Puppet: System Administration Automated

Ticket #1271 (closed defect: fixed)

Opened 6 months ago

Last modified 6 months ago

misleading error message if CA private key can not be decrypted

Reported by: unki Assigned to: community
Priority: normal Milestone:
Component: Debian Version:
Severity: normal Keywords:
Cc: Triage Stage: Ready for checkin
Attached Patches: Code Complexity: Unknown

Description

We are setting up puppet to use a subordinate CA within our PKI but spent hours figuring out that ruby's OpenSSL is quite dainty if the ca.pass file contains a line termination (usually added by many editors like vi, even if you remove a following empty line).

The error message is a bit misleading as we thought there is something wrong within the PKI hierarchy (nested...).

/usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb:382:in `initialize': Neither PUB key nor PRIV key:: nested asn1 error (OpenSSL::PKey::RSAError)

So it would be good if any problem of OpenSSL::PKey::RSA.new() in sign_with_key() (ca.rb) gets caught and raises a meaningful error message.

Attachments

0001-catch-problems-of-OpenSSL-PKey-RSA.new.patch (1.3 kB) - added by unki on 05/30/08 06:33:14.

Change History

05/30/08 06:33:14 changed by unki

  • attachment 0001-catch-problems-of-OpenSSL-PKey-RSA.new.patch added.

05/30/08 06:39:37 changed by jamtur01

  • status changed from new to closed.
  • resolution set to fixed.
  • stage changed from Unreviewed to Ready for checkin.

Pushed to stable in commit [cf3b98e14ce015b60338d963ba62d28af4e4755e] in stable 0.24.x

05/31/08 03:38:34 changed by jamtur01

  • status changed from closed to reopened.
  • resolution deleted.

05/31/08 03:39:05 changed by jamtur01

Davids has pointed out that:

"Wouldn't that rescue also catch "file not found" exceptions? In that case the error message would be quite misleading."

Thoughts?

05/31/08 04:11:05 changed by luke

Yes, although for the record, the SSL errors on 'file not found' are usually equally useless.

I would change the message to say something like "Could not decrypt CA key with password: %s" % detail. This way you're at least providing a bit better info, but you're allowing the user to decipher if possible.

05/31/08 04:33:06 changed by jamtur01

  • status changed from reopened to closed.
  • resolution set to fixed.

Okay - updated the patch with this and pushed to 0.24.x stable in commit [dbd9b40c6537c261f01976238ef9ccfd6a6d6d08].
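The following Ruby script is an added illustration of the two points in this ticket, not code from the attached patch or from Puppet itself: it reproduces the failure the reporter describes (a ca.pass file with a trailing line terminator handed verbatim to OpenSSL::PKey::RSA.new) and wraps the raw OpenSSL::PKey::RSAError in the message luke suggested, keeping the original detail so a decryption failure can still be told apart from a malformed or missing file. The CAKeyError class, the helper names and the fixture (a freshly generated key encrypted with a constructed passphrase) are assumptions made for this example.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical error class standing in for whatever Puppet::Error the
# real patch raises; it exists only so this example is self-contained.
class CAKeyError < StandardError; end

# Read the CA passphrase file and drop only the trailing line terminator
# that editors such as vi append, so the bytes handed to OpenSSL are the
# passphrase itself and nothing more.
def read_passphrase(path)
  File.read(path).sub(/\r?\n\z/, '')
end

# Load an encrypted RSA private key. A raw OpenSSL failure ("Neither PUB
# key nor PRIV key:: nested asn1 error") is re-raised with the wording
# suggested in the ticket; the original detail is appended so the user can
# still decipher what OpenSSL actually complained about.
def load_ca_key(pem, passphrase)
  OpenSSL::PKey::RSA.new(pem, passphrase)
rescue OpenSSL::PKey::RSAError => detail
  raise CAKeyError, "Could not decrypt CA key with password: %s" % detail
end

# Constructed fixture: a fresh key encrypted with a known passphrase, plus a
# passphrase file written with the trailing newline that caused the report.
# The Tempfile object is returned (not just its path) so it stays alive.
def build_fixture(passphrase = "s3cret")
  key = OpenSSL::PKey::RSA.new(2048)
  pem = key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
  pass_file = Tempfile.new('ca.pass')
  pass_file.write(passphrase + "\n")
  pass_file.close
  [pem, pass_file]
end

# Compare both behaviours: the raw file contents fail with a wrapped,
# readable error, while the stripped passphrase loads the key.
def demo
  pem, pass_file = build_fixture
  raw = File.read(pass_file.path)  # "s3cret\n": exactly what the bug report hit
  result = {}
  begin
    load_ca_key(pem, raw)
    result[:raw_loaded] = true
  rescue CAKeyError => e
    result[:raw_loaded] = false
    result[:raw_message] = e.message
  end
  result[:stripped_loaded] = load_ca_key(pem, read_passphrase(pass_file.path)).private?
  result
end

if __FILE__ == $0
  r = demo
  puts r[:raw_message]
  puts "stripped passphrase loads key: #{r[:stripped_loaded]}"
end
```

Note that rescuing OpenSSL::PKey::RSAError only covers failures inside RSA.new; a missing key file raises Errno::ENOENT from the read that precedes it, which is why the wrapped message above names the password explicitly instead of claiming the file is absent.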