Puppetserver CA API race-condition(?) about puppetserver HOT 3 CLOSED

Example when executed on the CA server itself:

curl --tlsv1 \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  --cert /etc/puppetlabs/puppet/ssl/certs/puppet.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/puppet.pem  \
  -k https://localhost:8140/puppet-ca/v1/certificate_status/client.domain.tld
Internal Server Error: java.io.FileNotFoundException: /etc/puppetlabs/puppetserver/ca/requests/client.domain.tld.pem (No such file or directory)

The system in question has had a certificate previously but no longer does. Neither a certificate or a certificate request file exists for the system on the CA. For other non-existing nodes it correctly returns Resource not found. if the resource does not exist.

One workaround seems to be having the node connect to the CA and hence generating a new CSR file. However, revoking PUT /puppet-ca/v1/certificate_status/client.domain.tld and cleaning it DELETE /puppet-ca/v1/certificate_status/client.domain.tld causes the problem to show itself again. Same thing happens regardless if a certificate or a CSR is going through this process.

As mentioned earlier this only happens sometimes and after it has started to happen it is persistent for that particular subject DN.

The CA is also much slower to process CSRs -> Cert (as also mentioned in linked issue).

from puppetserver.

Thanks for your report. The issue is a simple logic problem that I will resolve shortly.

from puppetserver.

@jonathannewman @justinstoller Hi, when will there be a release which includes this fix? Thanks.

from puppetserver.