
x509.sign_remote_certificate not working after upgrade to 2019.2.0 #51869

Closed
eimantaszd opened this issue Feb 27, 2019 · 15 comments

Comments

@eimantaszd

commented Feb 27, 2019

Description of Issue/Question

x509.sign_remote_certificate not working after upgrade to 2019.2.0

Setup

ca server minion config /etc/salt/minion.d/signing_policies.conf:

x509_signing_policies:
    ca_policy:
        - minions: '*'
        - signing_private_key: /path/to/key/file
        - signing_cert: /path/to/cert/file
        - O: Test Company
        - basicConstraints: "CA:false"
        - keyUsage: "critical digitalSignature, keyEncipherment"
        - extendedKeyUsage: "critical serverAuth, clientAuth"
        - subjectKeyIdentifier: hash
        - authorityKeyIdentifier: keyid
        - days_valid: 730
        - copypath: /path/to/certs/dir/

Managed certificate state:

{% from "test/map.jinja" import test with context %}
test_crt:
    x509.certificate_managed:
        - name: {{ test.crt }}
        - ca_server: {{ test.ca_server }}
        - signing_policy: ca_policy
        - public_key: {{ test.key }}
        - CN: {{ grains['id'] }}
        - days_remaining: 30
        - backup: True

test/map.jinja:

{% import_yaml "test/defaults.yaml" as default_settings %}
{% set test = salt['pillar.get'](
  'test',
  default=default_settings.test,
  merge=True)
%}

test/defaults.yaml:

test:
    key: /etc/pki/tls/private/test.key
    crt: /etc/pki/tls/certs/test.crt
    ca_server: 127.0.0.1

pillar of minion:

test:
    ca_server: ca.server.hostname

Steps to Reproduce Issue

Execute on master:

salt 'minion' state.apply

Getting errors:

          ID: test_crt
    Function: x509.certificate_managed
        Name: /etc/pki/tls/certs/test.crt
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
                  'New': __salt__['x509.read_certificate'](certificate=certificate)}
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
                  cert = _get_certificate_obj(certificate)
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
                  text = get_pem_entry(text, pem_type='CERTIFICATE')
                File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
                  raise salt.exceptions.SaltInvocationError(errmsg)
              SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
              signing_policy must be specified
     Started: 15:45:45.250191
    Duration: 720.156 ms
     Changes:

Master log:

2019-02-27 15:45:45,267 [salt.transport.zeromq:132 ][DEBUG   ][27686] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'salt.host.local_master', u'tcp://**.**.**.**:4506', u'clear')
2019-02-27 15:45:45,267 [salt.transport.zeromq:203 ][DEBUG   ][27686] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,267 [salt.transport.zeromq:1178][DEBUG   ][27686] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,271 [salt.utils.event :742 ][DEBUG   ][27687] Sending event: tag = 20190227154545270710; data = {u'_stamp': '2019-02-27T13:45:45.271095', u'minions': [u'ca.host.name']}
2019-02-27 15:45:45,271 [salt.utils.event :742 ][DEBUG   ][27687] Sending event: tag = salt/job/20190227154545270710/new; data = {u'tgt_type': 'glob', u'jid': u'20190227154545270710', u'user': 'root', u'tgt': 'ca.host.name', u'arg': [{"u'CN'": "u'minion.host.name'", "u'signing_policy'": "u'ca_policy'", "u'public_key'": "u'-----BEGIN PUBLIC KEY-----******************************-----END PUBLIC KEY-----'", 'testrun': True, "u'public_key_passphrase'": 'None'}], u'fun': 'x509.sign_remote_certificate', u'missing': [], u'_stamp': '2019-02-27T13:45:45.271621', u'minions': [u'ca.host.name']}
2019-02-27 15:45:45,272 [salt.loaded.int.returner.local_cache:249 ][DEBUG   ][27687] Adding minions for job 20190227154545270710: [u'ca.host.name']
2019-02-27 15:45:45,272 [salt.master      :2345][INFO    ][27687] User root Published command x509.sign_remote_certificate with jid 20190227154545270710
2019-02-27 15:45:45,272 [salt.master      :2353][DEBUG   ][27687] Published command details {u'tgt_type': 'glob', u'jid': u'20190227154545270710', u'tgt': 'ca.host.name', u'ret': '', u'user': 'root', u'arg': [{"u'CN'": "u'minion.host.name'", "u'signing_policy'": "u'ca_policy'", "u'public_key'": "u'-----BEGIN PUBLIC KEY-----*****************************-----END PUBLIC KEY-----'", 'testrun': True, "u'public_key_passphrase'": 'None'}], u'fun': 'x509.sign_remote_certificate', u'id': 'minion.host.name'}
2019-02-27 15:45:45,272 [salt.transport.zeromq:1012][DEBUG   ][27687] Signing data packet
2019-02-27 15:45:45,273 [salt.crypt       :199 ][DEBUG   ][27687] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,273 [salt.crypt       :224 ][DEBUG   ][27687] salt.crypt.sign_message: Signing message.
2019-02-27 15:45:45,274 [salt.transport.zeromq:1034][DEBUG   ][27687] Sending payload to publish daemon. jid=20190227154545270710 size=1092
2019-02-27 15:45:45,274 [salt.transport.zeromq:1039][DEBUG   ][27687] Sent payload to publish daemon.
2019-02-27 15:45:45,280 [salt.transport.zeromq:895 ][DEBUG   ][27667] Publish daemon received payload. size=1092
2019-02-27 15:45:45,281 [salt.transport.zeromq:893 ][DEBUG   ][27667] Publish daemon getting data from puller ipc:///var/run/salt/master/publish_pull.ipc
2019-02-27 15:45:45,281 [salt.transport.zeromq:227 ][DEBUG   ][27686] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,284 [salt.crypt       :207 ][DEBUG   ][27675] salt.crypt.get_rsa_pub_key: Loading public key
2019-02-27 15:45:45,319 [salt.utils.job   :68  ][INFO    ][27674] Got return from ca.host.name for job 20190227154545270710
2019-02-27 15:45:45,319 [salt.utils.event :742 ][DEBUG   ][27674] Sending event: tag = salt/job/20190227154545270710/ret/ca.host.name; data = {'fun_args': [{'testrun': True, "u'public_key'": "u'-----BEGIN PUBLIC KEY-----***********************************-----END PUBLIC KEY-----'", "u'signing_policy'": "u'ca_policy'", "u'public_key_passphrase'": 'None', "u'CN'": "u'minion.host.name'"}], 'jid': '20190227154545270710', 'return': 'signing_policy must be specified', 'retcode': 0, 'success': True, 'cmd': '_return', u'_stamp': '2019-02-27T13:45:45.319394', 'fun': 'x509.sign_remote_certificate', 'id': 'ca.host.name'}

CA log:

2019-02-27 15:45:45,282 [salt.minion      :1465][INFO    ][6880] User root Executing command x509.sign_remote_certificate with jid 20190227154545270710
2019-02-27 15:45:45,283 [salt.minion      :1472][DEBUG   ][6880] Command details {u'tgt_type': u'glob', u'jid': u'20190227154545270710', u'tgt': u'ca.host.name', u'ret': u'', u'user': u'root', u'arg': [{u"u'CN'": u"u'minion.host.name'", u"u'signing_policy'": u"u'ca_policy'", u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----**********************-----END PUBLIC KEY-----'", u'testrun': True, u"u'public_key_passphrase'": u'None'}], u'fun': u'x509.sign_remote_certificate', u'id': u'minion.host.name'}
2019-02-27 15:45:45,299 [salt.minion      :1605][INFO    ][25562] Starting a new job 20190227154545270710 with PID 25562
2019-02-27 15:45:45,303 [salt.utils.lazy  :107 ][DEBUG   ][25562] Could not LazyLoad {0}.allow_missing_func: '{0}.allow_missing_func' is not available.
2019-02-27 15:45:45,307 [salt.utils.lazy  :104 ][DEBUG   ][25562] LazyLoaded x509.sign_remote_certificate
2019-02-27 15:45:45,308 [salt.minion      :767 ][DEBUG   ][25562] Minion return retry timer set to 7 seconds (randomized)
2019-02-27 15:45:45,308 [salt.minion      :1941][INFO    ][25562] Returning information for job: 20190227154545270710
2019-02-27 15:45:45,308 [salt.transport.zeromq:132 ][DEBUG   ][25562] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'ca.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,310 [salt.crypt       :463 ][DEBUG   ][25562] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'ca.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,311 [salt.transport.zeromq:203 ][DEBUG   ][25562] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,311 [salt.transport.zeromq:1178][DEBUG   ][25562] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,321 [salt.transport.zeromq:227 ][DEBUG   ][25562] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,322 [salt.minion      :1783][DEBUG   ][25562] minion return: {u'fun_args': [{u"u'CN'": u"u'minion.host.name'", u"u'signing_policy'": u"u'ca_policy'", u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----**********************-----END PUBLIC KEY-----'", u'testrun': True, u"u'public_key_passphrase'": u'None'}], u'jid': u'20190227154545270710', u'return': u'signing_policy must be specified', u'retcode': 0, u'success': True, u'fun': u'x509.sign_remote_certificate'}

Minion log:

2019-02-27 15:45:45,250 [salt.state       :1819][INFO    ][7711] Running state [/etc/pki/tls/certs/test.crt] at time 15:45:45.250190
2019-02-27 15:45:45,250 [salt.state       :1852][INFO    ][7711] Executing state x509.certificate_managed for [/etc/pki/tls/certs/test.crt]
2019-02-27 15:45:45,255 [salt.loaded.int.module.publish:108 ][INFO    ][7711] Publishing 'x509.sign_remote_certificate' to tcp://**.**.**.**:4506
2019-02-27 15:45:45,255 [salt.crypt       :1157][DEBUG   ][7711] Re-using SAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,256 [salt.crypt       :199 ][DEBUG   ][7711] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,256 [salt.crypt       :797 ][DEBUG   ][7711] Loaded minion key: /etc/salt/pki/minion/minion.pem
2019-02-27 15:45:45,260 [salt.transport.zeromq:132 ][DEBUG   ][7711] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,260 [salt.crypt       :463 ][DEBUG   ][7711] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,261 [salt.transport.zeromq:203 ][DEBUG   ][7711] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,261 [salt.transport.zeromq:1178][DEBUG   ][7711] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,554 [salt.utils.lazy  :104 ][DEBUG   ][7565] LazyLoaded list_match.match
2019-02-27 15:45:45,555 [salt.minion      :1465][INFO    ][7565] User sudo_testuser Executing command saltutil.find_job with jid 20190227154545546145
2019-02-27 15:45:45,555 [salt.minion      :1472][DEBUG   ][7565] Command details {u'tgt_type': u'list', u'jid': u'20190227154545546145', u'tgt': [u'minion.host.name'], u'ret': u'', u'user': u'sudo_testuser', u'arg': [u'20190227154540489597'], u'fun': u'saltutil.find_job'}
2019-02-27 15:45:45,598 [salt.transport.zeromq:227 ][DEBUG   ][7711] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,600 [salt.loaded.int.module.publish:108 ][INFO    ][7711] Publishing 'x509.sign_remote_certificate' to tcp://**.**.**.**:4506
2019-02-27 15:45:45,600 [salt.crypt       :1157][DEBUG   ][7711] Re-using SAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,600 [salt.crypt       :199 ][DEBUG   ][7711] salt.crypt.get_rsa_key: Loading private key
2019-02-27 15:45:45,600 [salt.crypt       :797 ][DEBUG   ][7711] Loaded minion key: /etc/salt/pki/minion/minion.pem
2019-02-27 15:45:45,604 [salt.transport.zeromq:132 ][DEBUG   ][7711] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,604 [salt.crypt       :463 ][DEBUG   ][7711] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,605 [salt.transport.zeromq:203 ][DEBUG   ][7711] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,605 [salt.transport.zeromq:1178][DEBUG   ][7711] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,589 [salt.minion      :1605][INFO    ][7840] Starting a new job 20190227154545546145 with PID 7840
2019-02-27 15:45:45,647 [salt.utils.lazy  :107 ][DEBUG   ][7840] Could not LazyLoad {0}.allow_missing_func: '{0}.allow_missing_func' is not available.
2019-02-27 15:45:45,649 [salt.utils.lazy  :104 ][DEBUG   ][7840] LazyLoaded saltutil.find_job
2019-02-27 15:45:45,650 [salt.minion      :767 ][DEBUG   ][7840] Minion return retry timer set to 7 seconds (randomized)
2019-02-27 15:45:45,650 [salt.minion      :1941][INFO    ][7840] Returning information for job: 20190227154545546145
2019-02-27 15:45:45,651 [salt.transport.zeromq:132 ][DEBUG   ][7840] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506', u'aes')
2019-02-27 15:45:45,651 [salt.crypt       :463 ][DEBUG   ][7840] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'minion.host.name', u'tcp://**.**.**.**:4506')
2019-02-27 15:45:45,652 [salt.transport.zeromq:203 ][DEBUG   ][7840] Connecting the Minion to the Master URI (for the return server): tcp://**.**.**.**:4506
2019-02-27 15:45:45,652 [salt.transport.zeromq:1178][DEBUG   ][7840] Trying to connect to: tcp://**.**.**.**:4506
2019-02-27 15:45:45,662 [salt.transport.zeromq:227 ][DEBUG   ][7840] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,664 [salt.minion      :1783][DEBUG   ][7840] minion return: {u'fun_args': [u'20190227154540489597'], u'jid': u'20190227154545546145', u'return': {'tgt_type': 'glob', 'jid': '20190227154540489597', 'tgt': 'minion.host.name', 'pid': 7711, 'ret': '', 'user': 'sudo_testuser', 'arg': [], 'fun': 'state.apply'}, u'retcode': 0, u'success': True, u'fun': u'saltutil.find_job'}
2019-02-27 15:45:45,967 [salt.transport.zeromq:227 ][DEBUG   ][7711] Closing AsyncZeroMQReqChannel instance
2019-02-27 15:45:45,969 [salt.state       :1939][DEBUG   ][7711] An exception occurred in this state: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
    'New': __salt__['x509.read_certificate'](certificate=certificate)}
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
    cert = _get_certificate_obj(certificate)
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
    text = get_pem_entry(text, pem_type='CERTIFICATE')
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
    raise salt.exceptions.SaltInvocationError(errmsg)
SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified
2019-02-27 15:45:45,970 [salt.state       :322 ][ERROR   ][7711] An exception occurred in this state: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1939, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 576, in certificate_managed
    'New': __salt__['x509.read_certificate'](certificate=certificate)}
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 557, in read_certificate
    cert = _get_certificate_obj(certificate)
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 371, in _get_certificate_obj
    text = get_pem_entry(text, pem_type='CERTIFICATE')
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 493, in get_pem_entry
    raise salt.exceptions.SaltInvocationError(errmsg)
SaltInvocationError: PEM does not contain a single entry of type CERTIFICATE:
signing_policy must be specified

2019-02-27 15:45:45,970 [salt.state       :1997][INFO    ][7711] Completed state [/etc/pki/tls/certs/test.crt] at time 15:45:45.970347 (duration_in_ms=720.156)

Versions Report

Master:

Salt Version:
           Salt: 2019.2.0

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.31.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.6.1810 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-957.5.1.el7.x86_64
         system: Linux
        version: CentOS Linux 7.6.1810 Core

CA:

    Salt Version:
               Salt: 2019.2.0

    Dependency Versions:
               cffi: Not Installed
           cherrypy: Not Installed
           dateutil: Not Installed
          docker-py: Not Installed
              gitdb: Not Installed
          gitpython: Not Installed
              ioflo: Not Installed
             Jinja2: 2.7.2
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: 0.31.0
               Mako: Not Installed
       msgpack-pure: Not Installed
     msgpack-python: 0.4.6
       mysql-python: Not Installed
          pycparser: Not Installed
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: Not Installed
             Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
       python-gnupg: Not Installed
             PyYAML: 3.11
              PyZMQ: 15.3.0
               RAET: Not Installed
              smmap: Not Installed
            timelib: Not Installed
            Tornado: 4.2.1
                ZMQ: 4.1.4

    System Versions:
               dist: centos 7.6.1810 Core
             locale: UTF-8
            machine: x86_64
            release: 3.10.0-957.5.1.el7.x86_64
             system: Linux
            version: CentOS Linux 7.6.1810 Core

Minion:

    Salt Version:
               Salt: 2019.2.0

    Dependency Versions:
               cffi: Not Installed
           cherrypy: Not Installed
           dateutil: Not Installed
          docker-py: Not Installed
              gitdb: Not Installed
          gitpython: Not Installed
              ioflo: Not Installed
             Jinja2: 2.7.2
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: 0.31.0
               Mako: Not Installed
       msgpack-pure: Not Installed
     msgpack-python: 0.4.6
       mysql-python: Not Installed
          pycparser: Not Installed
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: Not Installed
             Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
       python-gnupg: Not Installed
             PyYAML: 3.11
              PyZMQ: 15.3.0
               RAET: Not Installed
              smmap: Not Installed
            timelib: Not Installed
            Tornado: 4.2.1
                ZMQ: 4.1.4

    System Versions:
               dist: centos 7.6.1810 Core
             locale: UTF-8
            machine: x86_64
            release: 3.10.0-957.5.1.el7.x86_64
             system: Linux
            version: CentOS Linux 7.6.1810 Core
@robinsmidsrod

Contributor

commented Feb 27, 2019

I'm seeing the same issue here:

Salt Version:
           Salt: 2019.2.0

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.27.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.15rc1 (default, Nov 12 2018, 14:31:15)
   python-gnupg: 0.4.1
         PyYAML: 3.13
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist: Ubuntu 18.04 bionic
         locale: UTF-8
        machine: x86_64
        release: 4.15.0-45-generic
         system: Linux
        version: Ubuntu 18.04 bionic

@ndobbs


commented Mar 1, 2019

I'm experiencing this too, I had to revert my minions to 2018.3.3.

@robinsmidsrod

Contributor

commented Mar 11, 2019

Any update on this? It is still blocking our ability to upgrade to the 2019.2 branch.

@cheald

Contributor

commented Mar 13, 2019

Same issue here. Oddly, specifying subjectAltName causes it to succeed for me.

Edit: You need to set the SAN to an RID value such as 'RID:1.2.3.4', see below.

@KChandrashekhar KChandrashekhar added this to In Progress in Salt Core Workspace Mar 18, 2019
@KChandrashekhar KChandrashekhar added this to In progress in Salt Open Workspace Mar 18, 2019
@anitakrueger

Contributor

commented Mar 20, 2019

This is a pretty big issue for us as we manage our VPN servers with it. I had to revert to 2018.3.3 to make it work again.

@anitakrueger

Contributor

commented Mar 27, 2019

Unfortunately this is becoming quite the issue for us, because now that the VPN server minion is running on 2018.3.3 and the master is running on 2019.2.0, it randomly kills the salt-minion and I see this in the log:

2019-03-27 07:10:12,910 [salt.utils.parsers                                    ][WARNING ] Minion received a SIGTERM. Exiting.

I would rather not revert our 220 minions back to 2018.3.3.

@TOoSmOotH


commented Mar 29, 2019

Any updates on this one?

@cheald

Contributor

commented Mar 29, 2019

An elaboration on my workaround. It appears that setting just any subjectAltName doesn't work, a Registered ID is specifically needed.

/etc/pki/openvpn_clients/certs/{{cert_name}}.crt:
  x509.certificate_managed:
    - ca_server: {{ pki.ca_server }}
    - signing_policy: openvpn-client
    - public_key: /etc/pki/openvpn_clients/keys/{{ cert_name }}.key
    - CN: {{ cert_name }}
    - subjectAltName: 'RID:1.2.3.4'   # <-- this is the magic sauce
    - backup: True
    - managed_private_key:
        name: /etc/pki/openvpn_clients/keys/{{ cert_name }}.key
        bits: 4096
        backup: True

I don't know why it makes it work, but I noticed this after my SearchGuard certs worked (which use RID 1.2.3.4.5.5 to identify them as a special class of cert), while others didn't. Providing the bogus 1.2.3.4 RID SAN allows Salt to properly manage the certs.

@i-m-wisch


commented Mar 29, 2019

The RID in the SAN does seem to fix it.

Here are the args going into the sign_remote_certificate function without the SAN:

2019-03-29 21:07:51,621 [salt.loader.10.0.2.15.int.module.x509:86  ][DEBUG   ][660] Calling: sign_remote_certificate {u"u'public_key_passphrase'": u'None', u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----'", u"u'signing_policy'": u"u'www'", u"u'CN'": u"u'www.example.com'"}, __pub_user=u'root', __pub_arg=[{u"u'public_key_passphrase'": u'None', u"u'public_key'": u"u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----'", u"u'signing_policy'": u"u'www'", u"u'CN'": u"u'www.example.com'"}], __pub_id=u'nginx', __pub_fun=u'x509.sign_remote_certificate', __pub_jid=u'20190329210751512546', __pub_tgt=u'master', __pub_tgt_type=u'glob', __pub_ret=u''
2019-03-29 21:07:51,622 [salt.loader.10.0.2.15.int.module.x509:88  ][DEBUG   ][660] 'sign_remote_certificate'Returned: u'signing_policy must be specified'

and with:

2019-03-29 21:08:17,720 [salt.loader.10.0.2.15.int.module.x509:86  ][DEBUG   ][820] Calling: sign_remote_certificate u"{u'signing_policy': u'www', u'public_key': u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----', u'CN': u'www.example.com', u'subjectAltName': u'RID:1.2.3.4', u'public_key_passphrase': None, 'testrun': True}", __pub_user=u'root', __pub_arg=[u"{u'signing_policy': u'www', u'public_key': u'-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/mlxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpBml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVWVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmaliv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W7QIDAQAB-----END PUBLIC KEY-----', u'CN': u'www.example.com', u'subjectAltName': u'RID:1.2.3.4', u'public_key_passphrase': None, 'testrun': True}"], __pub_id=u'nginx', __pub_fun=u'x509.sign_remote_certificate', __pub_jid=u'20190329210817425304', __pub_tgt=u'master', __pub_tgt_type=u'glob', __pub_ret=u''
2019-03-29 21:08:17,732 [salt.utils.lazy  :104 ][DEBUG   ][820] LazyLoaded pillar.get
2019-03-29 21:08:17,734 [salt.utils.lazy  :104 ][DEBUG   ][820] LazyLoaded match.glob
2019-03-29 21:08:17,736 [salt.utils.lazy  :104 ][DEBUG   ][820] LazyLoaded glob_match.match
2019-03-29 21:08:17,755 [salt.loader.10.0.2.15.int.module.x509:88  ][DEBUG   ][820] 'sign_remote_certificate'Returned: {u'Issuer Public Key': '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxliiI1+gYXYiiJsvxbC\nuB4o/80EbAiXtJ/ONNgFJdV+xtVOZgT+8c5s0aECVhNzStDWAGvk7tMRJDgOdAAh\nCePV8YRwu5p+ptmTI7eTnFeMvt/tg3KWF8DHNTQENe46EeYq7WqkpPiDWR9SjXk6\nhgFjDeyH0gOJ820qkOFpc0gos4Yc/c7KRSx7u7l9yr/vc9HTgnUVjzZyVcDOJHa3\nIORpdp8AEksi5cbYvkBqLnic75NcWeGhIoNQWE7r1TpV0slh49dlIWRMt+mVNS6P\n04ykia60jyo21qbwZPezCrBb+m28ebwae6BCiBvxiixRzphRYOnJ7Ni7gMue+Ovc\nHwIDAQAB\n-----END PUBLIC KEY-----\n', u'MD5 Finger Print': u'D6:5D:39:66:BA:E3:8E:6C:FE:72:E6:9B:A7:5F:C9:54', u'Version': 3, u'Key Size': 2048, u'Not After': '2020-03-28 21:08:17', u'X509v3 Extensions': OrderedDict([('basicConstraints', u'critical CA:FALSE'), ('keyUsage', u'critical Key Encipherment'), ('subjectKeyIdentifier', '9F:91:51:55:F4:95:06:FE:95:54:A6:9A:BC:E0:6E:05:17:E0:24:24'), ('authorityKeyIdentifier', 'keyid:B0:AE:4B:77:70:98:F1:ED:CF:4A:25:74:70:03:3A:AD:C5:E0:8B:A5\nDirName:/C=US/ST=Utah/L=South Jordan/O=WTW/CN=master.localdomain\nserial:A9:65:7B:C1:FD:1F:46:CE\n'), ('subjectAltName', 'Registered ID:1.2.3.4')]), u'Subject Hash': u'B6:0B:1E:C4', u'SHA1 Finger Print': u'67:97:CE:75:77:2F:1B:CE:6E:51:12:85:6E:53:1B:55:9A:E9:EA:91', u'SHA-256 Finger Print': u'4F:87:DC:87:EB:B1:AC:C6:4B:27:37:45:57:FE:97:46:05:96:7B:E3:D0:4D:48:FD:2C:60:92:78:3E:13:A6:0B', u'Serial Number': u'AE:A0:7D:6A:3F:66:70:D1', u'Public Key': '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxd8W3bEePakr5/3Ot/ml\nxtQUSk8hGShxJ3FGEDaCMoI3aVlnRJ3tN2myA6skrASgkERNT/eWZwIILvSRUsFQ\nOQhBUmYwH1Nsf7j6SR9OVxoh+/ORbj6lcyJkG7TF+GNXoZthjudYjj00CKX20KpB\nml3XdXBl+0MwuXTwQI+6rB97+QPYSFdkC7K6U5HX0GnuzIOwrfkhNSus2liMHdVW\nVgv0gkIu0ayZEQoZTw1Jl20LuGb3JOVfGKNjK6cQqtemI8r13FDGgQKAwkuKmali\nv3LSCyVLMe/oDETLxC6sHL0yMdParHwPiWDPkCnQrWaQ4sBxhbhZ71gE5zR+570W\n7QIDAQAB\n-----END PUBLIC KEY-----\n', u'Issuer Hash': 
u'AB:45:A5:7A', u'Subject': {'C': 'US', 'SP': 'Utah', 'CN': 'www.example.com', 'L': 'Salt Lake City'}, u'Not Before': '2019-03-29 21:08:17', u'Issuer': {'C': 'US', 'SP': 'Utah', 'organizationName': 'WTW', 'CN': 'master.localdomain', 'L': 'South Jordan'}}

It seems to cause the double quoting & double unicode tagging to go away on the passed-in argdict.

dwoz added a commit to dwoz/salt that referenced this issue Apr 2, 2019
@KChandrashekhar KChandrashekhar modified the milestones: March 29th, Priority Apr 5, 2019
garethgreenaway added a commit that referenced this issue Apr 5, 2019
Fix issue #51869 and add cert signing test
@eimantaszd

Author

commented Apr 12, 2019

When will this fix be available in the SaltStack Latest Release Channel repository for RHEL/CentOS 7?

@glynnforrest

Contributor

commented Apr 30, 2019

I see the error message itself written to the requested cert file:

test_crt:
    x509.certificate_managed:
        - name: /etc/pki/test.crt
        - ca_server: ca
        - signing_policy: ca_policy
        - public_key: /etc/pki/test.key
        - CN: example.com
        - days_remaining: 30
        - backup: True

cat /etc/pki/test.crt then shows "signing_policy must be specified" in the cert file. Surely this isn't intended behaviour?
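
Both observations above, the double-wrapped argdict in the log i-m-wisch posted and the error string glynnforrest found inside the .crt file, as an added Python example that is not SaltStack's code: it detects and unwraps keys like "u'signing_policy'" exactly as the CA log shows them, and refuses to write anything to the certificate path that is not a single PEM CERTIFICATE block. The argdict is reconstructed from the CA log in this issue with the public key shortened, and resolve_policy is a model of the lookup, not Salt's own function.

```python
"""Added example (not SaltStack code): defensive checks around a remote
certificate-signing call, modelling two things this thread shows.
1. The argdict reaching sign_remote_certificate carried keys such as
   "u'signing_policy'" (the repr() of a unicode string), so the policy lookup
   found nothing and the CA returned 'signing_policy must be specified'.
2. That text was then written into the .crt file as if it were a certificate.
"""
import ast
import re

# Constructed from the CA log in the issue; the public key is shortened and
# is not a real key.
BROKEN_ARGS = {
    "u'CN'": "u'minion.host.name'",
    "u'signing_policy'": "u'ca_policy'",
    "u'public_key'": "u'-----BEGIN PUBLIC KEY-----****-----END PUBLIC KEY-----'",
    "testrun": True,
    "u'public_key_passphrase'": "None",
}

# Trimmed from the issue's x509_signing_policies; the policy name is the issue's.
SIGNING_POLICIES = {"ca_policy": {"minions": "*", "days_valid": 730}}

# A string that is itself a quoted Python string literal, optionally u-prefixed.
_REPR_STR = re.compile(r"^u?(['\"]).*\1$", re.DOTALL)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+?\s*-----END CERTIFICATE-----"
)


def unwrap_repr(value):
    """Undo one layer of repr() on a string argument.

    "u'ca_policy'" -> 'ca_policy', "None" -> None, anything else unchanged.
    Only plain string literals are accepted, so no expression is evaluated.
    """
    if not isinstance(value, str):
        return value
    if value == "None":
        return None
    if not _REPR_STR.match(value):
        return value
    try:
        inner = ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return value
    return inner if isinstance(inner, str) else value


def find_double_wrapped(kwargs):
    """Keys that arrived repr()-wrapped; a non-empty list means the argdict is broken."""
    return sorted(k for k in kwargs if isinstance(k, str) and _REPR_STR.match(k))


def normalize_args(kwargs):
    """Return a copy of kwargs with wrapped keys and values unwrapped."""
    return {unwrap_repr(k): unwrap_repr(v) for k, v in kwargs.items()}


def resolve_policy(args, policies=SIGNING_POLICIES):
    """Model (not Salt's own code) of the lookup that produced the error text.

    Returns the policy dict, or the same error string the CA returned in the
    thread when the key is absent. An unknown policy name raises KeyError.
    """
    name = args.get("signing_policy")
    if not name:
        return "signing_policy must be specified"
    return policies[name]


def extract_certificate(signing_return):
    """Validate a signing return before it is written to the .crt path.

    Returns the single PEM CERTIFICATE block, or raises ValueError carrying
    whatever the CA actually sent back, so an error message never lands on
    disk as a 'certificate'.
    """
    if not isinstance(signing_return, str):
        raise ValueError("CA returned non-text: %r" % (signing_return,))
    blocks = _PEM_CERT.findall(signing_return)
    if len(blocks) != 1:
        raise ValueError(
            "CA did not return a single CERTIFICATE entry, got: %s"
            % signing_return.strip()[:80]
        )
    return blocks[0]


def decide_write(signing_return):
    """(True, pem) when safe to write, else (False, reason) for the state comment."""
    try:
        return True, extract_certificate(signing_return)
    except ValueError as exc:
        return False, str(exc)
```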

@KChandrashekhar


commented May 3, 2019

@Ch3LL PR is closed, is this fixed now?

@Ch3LL

Contributor

commented May 3, 2019

Yep, looks like it's merged. It will be included in the upcoming 2019.2.1 release. Does anyone want to try the fix in #52381 before I close?

@campbellmc

Contributor

commented May 3, 2019

FWIW - I monkey-patched the diff of x509.py in the PR and it resolved the issue.

@Ch3LL

Contributor

commented May 3, 2019

Thanks @campbellmc, I'll go ahead and close :)
