Skip to content

Prevents spurious clientcert warnings in serverless mode #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Prevents spurious clientcert warnings in serverless mode #22

wants to merge 2 commits into from

Conversation

@binford2k
Copy link
Contributor

@binford2k binford2k commented Mar 4, 2025

When there are no clientcerts, Puppet will warn when it creates an
SSLContext for HTTPS operations. This situation occurs when you run
entirely serverless and never generate clientcerts. It's spurious in
that case, so we don't actually need to warn about it.

This behaviour was added in 3f7f830
so that the new HTTP client could download files via HTTPS from the
puppetserver (for example, the way that pe_repo) works.

To prevent this being a failure when running puppet apply in
serverless mode, it explicitly marks the clientcerts as optional in
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98
and
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103

This goes one step further and sets the output to INFO rather than WARN
when running puppet apply.

This does have one small edge case. If,

  1. You intend to run a standard server/agent setup, and
  2. Before ever running puppet agent -t you run puppet apply for
    provisioning purposes, and
  3. Part of that Puppet run attempts to download a file from the
    puppetserver

Then you will get a certificate validation error and the HTTPS request
will fail silently with only an INFO message as a hint explaining why.

To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.

Fixes #21

@binford2k binford2k marked this pull request as draft March 4, 2025 04:39
anthonyryan1
anthonyryan1 reviewed Mar 4, 2025
View reviewed changes
@ffrank
Copy link
Contributor

ffrank commented May 17, 2025

Seems fine, 3f7f830 even mentions that a missing client cert is supposed to be ignored.

How silently does a request fail in the described edge case? The resource should fail indicating a 4xx code from the server, no?

nmburgan added a commit that referenced this pull request Sep 5, 2025
@nmburgan
Merge pull request #22 from ekohl/provide-srpm
a5d0ab6 
Generate source artifacts
@binford2k
Copy link
Contributor Author

binford2k commented Oct 7, 2025

@ffrank yes, the connection itself will fail and any code paths that depend on it will fail. Those are often swallowed up by some exception handling. What I meant was that the message describing what actually went wrong would only be logged as INFO instead of an error.

@binford2k binford2k marked this pull request as ready for review November 12, 2025 23:15
@binford2k
Copy link
Contributor Author

binford2k commented Nov 12, 2025

I just realized that I left this as draft

@bastelfreak
Copy link
Contributor

bastelfreak commented Nov 13, 2025

@binford2k can you please give this a rebase?

@binford2k
Prevents spurious clientcert warnings in serverless mode
73ef8a0 
When there are no clientcerts, Puppet will warn when it creates an
`SSLContext` for HTTPS operations. This situation occurs when you run
entirely serverless and never generate clientcerts. It's spurious in
that case, so we don't actually need to warn about it.

This behaviour was added in OpenVoxProject@3f7f830
so that the new HTTP client could download files via HTTPS from the
puppetserver (for example, the way that pe_repo) works.

To prevent this being a failure when running `puppet apply` in
serverless mode, it explicitly marks the clientcerts as optional in
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L98
and
https://github.com/OpenVoxProject/puppet/blob/06bc441333c640678c9adb26412c6cb923af7f6b/lib/puppet/ssl/ssl_provider.rb#L103

This goes one step further and sets the output to `INFO` rather than `WARN`
when running `puppet apply`.

This does have one small edge case. If,

1. You intend to run a standard server/agent setup, and
2. Before ever running `puppet agent -t` you run `puppet apply` for
   provisioning purposes, and
3. Part of that Puppet run attempts to download a file from the
   puppetserver

Then you will get a certificate validation error and the HTTPS request
will fail silently with only an `INFO` message as a hint explaining why.

To fix it, you obviously just generate and sign the clientcerts.

I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.

Fixes OpenVoxProject#21
@binford2k
fix typo
2e3f33c
@binford2k binford2k force-pushed the ticket/21/missing_client_certs branch from 05d4d34 to 2e3f33c Compare November 13, 2025 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@anthonyryan1 anthonyryan1 anthonyryan1 left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: puppet apply warns about missing client certificates

4 participants

@binford2k @ffrank @bastelfreak @anthonyryan1