Issue #3360 has been updated by Dominic Maraglia. Assignee set to Nick Lewis
Unable to verify this fix in Next: Running on Next https://github.com/puppetlabs/puppet/commit/02691637553d5637ee01a433a516b5d8cc9768a9

Start Master:
<pre>
[root@cent-55-64-1 ~]# /usr/bin/puppet master --certdnsnames=puppet:cent-55-64-1:cent-55-64-1.local --verbose --allow_duplicate_certs
</pre>

Generate cert on Agent:
<pre>
[root@cent-55-386-1 ~]# puppet certificate generate `hostname` --ca-location remote
/usr/lib/ruby/1.8/net/http.rb:560:in `initialize': getaddrinfo: Name or service not known (SocketError)
        from /usr/lib/ruby/1.8/net/http.rb:560:in `open'
        from /usr/lib/ruby/1.8/net/http.rb:560:in `connect'
        from /usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
        from /usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
        from /usr/lib/ruby/1.8/net/http.rb:560:in `connect'
        from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
        from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
        from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
         ... 14 levels...
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:402:in `exit_on_fail'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:307:in `run'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:61:in `execute'
        from /usr/bin/puppet:4
[root@cent-55-386-1 ~]# puppet certificate generate `hostname` --ca-location remote
/usr/lib/ruby/1.8/net/http.rb:560:in `initialize': Connection refused - connect(2) (Errno::ECONNREFUSED)
        from /usr/lib/ruby/1.8/net/http.rb:560:in `open'
        from /usr/lib/ruby/1.8/net/http.rb:560:in `connect'
        from /usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
        from /usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
        from /usr/lib/ruby/1.8/net/http.rb:560:in `connect'
        from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
        from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
        from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
         ... 14 levels...
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:402:in `exit_on_fail'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:307:in `run'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:61:in `execute'
        from /usr/bin/puppet:4
</pre>

----------------------------------------
Bug #3360: Add a flag to make puppet ca behavior on receipt of duplicate request configurable
https://projects.puppetlabs.com/issues/3360

Author: Claus Divossen
Status: Available In Testing Branch
Priority: Normal
Assignee: Nick Lewis
Category: SSL
Target version: Statler
Affected Puppet version: 0.25.4
Keywords: puppetca autosigning signed certificate
Branch:

The puppetca accepts CSRs for CNs/nodenames that already have a signed certificate, and signing the new certificates will overwrite the old certs without warning or further validation. This seems to be introduced with the work on Bug #2890. The puppetca does not care about already existing signed certificates anymore.

This is especially dangerous in combination with autosigning: When autosigning is active, any client can pretend to be another node as long as the desired node name matches the autosigning pattern(s). In consequence, autosigning completely disables the authorization process for matching node names. If there are node specific secrets distributed with puppet, an attacker can simply pretend to be another node with the "puppetd --fqdn" option and he will get the other node's secrets without any questions asked.

The default behaviour should be to reject new CSRs for a node that already has a signed cert, especially with autosigning. When puppetca is run manually, a warning might be sufficient.

**[Nigel]** See [Note 33](http://projects.puppetlabs.com/issues/3360#note-33) for the plan of action

-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
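The scenario the bug report describes (autosigning plus a second CSR carrying an already-signed CN, as `puppetd --fqdn <othernode>` would produce) and the requested default (reject the duplicate unless a flag allows it) can be modelled in a few dozen lines of Ruby with OpenSSL. This is an added example written for this page, not Puppet's CA code; the `MiniCA` class, its `allow_duplicate_certs:` keyword and the `*.example.com` autosign pattern are hypothetical stand-ins for the ticket's terms, and all keys and CSRs are generated inline.

```ruby
require 'openssl'

# Hypothetical minimal CA modelling the duplicate-CSR check requested in #3360.
# Not Puppet's implementation; names mirror the ticket's vocabulary only.
class MiniCA
  class DuplicateRequest < StandardError; end

  attr_reader :signed # CN => issued certificate

  def initialize(autosign_patterns: [], allow_duplicate_certs: false)
    @key = OpenSSL::PKey::RSA.new(2048)
    @cert = build_cert(OpenSSL::X509::Name.parse('/CN=Puppet CA'), @key.public_key, 1)
    @cert.sign(@key, OpenSSL::Digest::SHA256.new) # self-signed CA certificate
    @autosign = autosign_patterns
    @allow_dup = allow_duplicate_certs
    @signed = {}
    @serial = 1
  end

  # Autosign as the ticket describes it: a pattern match on the requested CN only.
  def autosign?(cn)
    @autosign.any? { |pat| pat.is_a?(Regexp) ? pat.match?(cn) : pat == cn }
  end

  # Sign a CSR. Raises DuplicateRequest when a certificate for that CN already
  # exists and allow_duplicate_certs is false (the default the ticket asks for).
  def sign(csr)
    raise ArgumentError, 'CSR signature does not verify' unless csr.verify(csr.public_key)
    cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }[1]
    if @signed.key?(cn) && !@allow_dup
      raise DuplicateRequest, "certificate for #{cn} already signed; refusing to overwrite"
    end
    cert = build_cert(csr.subject, csr.public_key, (@serial += 1))
    cert.issuer = @cert.subject
    cert.sign(@key, OpenSSL::Digest::SHA256.new)
    @signed[cn] = cert
  end

  # Autosign path: nil when the CN matches no pattern; the duplicate check still applies.
  def autosign(csr)
    cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }[1]
    autosign?(cn) ? sign(csr) : nil
  end

  private

  def build_cert(subject, public_key, serial)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = serial
    cert.subject = subject
    cert.issuer = subject
    cert.public_key = public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert
  end
end

# Fresh key pair and self-signed CSR for a given CN (what an agent would submit).
def make_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  [key, csr]
end

# The ticket's attack: web01 enrols through autosign, then an attacker submits a
# CSR for the same CN (as `puppetd --fqdn web01.example.com` would). Returns whether
# the second CSR was rejected and whether web01's original key is still the one on file.
def duplicate_csr_scenario(allow_duplicate_certs)
  ca = MiniCA.new(autosign_patterns: [/\.example\.com\z/],
                  allow_duplicate_certs: allow_duplicate_certs)
  _node_key, node_csr = make_csr('web01.example.com')
  _attacker_key, attacker_csr = make_csr('web01.example.com')
  original = ca.autosign(node_csr)
  outcome = begin
    ca.autosign(attacker_csr)
    :overwritten
  rescue MiniCA::DuplicateRequest
    :rejected
  end
  current = ca.signed['web01.example.com']
  { outcome: outcome,
    key_unchanged: current.public_key.to_der == original.public_key.to_der }
end

if $PROGRAM_NAME == __FILE__
  p duplicate_csr_scenario(false) # default: attacker's CSR rejected, key unchanged
  p duplicate_csr_scenario(true)  # flag set: attacker's cert silently replaces web01's
end
```

With the flag off, the second CSR is refused and the stored certificate still carries web01's original public key; with it on, the behaviour the bug report complains about is reproduced, and the attacker's key is what the CA now vouches for under web01's name. Note that the CN match alone is what autosign trusts here, which is exactly why the duplicate check has to run before, not after, the pattern match.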
