Issue #10739 has been updated by Josh Cooper.
Status changed from Accepted to In Topic Branch Pending Review
Affected Puppet version changed from 2.7.6 to 2.6.12
Branch set to https://github.com/puppetlabs/puppet/pull/238
Note this issue needs to be merged into 2.6.x and then merged forward to 2.7.x.
Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
puppet would add default subjectAltNames to any non-CA cert it signed,
including agent certs. The subjectAltNames were of the form:
DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
The fix for #2848 prevented subjectAltNames from ever being
implicitly added at signing time. But during this change, the default
subjectAltNames behavior was accidentally removed.
This commit restores the 'defaulting' behavior that existed
previously, but only when bootstrapping the initial master.
Additionally, default subjectAltNames are only ever added when
generating the master's certificate signing request, not at signing
time. This is important, because it ensures all subjectAltNames
originate from the CSR and are subject to our internal signing policy.
The code now requires that all of the following be true in order to
add default subjectAltNames to the CSR:
1. We are a CA and master
2. We're signing the master's cert, not self-signing the CA
3. The CSR is for the current host
4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
5. The master can resolve its fqdn
These should only ever be true when bootstrapping the initial
master. In particular, it should never be true for the CA's
self-signed cert, for remote agents, or for servers that are either
masters or CAs, but not both.
The fqdn requirement existed previously, and so the same behavior has
been restored.
Note if Puppet[:dns_alt_names] are specified when bootstrapping the
master, then we do not merge the default options -- it's either one or
the other, but not both.
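The following is an added example written for this page; it is not code from the pull request or from Puppet itself. It models the five conditions listed above as a single decision made when the CSR is generated, puts the chosen names into the CSR's extReq attribute, and has the signer copy subjectAltName only from the CSR, so that signing can never add names the request did not carry. All function names, the constructed host names under example.com, the `resolved_fqdn` argument (a stand-in for the master's own fqdn lookup, nil when resolution fails) and the toy "DNS names only" signing policy are assumptions made for the example, not Puppet's API.

```ruby
require 'openssl'

# Default alt names of the form described in the update: DNS:puppet,
# DNS:<fqdn>, DNS:puppet.<domain>. Bare host names are returned; the "DNS:"
# prefix is added when the extension is built.
def default_alt_names(fqdn)
  domain = fqdn.split('.', 2)[1]
  names = ['puppet', fqdn]
  names << "puppet.#{domain}" if domain
  names
end

# The five conditions from the update, evaluated at CSR generation time.
# resolved_fqdn is nil when the master cannot resolve its own fqdn (assumed
# stand-in for the real lookup so the example runs offline). Explicit
# dns_alt_names win outright and are never merged with the defaults.
def alt_names_for_csr(ca:, master:, self_signing_ca:, cert_name:, resolved_fqdn:, dns_alt_names: [])
  return dns_alt_names unless dns_alt_names.empty?  # 4: names were specified
  return [] unless ca && master                      # 1: we are CA *and* master
  return [] if self_signing_ca                       # 2: not the CA's own cert
  return [] if resolved_fqdn.nil?                    # 5: fqdn must resolve
  return [] unless cert_name == resolved_fqdn        # 3: CSR is for this host
  default_alt_names(resolved_fqdn)
end

# Build a CSR; alt names go into an extReq attribute so the signer sees them.
def build_csr(cn, key, alt_names)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName', alt_names.map { |n| "DNS:#{n}" }.join(','), false)
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Read the subjectAltName the CSR itself carries (nil if none).
def csr_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return nil unless attr
  exts = attr.value.value.first.value.map { |seq| OpenSSL::X509::Extension.new(seq.to_der) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  san && san.value
end

# Self-signed CA for the bootstrap; it gets no default alt names (condition 2).
def make_ca(host, key)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.new([['CN', "Puppet CA: #{host}"]])
  ca.public_key = key.public_key
  ca.not_before = Time.now
  ca.not_after = ca.not_before + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  ca
end

# Signing never invents SANs: only what the CSR carries, and what policy
# accepts, ends up in the certificate. The policy here is an assumed toy
# rule (every name must be a DNS name); a real CA applies its own rules.
def sign_from_csr(csr, ca_key, ca_cert, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth,clientAuth', true))
  san = csr_alt_names(csr)
  if san
    names = san.split(',').map(&:strip)
    raise 'policy: only DNS names allowed' unless names.all? { |n| n.start_with?('DNS:') }
    cert.add_extension(ef.create_extension('subjectAltName', names.join(','), false))
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SAN string of a signed cert, nil when absent (the symptom in the report).
def cert_alt_names(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  san && san.value
end
```

To try it by hand, generate two RSA keys, call `make_ca('master.example.com', ca_key)`, build the master's CSR from `alt_names_for_csr(ca: true, master: true, self_signing_ca: false, cert_name: 'master.example.com', resolved_fqdn: 'master.example.com')`, sign it with `sign_from_csr`, and compare `cert_alt_names` for that certificate against one signed from an agent CSR built with an empty name list; the first carries the three default names, the second has no subjectAltName at all, and passing `dns_alt_names:` replaces the defaults rather than merging with them.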
----------------------------------------
Bug #10739: An initial installation of 2.7.6 results in a default certificate without alternate names
https://projects.puppetlabs.com/issues/10739
Author: Eli Klein
Status: In Topic Branch Pending Review
Priority: Normal
Assignee: Josh Cooper
Category: SSL
Target version: 2.6.x
Affected Puppet version: 2.6.12
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/238
Facts around the bug:
- Using puppet/puppet-server 2.7.6-2 RPM from the puppetlabs repo
- CentOS 5.6
- Stock puppet.conf
After starting the server for the first time, the certificate contains only the
local hostname of the system. Here's the openssl output from the created
certificate:
[root@bld-testpuppet-01 etc]# openssl x509 -in /var/lib/puppet/ssl/certs/bld-testpuppet-01.f4tech.com.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: bld-testpuppet-01.f4tech.com
Validity
Not Before: Nov 10 15:35:35 2011 GMT
Not After : Nov 9 15:35:35 2016 GMT
Subject: CN=bld-testpuppet-01.f4tech.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:0c:aa:c3:73:ed:1a:30:65:83:f9:78:18:9e:
81:00:fa:32:b1:32:35:0d:c4:97:a2:93:18:8c:3f:
ee:4b:37:e1:e7:49:ec:bb:dc:0e:85:b2:3b:41:de:
58:aa:58:25:e0:a2:06:df:2e:7e:e1:2d:33:05:a2:
45:3c:17:3f:12:7a:70:58:7b:e7:ce:13:dc:c1:fa:
1e:8a:5f:d1:5c:6a:9b:9c:cb:cb:1a:35:09:07:d9:
25:31:b9:81:27:1b:44:55:7f:3f:2e:12:d5:da:29:
79:d1:15:09:22:b6:a0:04:62:12:73:80:88:81:b3:
fb:41:22:99:34:04:a5:5c:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
22:C8:D0:C9:4F:9D:BD:69:58:FB:9B:0F:91:AE:E4:65:6B:86:5A:DC
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Netscape Comment:
Puppet Ruby/OpenSSL Internal Certificate
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
04:ce:b2:07:2c:3f:d0:de:03:6f:0f:db:7d:06:b2:37:1a:1a:
8f:e4:b5:56:98:fa:1d:a1:81:56:d6:ad:7a:f8:3e:41:3e:0b:
56:32:4f:67:de:99:77:82:59:8b:a3:67:53:19:0f:b4:9e:24:
38:79:5b:0b:e3:87:9a:cb:e3:4e:61:db:a7:9a:f8:98:3c:24:
0e:37:3b:2d:02:9b:dd:6d:64:c2:09:7e:0e:7f:4c:43:38:58:
c6:e0:f3:dc:07:70:d2:49:31:c3:e6:f8:f4:f7:35:8a:f4:b8:
f4:7e:e7:37:fb:d0:c4:42:8b:be:3f:f3:8c:c4:42:1f:ab:e8:
19:14
-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDDCdQdXBw
ZXQgQ0E6IGJsZC10ZXN0cHVwcGV0LTAxLmY0dGVjaC5jb20wHhcNMTExMTEwMTUz
NTM1WhcNMTYxMTA5MTUzNTM1WjAnMSUwIwYDVQQDDBxibGQtdGVzdHB1cHBldC0w
MS5mNHRlY2guY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7DKrDc+0a
MGWD+XgYnoEA+jKxMjUNxJeikxiMP+5LN+HnSey73A6FsjtB3liqWCXgogbfLn7h
LTMFokU8Fz8SenBYe+fOE9zB+h6KX9Fcapucy8saNQkH2SUxuYEnG0RVfz8uEtXa
KXnRFQkitqAEYhJzgIiBs/tBIpk0BKVcoQIDAQABo4GbMIGYMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFCLI0MlPnb1pWPubD5Gu5GVrhlrcMA4GA1UdDwEB/wQEAwIF
oDA3BglghkgBhvhCAQ0EKhYoUHVwcGV0IFJ1YnkvT3BlblNTTCBJbnRlcm5hbCBD
ZXJ0aWZpY2F0ZTAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJ
KoZIhvcNAQEFBQADgYEABM6yByw/0N4Dbw/bfQayNxoaj+S1Vpj6HaGBVtatevg+
QT4LVjJPZ96Zd4JZi6NnUxkPtJ4kOHlbC+OHmsvjTmHbp5r4mDwkDjc7LQKb3W1k
wgl+Dn9MQzhYxuDz3Adw0kkxw+b49Pc1ivS49H7nN/vQxEKLvj/zjMRCH6voGRQ=
-----END CERTIFICATE-----
Note the missing entry similar to the following:
X509v3 Subject Alternative Name:
DNS:puppet, DNS:bld-testpuppet-01.f4tech.com,
DNS:puppet.f4tech.com
Adding in the dns_alt_names keyword to the config with the additional names
results in the correct certificate after it's regenerated.
Please let me know if you need further information. I've been able to
reproduce this 3 times on freshly installed systems.
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
For more options, visit this group at
http://groups.google.com/group/puppet-bugs?hl=en.