Describe the Bug
When attempting to revoke a certificate that has previously been deleted, but is still present in the inventory, but has also since expired, the Puppetserver CA throws a FileNotFoundException.
Expected Behavior
Like in other cases where revoke is called for an already revoked or nonexistent certificate, it fails cleanly and returns a 404 to the API.
Steps to Reproduce
Steps to reproduce the behavior:
1. Create and revoke a certificate with a very short lifetime
    puppetserver ca generate --certname manually-deleted.test.invalid --ttl 60s
    puppetserver ca clean --certname=manually-deleted.test.invalid
2. Wait for the 60s to run out if they haven't already
3. Attempt to revoke the certificate again
    $ puppetserver ca revoke --certname=manually-deleted.test.invalid
    Error:
    When attempting to revoke certificate 'manually-deleted.test.invalid', received:
    code: 500
    body: Internal Server Error: java.io.FileNotFoundException: /etc/puppetlabs/puppetserver/ca/signed/manually-deleted.test.invalid.pem (No such file or directory)
Environment
Version: 8.7.0
Platform: Debian 11
Additional Context
This appears to be because the Puppetserver CA code first attempts to find the certificate serial number in the inventory, but skips expired entries in that case, and then if it finds nothing falls through to searching the filesystem. For some reason, this error is caught cleanly when the certificate has never existed, and obviously the certificate is just revoked again if it is correctly found in the inventory. The issue only occurs when an expired entry exists in the inventory, but the file has been removed.
The Foreman plugin for Puppet always attempts to revoke and delete any previous certificates with the same hostname, which is usually a safe operation to perform on a nonexistent certificate. In this case, the exception causes the VM creation to fail.
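A check for the state this report describes, added here as an example and not Puppet Server's own code: it lists certnames whose inventory entries have all expired and whose signed PEM file is gone, the combination the report says ends in the 500. The inventory line format (serial, not-before, not-after, /certname), the sample data and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample inventory. Assumed line format:
#   <serial> <not_before> <not_after> /<certname>
SAMPLE_INVENTORY = """\
0x0002 2024-05-01T10:00:00UTC 2029-05-01T10:00:00UTC /agent01.test.invalid
0x0003 2024-05-02T10:00:00UTC 2024-05-02T10:01:00UTC /manually-deleted.test.invalid
0x0004 2024-05-02T11:00:00UTC 2024-05-02T11:01:00UTC /reissued.test.invalid
0x0005 2024-05-03T11:00:00UTC 2029-05-03T11:00:00UTC /reissued.test.invalid
0x0006 2024-05-02T12:00:00UTC 2024-05-02T12:01:00UTC /expired-on-disk.test.invalid
"""

def parse_inventory(text):
    """Map certname -> list of not_after datetimes (UTC), one per inventory line."""
    entries = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].startswith("/"):
            continue  # skip blank lines and lines that do not have the four fields
        not_after = datetime.strptime(fields[2][:19], "%Y-%m-%dT%H:%M:%S")
        entries[fields[3][1:]].append(not_after.replace(tzinfo=timezone.utc))
    return entries

def find_affected(inventory_text, signed_certnames, now):
    """Certnames whose inventory entries are all expired and whose signed PEM is gone."""
    affected = []
    for certname, expiries in parse_inventory(inventory_text).items():
        # One unexpired entry is enough for the inventory lookup to succeed,
        # so only certnames with every entry expired reach the filesystem search.
        all_expired = all(not_after <= now for not_after in expiries)
        if all_expired and certname not in signed_certnames:
            affected.append(certname)
    return sorted(affected)

if __name__ == "__main__":
    # On a real CA host, signed_certnames would come from listing the signed/
    # directory shown in the error message and stripping the ".pem" suffix.
    on_disk = {"agent01.test.invalid", "reissued.test.invalid",
               "expired-on-disk.test.invalid"}
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(find_affected(SAMPLE_INVENTORY, on_disk, now))
```
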