validate_cmd failing when file resource is absent #76

@ashleygould

Description

I get an execution error when running trusted_ca::java resource for the first time on a node. This resource attempts to create an intermediate file containing the contents of my source CA certificate. The file resource which manages the intermediate file uses the following validate_cmd:

'/usr/bin/openssl x509 -in %s -noout'

This errors if the file resource does not already exist, and the file does not get created at all.

Affected Puppet, Ruby, OS and module versions/distributions

We run a masterless puppet environment. I.e. nodes run puppet apply from crontab.

  • Puppet:
      ~> puppet --version
      7.19.0
      ~> rpm -q puppet-agent
      puppet-agent-7.19.0-1.fc34.x86_64
  • Ruby:
      ~> /opt/puppetlabs/puppet/bin/ruby --version
      ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a) [x86_64-linux]
  • Distribution:
      ~> cat /etc/system-release
      Amazon Linux release 2023.6.20241212 (Amazon Linux)
  • Module version: 5.1.0

How to reproduce (e.g Puppet code you use)

        # Install self-signed CA cert into default java trust store.
        trusted_ca::java { "UC3-Self-Signed-CA":
            source        => $ca_cert,
            java_keystore => $default_java_keystore,
        }

What are you seeing

Execution error. The openssl validate command errors because the file resource does not yet exist.

What behaviour did you expect instead

The intermediate file /tmp/${name}-trustedca should be created.

Output log

Running puppet apply on host xxxxxxxx.  Wed Jan 15 12:22:06 PM PST 2025

Running all modules in manifest file /home/agould/my_puppet_workspace/environments/uc3-modules/manifests/test_all.pp
Info: Loading facts
Notice: Compiled catalog for uc3-mrtldap-stg01.cdlib.org in environment production in 2.06 seconds
Info: Using environment 'production'
Info: Applying configuration version '1736972532'
Error: Execution of '/usr/bin/openssl x509 -in /tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs -noout' returned 1: Could not open file or uri for loading certificate from /tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs
009EC8E9017F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
009EC8E9017F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs)
Unable to load certificate
Error: /Stage[main]/Uc3_ssl_selfsign/Uc3_ssl_selfsign::Config[default]/Trusted_ca::Java[UC3-Self-Signed-CA]/File[/tmp/UC3-Self-Signed-CA-trustedca]/ensure: change from 'absent' to 'file' failed: Execution of '/usr/bin/openssl x509 -in /tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs -noout' returned 1: Could not open file or uri for loading certificate from /tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs
009EC8E9017F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
009EC8E9017F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/tmp/UC3-Self-Signed-CA-trustedca20250115-877134-1ebxk3fs)
Unable to load certificate
Notice: /Stage[main]/Uc3_ssl_selfsign/Uc3_ssl_selfsign::Config[default]/Trusted_ca::Java[UC3-Self-Signed-CA]/Exec[import /tmp/UC3-Self-Signed-CA-trustedca to jks /etc/pki/ca-trust/extracted/java/cacerts]: Dependency File[/tmp/UC3-Self-Signed-CA-trustedca] has failures: true
Warning: /Stage[main]/Uc3_ssl_selfsign/Uc3_ssl_selfsign::Config[default]/Trusted_ca::Java[UC3-Self-Signed-CA]/Exec[import /tmp/UC3-Self-Signed-CA-trustedca to jks /etc/pki/ca-trust/extracted/java/cacerts]: Skipping because of failed dependencies
Notice: Applied catalog in 2.38 seconds

Any additional information you'd like to impart

I wonder if my error only happens when running puppet apply. I have no reasonable way to validate this.
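The mechanism behind the failure above can be exercised without a Puppet run. The following is an added example, not Puppet's or the trusted_ca module's own code: it models the documented validate_cmd flow of a Puppet file resource (content is written to a scratch file created beside the target and named after it, `%s` in validate_cmd is replaced by that scratch path, and the target is installed only when the command exits 0). `OPENSSL_X509_CHECK` is the module's validate_cmd quoted in the issue; `pem_header_check_cmd`, `write_validated_file`, `demo` and the `SAMPLE_PEM` stub are assumptions constructed for this example so it runs on a host without openssl.

```python
"""Model of how a Puppet file resource applies validate_cmd (added example)."""
import os
import shlex
import subprocess
import sys
import tempfile

# validate_cmd used by the trusted_ca module, as quoted in the issue.
OPENSSL_X509_CHECK = "/usr/bin/openssl x509 -in %s -noout"

# Constructed stand-in for a PEM certificate: it carries the PEM header only,
# so it satisfies pem_header_check_cmd() but is NOT a real certificate and
# would be rejected by OPENSSL_X509_CHECK.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"


class ValidationError(RuntimeError):
    """Raised when validate_cmd exits non-zero; mirrors Puppet's resource failure."""


def pem_header_check_cmd():
    """Substitute validator (assumption) for hosts without openssl: a Python
    one-liner that exits 0 only if the file starts with a PEM certificate header."""
    code = ("import sys; d = open(sys.argv[1]).read(); "
            "sys.exit(0 if d.startswith('-----BEGIN CERTIFICATE-----') else 1)")
    return f"{shlex.quote(sys.executable)} -c {shlex.quote(code)} %s"


def write_validated_file(path, content, validate_cmd):
    """Install `content` at `path` only if `validate_cmd` accepts it.

    Like Puppet, the scratch file lives in the target's directory and is
    prefixed with the target's basename, so the path handed to the command
    looks like /tmp/UC3-Self-Signed-CA-trustedca<random>.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=os.path.basename(path), dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        # %s is substituted per argument, so the scratch path is never re-parsed.
        argv = [tmp_path if a == "%s" else a for a in shlex.split(validate_cmd)]
        proc = subprocess.run(argv, capture_output=True, text=True)
        if proc.returncode != 0:
            raise ValidationError(
                f"Execution of '{' '.join(argv)}' returned {proc.returncode}: "
                f"{proc.stderr.strip()}")
        os.replace(tmp_path, path)  # atomic install on success only
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # failed validation leaves no scratch file behind
    return path


def demo(validate_cmd=None):
    """Run the flow in a scratch directory and report what a Puppet run would show."""
    validate_cmd = validate_cmd or pem_header_check_cmd()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "UC3-Self-Signed-CA-trustedca")
        write_validated_file(good, SAMPLE_PEM, validate_cmd)
        results["good_installed"] = os.path.isfile(good)

        bad = os.path.join(d, "bad-trustedca")
        try:
            write_validated_file(bad, "not a certificate\n", validate_cmd)
            results["bad_error"] = None
        except ValidationError as err:
            results["bad_error"] = str(err)
        # The target is absent after a failed validation, as in the issue.
        results["bad_installed"] = os.path.exists(bad)
        results["leftover_temp"] = [n for n in os.listdir(d) if n.startswith("bad-trustedca")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Passing `OPENSSL_X509_CHECK` and a real PEM certificate to `write_validated_file` runs the module's actual command; the useful diagnostic is whether the process running the command can `stat` the scratch path it is given, since the openssl error in the log is a missing-file error for that path rather than a certificate parsing error.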
