
new installs only : puppet error on trustedca fact #51

Closed
fschaer opened this issue Mar 29, 2019 · 7 comments · Fixed by #54

Comments

@fschaer

fschaer commented Mar 29, 2019

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.12
  • Ruby: shipped with puppet
  • Distribution: CentOS7
  • Module version: 3.0.0

How to reproduce (e.g Puppet code you use)

just run puppet or facter

What are you seeing

Puppet fact error :

```
Info: Retrieving locales
Info: Loading facts
Error: Facter: error while resolving custom fact "trustedca": nested asn1 error
Info: Caching catalog for (...)

facter -p trustedca
2019-03-29 14:54:14.323688 ERROR puppetlabs.facter - error while resolving custom fact "trustedca": nested asn1 error
```

What behaviour did you expect instead

No facter error. And in fact a way to drop this useless fact if possible.

Output log

Any additional information you'd like to impart

This is not happening on hosts with the same OS, same puppet version, but not freshly installed. No idea why. But if hosts get reinstalled (or just CAs ?), the error appears.

@b4ldr
Member

b4ldr commented Mar 29, 2019

can you provide debug output?

@traylenator
Contributor

It's a good point that this fact probably is useless, we certainly do not use it.

@fschaer
Author

fschaer commented Mar 29, 2019

Mmmh... it actually helped to try to debug this manually - facter or puppet were not giving much details even in debug mode:

```
irb(main):006:0> require 'openssl'
=> true
irb(main):027:0> Dir.glob('/etc/grid-security/certificates/*.pem') do |pem|
irb(main):028:1*   begin
irb(main):029:2*     cert = OpenSSL::X509::Certificate.new(File.read(pem))
irb(main):030:2>   rescue
irb(main):031:2>     puts "error while processing %s ..." % pem
irb(main):032:2>   end
irb(main):033:1>   subject = cert.subject.to_a
irb(main):034:1>   rfc = subject.map { |x, y, _z| "#{x}=#{y}" }.reverse.join(',')
irb(main):035:1> end
error while processing /etc/grid-security/certificates/ARC-TestCA-6a8cca22-key.pem ...
NoMethodError: undefined method `subject' for nil:NilClass
	from (irb):33:in `block in irb_binding'
	from (irb):27:in `glob'
	from (irb):27
	from /usr/bin/irb:12:in `<main>'
```

(this is on an ARC6 CE)
The file contains what looks like an RSA private key... but at least, the begin/rescue block could handle the error I'm facing :]

@traylenator
Contributor

Hi @fschaer
Could you post me this file: /etc/grid-security/certificates/ARC-TestCA-6a8cca22-key.pem
I don't seem to have it.

@fschaer
Author

fschaer commented Oct 11, 2019

Hi,

Here it is. Found it on my ARC6 (dev) node, not on my ARC5 prod one (which should be migrated to ARC6...)

ARC-TestCA-6a8cca22-key.pem.gz

@traylenator
Contributor

Hi @fschaer

```
openssl rsa -in ARC-TestCA-6a8cca22-key.pem  --noout --modulus
Modulus=<hex modulus omitted>
```

The file is an RSA private key. I don't think such a .pem file should be in the
/etc/grid-security/certificates directory?

But indeed skipping over it is possible. This key should be revoked.
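The skip-over approach discussed in this thread, as an added example that is not the module's own fact code: it globs the *.pem files of a directory, rescues the OpenSSL::X509::CertificateError that a stray private-key file raises (the "nested asn1 error" from the first comment), and returns the CA subjects alongside the names of the skipped files so they can be reported rather than silently ignored. The sample directory, its self-signed CA and the stray key file are constructed in a temp dir; the names used are assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# Return [subjects, skipped] for every *.pem in dir: subjects are RFC 2253-style
# strings for files that parse as X.509 certificates, skipped lists files that
# do not (private keys, CRLs, garbage) instead of letting the fact blow up.
def trusted_cas(dir)
  subjects = []
  skipped = []
  Dir.glob(File.join(dir, '*.pem')).sort.each do |pem|
    begin
      cert = OpenSSL::X509::Certificate.new(File.read(pem))
    rescue OpenSSL::X509::CertificateError
      skipped << File.basename(pem) # e.g. a "-key.pem" left in the CA directory
      next                          # the original irb loop fell through to cert.subject here
    end
    subjects << cert.subject.to_a.map { |name, value, _type| "#{name}=#{value}" }.reverse.join(',')
  end
  [subjects, skipped]
end

# Constructed sample: one self-signed CA certificate plus its private key
# written next to it, mimicking the broken layout reported in the issue.
def build_sample_dir(dir)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/C=CH/O=Example Grid/CN=Example Test CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, 'example-ca.pem'), cert.to_pem)
  File.write(File.join(dir, 'example-ca-key.pem'), key.to_pem) # not a certificate
end

# Run the fact logic against the constructed directory; returns [subjects, skipped].
def demo
  Dir.mktmpdir('grid-security') do |dir|
    build_sample_dir(dir)
    trusted_cas(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  subjects, skipped = demo
  puts "trustedcas: #{subjects.inspect}"
  puts "skipped (not certificates): #{skipped.inspect}"
end
```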

@fschaer
Author

fschaer commented Oct 11, 2019 via email

traylenator added a commit to traylenator/puppet-fetchcrl that referenced this issue Oct 11, 2019
When /etc/grid-security/certificate/*.pem files are encountered
which cannot be parsed as x509 public keys they will now
be skipped over by the trustedcas facts

Unit tests are also added for the trustedcas fact.

Fixes: voxpupuli#51