
Race condition with ca clean #120

@defnull

Description


Describe the Bug

We managed to accidentally delete an un-revoked certificate, because puppetserver ca clean is not atomic. As a result, we ended up with a valid certificate that can no longer be revoked and is not listed by puppetserver ca list.

How it probably happened (according to a user report and backed by logs):

  • A call to puppetserver ca clean should revoke and delete a certificate. The revoke-call succeeded, but for some unknown reason the delete-call was delayed for a full 51 seconds. I have no idea why or how or where it got stuck, but it happened.
  • While this delete-call was still pending, the user got impatient, called puppetserver ca clean again (successful this time), re-ran ssl-bootstrap on the host, called puppetserver ca sign and moved on.
  • Now the delete-call from the first puppetserver ca clean invocation came through and deleted the newly signed certificate without revoking it first.

Expected Behavior

A puppetserver ca clean call should not delete certificates it did not revoke. It should probably use the /puppet-ca/v1/clean API instead of issuing separate revoke and delete calls, as suggested by the API docs.
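To make the race concrete, here is an added simulation that is not part of this issue or of puppetserver: a constructed in-memory cert store, a clean routine that revokes and then deletes by name (the two-step behaviour described above), and a variant that refuses to delete a certificate whose serial it did not revoke. All names (CertStore, clean_nonatomic, clean_safe, reproduce) are hypothetical, and the thread sleep stands in for the stalled delete call.

```python
import threading
import time

class CertStore:  # constructed stand-in for the CA's cert dir + CRL; not Puppet's own code
    def __init__(self):
        self.certs = {}             # hostname -> serial of the cert currently stored
        self.crl = set()            # revoked serials
        self.lock = threading.Lock()
        self.next_serial = 1
    def sign(self, host):
        with self.lock:
            self.certs[host] = self.next_serial
            self.next_serial += 1
            return self.certs[host]
    def revoke(self, host):
        with self.lock:
            serial = self.certs[host]
            self.crl.add(serial)
            return serial
    def delete_by_name(self, host):             # removes whatever is stored under the name
        with self.lock:
            return self.certs.pop(host, None)
    def delete_if_serial(self, host, serial):   # removes only the cert that was revoked
        with self.lock:
            return self.certs.pop(host) if self.certs.get(host) == serial else None

def clean_nonatomic(store, host, delay, log):
    """Revoke, stall, then delete by name: the two-step behaviour the report describes."""
    store.revoke(host)
    time.sleep(delay)                           # stands in for the 51-second stall
    log.append(store.delete_by_name(host))

def clean_safe(store, host, delay, log):
    """Revoke, stall, then delete only if the stored cert is still the one revoked."""
    serial = store.revoke(host)
    time.sleep(delay)
    log.append(store.delete_if_serial(host, serial))

def reproduce(clean):
    """Replay the reported sequence; returns (orphaned?, sorted CRL, serial now stored)."""
    store, log = CertStore(), []
    store.sign("node1")                                            # serial 1
    stalled = threading.Thread(target=clean, args=(store, "node1", 0.3, log))
    stalled.start()                                                # revokes 1, then stalls
    time.sleep(0.05)
    clean(store, "node1", 0, log)                                  # impatient second clean
    new_serial = store.sign("node1")                               # re-bootstrap + sign: 2
    stalled.join()                                                 # stalled delete lands
    orphaned = "node1" not in store.certs and new_serial not in store.crl
    return orphaned, sorted(store.crl), store.certs.get("node1")
```

With the non-atomic clean the replay ends with serial 2 deleted but absent from the CRL (the orphaned state from the report); the serial-checked variant leaves serial 2 in place.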

Labels: bug