Issue #3143 has been updated by Nigel Kersten. Target version changed from Statler to Telly
----------------------------------------
Bug #3143: Puppet should correctly support CA trust chains
https://projects.puppetlabs.com/issues/3143

Author: Justin Baugh
Status: Accepted
Priority: High
Assignee:
Category: SSL
Target version: Telly
Affected Puppet version: 0.25.3
Keywords:
Branch:

It would be very, very useful for Puppet to use existing enterprise-deployed PKI systems, rather than relying somewhat on the creation of its own self-signed CA. Here is some background:

For a few months, I have been using 0.24.8 in production. I used the techniques described in the wiki (multiple CA certificates) to override the local CA certificate, setting localcacert in puppet.conf to the PEM bundle. This required a slight hack to prevent Puppet from overwriting the file, but it worked and verified correctly. My PKI setup is fairly simple: I have a global root, which has a subordinate network CA, which has signed the Puppet CA (A->B->C).

I have recently upgraded to 0.25.4 and this has broken entirely (see http://pastebin.ca/1776458 for a client debug; the server side never sees the request because it doesn't even get that far). I have tried both with a brand new client and an upgrade of an existing one - the errors are the same, failure to validate certificates.

From looking at cert_setup in network/http_pool.rb, Puppet will set the ca_file and SSL store as appropriate, but neither of these are seemingly sufficient to verify a trust chain. However, when I commented out usage of the certificate store and CA file (http://pastebin.ca/1776467) and used ca_path instead (set to an OpenSSL-hashed cert dir) containing A, B, and C's PEM files, the verification succeeds, which confuses me greatly. I also tried directly modifying the certificate store passed to the http object to load my certificates directly into the store (via add_file) and this also does not verify. I notice that WEBrick deals with this issue by modifying the SSL context directly (extra_chain_cert).
Is it possible for Puppet to do something similar? The property is not directly exposed from http.rb. When I have done testing with Puppet using WEBrick, modifying the appropriate WEBrick code to set the property to the appropriate trust chain (A and B) also works correctly, allowing the verification to succeed.

I apologize in advance if I am overlooking something or doing it wrong. In addition, I am happy to diagnose/debug/investigate this issue, if it is helpful, and write a patch for it if necessary, but my ruby/ruby openssl familiarity is minimal.
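As an added illustration (not part of the report and not Puppet's or WEBrick's code), the following Ruby script builds a constructed three-level chain like the one described (root A -> network CA B -> Puppet CA C -> node certificate) and shows what OpenSSL::X509::Store needs in order to verify the node certificate: the intermediates must be either loaded into the store alongside the root (as with a localcacert PEM bundle) or presented together with the leaf (what extra_chain_cert makes a server send). The CN values are made up for the demonstration.

```ruby
require 'openssl'

# Constructed test PKI mirroring the report: root A -> network CA B -> Puppet CA C -> node.
# Helper: issue a certificate for `cn`; self-signed when no issuer is given.
def make_cert(cn, key, issuer: nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against the trust anchors in `trusted`; `untrusted` are intermediates
# presented alongside the leaf (what a TLS peer sends, e.g. via extra_chain_cert).
def verify(leaf, trusted, untrusted = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  { ok: ok, error: store.error_string, depth: ok ? store.chain.length : nil }
end

def chain_demo
  a_key, b_key, c_key, n_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  a = make_cert("Global Root A", a_key)
  b = make_cert("Network CA B", b_key, issuer: { cert: a, key: a_key })
  c = make_cert("Puppet CA C", c_key, issuer: { cert: b, key: b_key })
  node = make_cert("agent.example.test", n_key, issuer: { cert: c, key: c_key }, ca: false)
  {
    # Only the root is trusted and nothing else is offered: B and C cannot be found.
    root_only: verify(node, [a]),
    # Whole bundle (A, B, C) loaded into the store, like a localcacert PEM bundle.
    bundle: verify(node, [a, b, c]),
    # Root trusted, intermediates supplied with the leaf, as extra_chain_cert would do.
    supplied: verify(node, [a], [b, c]),
  }
end

if __FILE__ == $PROGRAM_NAME
  chain_demo.each { |name, r| puts "#{name}: ok=#{r[:ok]} (#{r[:error]}) depth=#{r[:depth]}" }
end
```

The root-only case fails with "unable to get local issuer certificate", while both the bundle and the supplied-chain cases succeed with a four-certificate chain.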
