Issue #2890 has been updated by Claus Divossen.

Status changed from Closed to Re-opened
Target version changed from 0.25.2 to 0.25.5
Affected version changed from 0.25.1 to 0.25.4

> > hmm yeah maybe it isn't worth doing, as there isn't really any possible 
> > harm nor could any nasty things come up with the destructive way, could 
> > there?
> 
> Correct, no harm can come.

Actually, there is harm done in connection with autosigning: When autosigning 
is active, any client can pretend to be another node as long as the desired 
node name matches the autosigning pattern(s), because the CA doesn't care about 
pre-existing certs anymore and just overwrites them. In consequence, 
autosigning can make your puppetmaster accept any client with any requested 
node name. If there are node specific secrets distributed with puppet, an 
attacker can simply pretend to be another node with the "puppetd --fqdn" option 
to get the other node's secrets.

The default behaviour should be to reject new CSRs for a node that already has 
a signed cert. 

----------------------------------------
Bug #2890: Puppetd: signed certificate retrieval "Retrieved certificate does 
not match private key"
http://projects.reductivelabs.com/issues/2890

Author: Silviu Paragina
Status: Re-opened
Priority: Normal
Assigned to: Dan Bode
Category: SSL
Target version: 0.25.5
Affected version: 0.25.4
Keywords: 
Branch: http://github.com/MarkusQ/puppet/tree/ticket/0.25.x/2890


Install a new client; let's call it client1.

Steps:
1. run puppetd --test on client
2. run puppetca --sign client1 on server
3. run rm -rf /var/lib/puppet/ssl on the client (equivalent to reinstalling 
the OS on the client)
4. run puppetd --test on the client
Now you will get, as expected, the "Retrieved certificate does not match private 
key" error. But the certificate the server gave is stored in 
/var/lib/puppet/ssl/certs, and puppetd will try to use it on future runs.

To prove that, do these 2 final steps:
5. run puppetca --clean client1
6. puppetd --test 
If you analyze this run, you will notice that the client does not even contact 
the server; it just loads the local certificates and bails out because the 
private/public key pair doesn't match.


Workaround: delete /var/lib/puppet/ssl/certs/client1.pem from the client (or the 
equivalent file).

I think the client shouldn't store the certificate received from the server 
unless it matches. 
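The two failure modes discussed in this ticket, the CA-side overwrite that makes autosigning impersonable (Claus's comment) and the client-side "store first, check later" behaviour (the reproduction steps above), modelled as an added example in Ruby with the standard openssl library. This is not Puppet's code: the ToyCA class, its method names, the autosign pattern, the in-memory hashes standing in for the CA's signed/ directory and the client's ssl/certs directory, and the host names are all assumptions made for the example.

```ruby
require 'openssl'

# Added example, not Puppet code. Toy CA plus the client-side check that
# bug #2890 asks for. Names, pattern and in-memory "directories" are assumptions.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

def build_csr(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

def csr_cn(csr)
  csr.subject.to_a.assoc('CN')[1]
end

class ToyCA
  attr_reader :signed # cn => certificate; stands in for the CA's ssl/ca/signed/ dir

  def initialize(autosign_pattern)
    @key = make_key
    @cert = OpenSSL::X509::Certificate.new
    @cert.version = 2
    @cert.serial = 1
    @cert.subject = @cert.issuer = OpenSSL::X509::Name.new([['CN', 'Toy Puppet CA']])
    @cert.public_key = @key.public_key
    @cert.not_before = Time.now
    @cert.not_after = Time.now + 3600
    @cert.sign(@key, OpenSSL::Digest.new('SHA256'))
    @autosign = autosign_pattern
    @signed = {}
    @serial = 1
  end

  # Returns the new certificate, or nil when the CSR is refused.
  # reject_existing: false reproduces the destructive behaviour Claus describes
  # (a matching name is always signed, overwriting the old cert); true is the
  # proposed default: a second CSR for an already-signed name is refused until
  # the operator cleans it (puppetca --clean).
  def autosign(csr, reject_existing: true)
    cn = csr_cn(csr)
    return nil unless csr.verify(csr.public_key)     # CSR signature must match its key
    return nil unless cn =~ @autosign                 # outside the autosign pattern
    return nil if reject_existing && @signed.key?(cn) # name already has a signed cert
    @serial += 1
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = @serial
    cert.subject = csr.subject
    cert.issuer = @cert.subject
    cert.public_key = csr.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert.sign(@key, OpenSSL::Digest.new('SHA256'))
    @signed[cn] = cert
  end

  def clean(cn)
    @signed.delete(cn)
  end
end

# Client side. `store` stands in for /var/lib/puppet/ssl/certs. The reported bug
# is that puppetd saves the retrieved cert before checking it against its key;
# retrieve_cert below checks first and only stores a matching certificate.
def cert_matches_key?(cert, key)
  cert.public_key.to_der == key.public_key.to_der
end

def retrieve_cert(store, ca, cn, key)
  cert = ca.signed[cn]
  return :none unless cert
  return :mismatch unless cert_matches_key?(cert, key) # refuse to store it
  store[cn] = cert
  :stored
end

# Claus's scenario: after client1 is signed, a different host requests client1's
# name (what "puppetd --fqdn client1.example.com" does). True if it gets a cert.
def impersonation_possible?(reject_existing:)
  ca = ToyCA.new(/\.example\.com\z/)
  ca.autosign(build_csr('client1.example.com', make_key))
  attacker_key = make_key
  cert = ca.autosign(build_csr('client1.example.com', attacker_key),
                     reject_existing: reject_existing)
  !cert.nil? && cert_matches_key?(cert, attacker_key)
end

# Silviu's steps 1-6: client1 is signed, loses its ssl directory and generates a
# fresh key. Returns [first retrieval result, result after clean, cert stored?].
def reinstall_scenario
  ca = ToyCA.new(/\.example\.com\z/)
  store = {}
  ca.autosign(build_csr('client1.example.com', make_key))          # steps 1-2
  new_key = make_key                                                # step 3
  ca.autosign(build_csr('client1.example.com', new_key))           # step 4: refused
  first = retrieve_cert(store, ca, 'client1.example.com', new_key) # old cert: mismatch
  ca.clean('client1.example.com')                                   # step 5
  ca.autosign(build_csr('client1.example.com', new_key))           # step 6: signed
  second = retrieve_cert(store, ca, 'client1.example.com', new_key)
  [first, second, store.key?('client1.example.com')]
end
```

With reject_existing: false the attacker's CSR for client1's name is signed and the old certificate is silently replaced, which is the impersonation path; with the default, the second CSR is refused and the only cert on the CA stays bound to the original key, so the client that lost its key gets :mismatch and stores nothing until the operator runs the equivalent of puppetca --clean.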


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.