x509 certificate_managed can't handle managed_private_key #39608
Thanks for reporting this, I have replicated this issue. Thanks.

Confirming on 2016.11.3

Also have this issue on salt 2016.11.3 (Carbon)

We also have this issue :(
If you want to bypass this error, make the key in another config and include it in the cert ca. So the example in the doc would become:

```yaml
/etc/pki/ca.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - file: /etc/pki

/etc/pki/ca.crt:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/ca.key
    - CN: ca.example.com
    - C: US
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
    - require:
      - file: /etc/pki
      - x509: /etc/pki/ca.key
```
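The workaround above keeps the key and the certificate in two separate states, and later comments in this thread mention certificates being renewed on every run and module error text being written into the certificate file. The check below is an added example, not Salt's code or the commenter's; it assumes the `cryptography` package and reuses the CN `ca.example.com` from the workaround, and it audits a managed pair the way a post-run check would: the file really holds a PEM certificate, the certificate matches the private key on disk, and the remaining validity clears the `days_remaining` threshold.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, a form that is comparable across key objects."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def check_cert_and_key(cert_pem: bytes, key_pem: bytes, days_remaining: int = 30) -> list:
    """Return the problems found with a cert/key pair; an empty list means it is healthy."""
    # With the bug from saltstack#41858 the module's error text, not a certificate,
    # could end up in the target file, so refuse to parse anything that is not PEM.
    if b"-----BEGIN CERTIFICATE-----" not in cert_pem:
        return ["certificate file does not contain a PEM certificate"]
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    problems = []
    # The key and the cert come from two separate states, so detect drift between them.
    if _spki(cert.public_key()) != _spki(key.public_key()):
        problems.append("certificate public key does not match private key")
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # cryptography < 42 only exposes the naive UTC attribute
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    left = (not_after - datetime.datetime.now(datetime.timezone.utc)).days
    if left < days_remaining:  # mirrors the state's days_remaining renewal threshold
        problems.append(f"certificate expires in {left} days (threshold {days_remaining})")
    return problems


def make_self_signed(days: int = 365):
    """Constructed fixture: a fresh RSA key and a self-signed CA cert for it, both as PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ca.example.com")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return (cert.public_bytes(serialization.Encoding.PEM),
            key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                              serialization.NoEncryption()))
```

In practice `cert_pem` and `key_pem` are the bytes read from `/etc/pki/ca.crt` and `/etc/pki/ca.key`; the fixture only exists so the check can be exercised offline.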
This workaround worked for me. Thanks @etiennepouliot !

I can confirm that this is still a bug in v2017.7.2. The workaround works fine though. Maybe removing the

Still seeing the bug, and the workaround works. Thanks for pointing out how to do the require with x509: Etienne, I was trying to work that out when I found your report.
Hi, still present in 2018.3.2

Hi, still present in 2018.3.3, and with the fix I have another error, due to Python 3

@saltstack/team-triage ping

Yep they fixed it; I forgot to reply here, but that's why I closed #50676
Will that be released before the end of the year, or should I work around it?
Thanks,
Rick
I've also pushed another fix because today the certs are renewed at each run: #50734

Seems to still be broken in 2018.3.4.

Thanks for the update, I picked up 2019.2.0 a few days ago, was meaning to test to see if it is fixed in that release.
Rick
…On Wed, Mar 13, 2019 at 10:02 AM James Howe wrote:
> Seems to still be broken in 2018.3.4.

```
Salt Version:
           Salt: 2018.3.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.8
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: 0.26.0
        libnacl: Not Installed
       M2Crypto: 0.32.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.26.2
         Python: 3.6.7 (default, Oct 22 2018, 11:32:17)
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.3
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist: Ubuntu 18.04 bionic
         locale: ISO-8859-1
        machine: x86_64
        release: 4.15.0-46-generic
         system: Linux
        version: Ubuntu 18.04 bionic
```
The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True is now supported. It fixes the following errors:

* Certificate errors are written to the target file (saltstack#41858)
* New certificates are created every run (saltstack#52167)

The `managed_private_key` option has been removed due to the added complexity. The functionality can easily be replicated with an additional call to `x509.private_key_managed`. According to the comment at saltstack#39608 (comment) `managed_private_key` has not worked since at least v2016.11.2.
The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True is now supported. It fixes saltstack#52180, saltstack#39608, saltstack#41858 and others:

* Error messages from the x509 module calls are written directly to the certificate file - fixed, the certificate file is only created when the x509 module calls succeed.
* Certificates are created when no changes are required - fixed, the comparison logic has been updated.

The `managed_private_key` option has been removed due to the added complexity. The functionality can easily be replicated with an additional call to `x509.private_key_managed`. According to the comment at saltstack#39608 (comment) `managed_private_key` has not worked since at least v2016.11.2.
It doesn't work and hasn't for a long time, see saltstack#39608 (comment). Throwing a SaltInvocationError with a clear path to resolve the issue is more useful.
@sagetherage this can be closed now: As Designed
Description of Issue/Question

The x509.certificate_managed state doesn't work when it's configured to handle its own private key, as explained in the docs or shown in the example, and that key does not exist yet.