[BUG] acme.cert fails with OpenSSL error only when using salt tls module #59179
Labels
Bug
broken, incorrect, or confusing behavior
severity-medium
3rd level, incorrect or bad functionality, confusing and lacks a work around
Milestone
Comments
frogunder
added
severity-medium
|
In OpenBSD 6.8 I have the same problem but with the default endpoint When I implement the "Fix" (setting to "if False") then a new error pops up: It worked in 6.6, then I updated to 6.8 and it broke |
|
I have to apply that "if False"-fix. The date-issue is something else. To get it working on OpenBSD 6.8 I have to change it to this: #if "tls.cert_info" in __salt__:
if False:
expiry = __salt__["tls.cert_info"](cert_file).get("not_after", 0)
## Cobble it together using the openssl binary
else:
openssl_cmd = "openssl x509 -in {0} -noout -enddate".format(cert_file)
# No %e format on my Linux'es here
#strptime_sux_cmd = 'date --date="$({0} | cut -d= -f2)" +%s'.format(openssl_cmd)
strptime_sux_cmd = '{0} | cut -d= -f2'.format(openssl_cmd)
expiry = __salt__['cmd.shell'](strptime_sux_cmd, output_loglevel='quiet')
#expiry = float(__salt__["cmd.shell"](strptime_sux_cmd, output_loglevel="quiet"))
# expiry = datetime.datetime.strptime(expiry.split('=', 1)[-1], '%b %e %H:%M:%S %Y %Z')
return datetime.datetime.strptime(expiry, '%b %d %H:%M:%S %Y %Z')
#return datetime.datetime.fromtimestamp(expiry) |
|
@nielsek just FYI, a cleaner workaround that I'm using is to set disable_modules:
- tlsin minion config via salt-formula. Although it seems that you are having issues with more than just the tls module. |
|
@nielsk -^ |
|
Thanks. I will do a pull request for the date problem. |
|
Any fixes for this Problem? I am running into the same issue... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
When obtaining certificates using
acme.certwith my internal acme server, I receive a traceback. I am using https://github.com/smallstep/certificates to run this acme server. Certificates obtained for the normal letsencrypt servers work just fine.Setup
{{ pillar['letsencrypt']['domain'] }}: acme.cert: - email: {{ pillar['letsencrypt']['email'] }} preferred_challenges: {{ pillar['letsencrypt']['authenticator'] }} {% if pillar['letsencrypt']['domain'].endswith('<internal dns name>') %} server: https://<internal ca url> {% endif %} - require: - pkg: certbot - file: /etc/letsencrypt/cli.iniSteps to Reproduce the behavior
acme.certacme.certworks perfectly when I force the acme module to use openssl by settingsalt/salt/modules/acme.py
Line 87 in 214ae8a
to
if False:Expected behavior
acme.cert should obtain a certificate successfully as using the cli works fine.
Versions Report
salt --versions-report
``` Salt Version: Salt: 3002.2Dependency Versions:
cffi: 1.11.5
cherrypy: Not Installed
dateutil: 2.6.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.10.1
libgit2: 0.26.8
M2Crypto: 0.35.2
Mako: Not Installed
msgpack: 0.6.2
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: 2.14
pycrypto: Not Installed
pycryptodome: Not Installed
pygit2: 0.26.4
Python: 3.6.8 (default, Aug 24 2020, 17:57:11)
python-gnupg: Not Installed
PyYAML: 3.12
PyZMQ: 19.0.0
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.3
System Versions:
dist: centos 8
locale: UTF-8
machine: x86_64
release: 5.4.78-2-pve
system: Linux
version: CentOS Linux 8
The text was updated successfully, but these errors were encountered: