - public_key: /etc/pki/test.key
    - CN: example.com
    - days_remaining: 30
    - backup: True
cat /etc/pki/test.crt then shows signing_policy must be specified in the cert file. Surely this isn't intended behaviour?
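As an added example (not code from this thread, from the linked PR, or from Salt itself), the following Python shows the two symptoms the comments above describe and a defensive check for each: the CA-side argument dict arriving with every key and value wrapped in an extra Python 2 repr() layer (u'CN' instead of CN), which is why the lookup for signing_policy fails, and the CA's plain error string being accepted and written into the .crt file. The sample dicts, the placeholder PEM, and the helpers normalize_kwargs and validate_signed_certificate are all constructed here for illustration; they are not Salt's fix.

```python
import base64
import binascii
import re

# Constructed sample input (not copied from the thread): the argument dict as it
# shows up in the CA-side debug log when the call fails. Every key and value
# carries a second repr() layer, so the real key "signing_policy" is absent.
BROKEN_KWARGS = {
    "u'public_key_passphrase'": "None",
    "u'public_key'": "u'-----BEGIN PUBLIC KEY-----CONSTRUCTED-----END PUBLIC KEY-----'",
    "u'signing_policy'": "u'www'",
    "u'CN'": "u'www.example.com'",
}
# Constructed sample of the same call as it arrives when it succeeds.
GOOD_KWARGS = {
    "signing_policy": "www",
    "CN": "www.example.com",
    "subjectAltName": "RID:1.2.3.4",
    "public_key_passphrase": None,
}

# Matches a string that is itself the repr() of a Python 2 string: u'...' or '...'
_WRAPPED = re.compile(r"^u?'(.*)'$", re.DOTALL)


def _unwrap(value):
    """Undo one layer of repr() wrapping: u'x' -> 'x', 'None' -> None."""
    if not isinstance(value, str):
        return value
    if value == "None":
        return None
    match = _WRAPPED.match(value)
    return match.group(1) if match else value


def is_repr_wrapped(kwargs):
    """True when any key carries the u'...' wrapping seen in the failing log."""
    return any(isinstance(k, str) and _WRAPPED.match(k) for k in kwargs)


def normalize_kwargs(kwargs):
    """Return a copy of kwargs with repr-wrapped keys and values unwrapped.

    Hypothetical helper: clean dicts pass through unchanged, so applying it
    unconditionally is safe.
    """
    return {_unwrap(k): _unwrap(v) for k, v in kwargs.items()}


def lookup_signing_policy(kwargs):
    """Reproduce the lookup behind 'signing_policy must be specified'.

    On the raw BROKEN_KWARGS the key 'signing_policy' does not exist, which is
    the error the CA returned; normalising first makes it resolvable.
    """
    policy = normalize_kwargs(kwargs).get("signing_policy")
    if not policy:
        raise ValueError("signing_policy must be specified")
    return policy


_PEM_CERT = re.compile(
    r"^-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----$"
)

# Constructed placeholder: PEM armour around a 5-byte DER SEQUENCE, enough to
# exercise the structural check below. It is not a real certificate.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"


def validate_signed_certificate(returned):
    """Check a sign_remote_certificate return value before writing it to disk.

    Returns (ok, reason). The thread shows the CA handing back the plain string
    'signing_policy must be specified' with success=True and the state writing
    it into the .crt file; this rejects anything that is not one PEM CERTIFICATE
    entry whose body decodes to a DER SEQUENCE (first byte 0x30).
    """
    if not isinstance(returned, str):
        return False, "return value is a %s, not a PEM string" % type(returned).__name__
    match = _PEM_CERT.match(returned.strip())
    if not match:
        return False, "CA did not return a PEM certificate: %r" % returned.strip()[:80]
    body = re.sub(r"\s+", "", match.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "PEM body is not valid base64"
    if not der or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE"
    return True, "ok"
```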
@Ch3LL The PR is closed, is this fixed now?
Yep, looks like it's merged. It will be included in the upcoming 2019.2.1 release. Does anyone want to try the fix in https://github.com/saltstack/salt/pull/52381 before I close?
FWIW - I monkey patched the diff of x509.py in the PR and it resolved the issue.
Thanks @campbellmc, I'll go ahead and close :)