salt: x509 certificate_managed can't handle managed_private_key
Description of Issue/Question
The x509.certificate_managed state doesn’t work when it’s configured to handle it’s own private key as explained in the docs or shown in the example and it’s not existing yet
Setup
# self signed cert
/etc/nginx/certs/localhost.cert.pem:
x509.certificate_managed:
- signing_private_key: /etc/nginx/private/localhost.key.pem
- CN: localhost
- days_valid: 365
- days_remaining: 90
- managed_private_key:
name: /etc/nginx/private/localhost.key.pem
bits: 2048
- require:
- pkg: python-m2crypto
Steps to Reproduce Issue
- configure state as shown above
- make sure key file doesn’t exist, but path is writable
- and apply state.
ID: /etc/nginx/certs/localhost.cert.pem
Function: x509.certificate_managed
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/salt/state.py", line 1745, in call
**cdata['kwargs'])
File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1702, in wrapper
return f(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/salt/states/x509.py", line 473, in certificate_managed
new = __salt__['x509.create_certificate'](testrun=True, **kwargs)
File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 1484, in create_certificate
passphrase=kwargs['signing_private_key_passphrase'])
File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 679, in get_public_key
text = get_pem_entry(text)
File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 472, in get_pem_entry
raise salt.exceptions.SaltInvocationError(errmsg)
SaltInvocationError: PEM text not valid:
/etc/nginx/private/localhost.key.pem
Started: 16:29:53.585609
Duration: 99.44 ms
Changes:
Versions Report
Salt Version:
Salt: 2016.11.2
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.9.5
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.24.0
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.13 (default, Dec 21 2016, 07:16:46)
python-gnupg: Not Installed
PyYAML: 3.12
PyZMQ: 16.0.2
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.4.2
ZMQ: 4.2.0
System Versions:
dist:
machine: x86_64
release: 4.7.4-1-ARCH
system: Linux
version: Not Installed
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Reactions: 2
- Comments: 21 (9 by maintainers)
Commits related to this issue
- Rewrite x509.certificate_managed to be easier to use The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True... — committed to glynnforrest/salt by glynnforrest 5 years ago
- Rewrite x509.certificate_managed to be easier to use The function now displays clearer error messages when a problem occurs and informative messages when comparing an existing certificate. test=True... — committed to glynnforrest/salt by glynnforrest 5 years ago
- Explicitly remove support for managed_private_key It doesn't work and hasn't for a long time, see https://github.com/saltstack/salt/issues/39608#issuecomment-342346894. Throwing a SaltInvocationError... — committed to glynnforrest/salt by glynnforrest 4 years ago
I you want to bypass this error, make the key in another config and include it the in cert ca. So the example in the doc would become :
I can confirm that this is still a bug in v2017.7.2
The workaround works fine though. Maybe removing the
managed_private_keyoption might be the easiest path forward seeing as though it has be broken for so long (at least v2016.11.2).