Skip to content

Conversation

@binford2k
Copy link
Contributor

When there are no clientcerts, Puppet will warn when it creates an
SSLContext for HTTPS operations. This situation occurs when you run
entirely serverless and never generate clientcerts. It's spurious in
that case, so we don't actually need to warn about it.

This behaviour was added in 3f7f830
so that the new HTTP client could download files via HTTPS from the
puppetserver (for example, the way that pe_repo) works.

To prevent this being a failure when running puppet apply in
serverless mode, it explicitly marks the clientcerts as optional in
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98
and
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103

This goes one step further and sets the output to INFO rather than WARN
when running puppet apply.

This does have one small edge case. If,

  1. You intend to run a standard server/agent setup, and
  2. Before ever running puppet agent -t you run puppet apply for
    provisioning purposes, and
  3. Part of that Puppet run attempts to download a file from the
    puppetserver

Then you will get a certificate validation error and the HTTPS request
will fail silently with only an INFO message as a hint explaining why.

To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.

Fixes #21

When there are no clientcerts, Puppet will warn when it creates an
`SSLContext` for HTTPS operations. This situation occurs when you run
entirely serverless and never generate clientcerts. It's spurious in
that case, so we don't actually need to warn about it.

This behaviour was added in OpenVoxProject@3f7f830
so that the new HTTP client could download files via HTTPS from the
puppetserver (for example, the way that pe_repo) works.

To prevent this being a failure when running `puppet apply` in
serverless mode, it explicitly marks the clientcerts as optional in
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98
and
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103

This goes one step further and sets the output to `INFO` rather than `WARN`
when running `puppet apply`.

This does have one small edge case. If,

1. You intend to run a standard server/agent setup, and
2. Before ever running `puppet agent -t` you run `puppet apply` for
   provisioning purposes, and
3. Part of that Puppet run attempts to download a file from the
   puppetserver

Then you will get a certificate validation error and the HTTPS request
will fail silently with only an `INFO` message as a hint explaining why.

To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.

Fixes OpenVoxProject#21
@binford2k binford2k marked this pull request as draft March 4, 2025 04:39
@ffrank
Copy link
Contributor

ffrank commented May 17, 2025

Seems fine, 3f7f830 even mentions that a missing client cert is supposed to be ignored.

How silently does a request fail in the described edge case? The resource should fail indicating a 4xx code from the server, no?

nmburgan added a commit that referenced this pull request Sep 5, 2025
@binford2k
Copy link
Contributor Author

@ffrank yes, the connection itself will fail and any code paths that depend on it will fail. Those are often swallowed up by some exception handling. What I meant was that the message describing what actually went wrong would only be logged as INFO instead of an error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: puppet apply warns about missing client certificates

3 participants