mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-07-17 14:26:44 +02:00
The *.ssl x509.certificate_managed states hard-failed the state run when the CA/manager minion was unreachable (ca_server did not respond), and the paired private_key_managed states then failed on the prereq requisite. The - timeout: 30 on these states was a no-op (Salt has no per-state timeout requisite; only retry accepts until/attempts/interval/splay). Add an onlyif CA-reachability gate to every certificate_managed state so the state is skipped as a clean success when the CA does not answer a peer test.ping within 3s and the cert already exists. When the cert is missing (initial provisioning) the state still runs so the existing retry waits for the CA. The reachability command is centralized as CA.reachable_cmd in ca/map.jinja, and the master peer config now permits test.ping. The no-op - timeout: 30 is removed from all cert states.