Issue #13406 has been updated by Chris Price.

Status changed from Unreviewed to Needs Decision
Assignee set to Daniel Pittman
Bouncing this to Daniel for decision / prioritization.

----------------------------------------
Feature #13406: Remote signing (puppet face) of certs with DNS alt names should be allowed
https://projects.puppetlabs.com/issues/13406#change-58854

Author: Kristof Willaert
Status: Needs Decision
Priority: Normal
Assignee: Daniel Pittman
Category:
Target version:
Affected Puppet version: 2.7.12
Keywords:
Branch:

As requested by dpittman on irc, I am logging this to be considered for inclusion.

As it stands now, the remote signing of certificates which have DNS alt names in the request is explicitly disallowed by the certificate face. In `lib/puppet/face/certificate.rb` (lines 106-109):

<pre>
if Puppet::SSL::Host.ca_location == :remote
  if options[:allow_dns_alt_names]
    raise ArgumentError, "--allow-dns-alt-names may not be specified with a remote CA"
  end
</pre>

According to dpittman, some of the restrictions that are now in place are a consequence of the fixes for the recent security vulnerability involving [agent certs with DNS alt names](http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/), and in fixing it probably not all possible use cases were considered.

My use case for this: I have a setup very similar to the puppetlabs [cloud-provisioner](http://docs.puppetlabs.com/guides/cloud_pack_getting_started.html) to bootstrap nodes. This is used to bootstrap nodes and pre-sign certs through the use of the certificate face. This setup works well for nodes. I am now trying to add the possibility to bootstrap extra puppetmasters.
For this to work, I would have to add DNS alt names to the cert request (DNS: puppet, ...), but then the cloud provisioner errors out:

<pre>
$ puppet certificate generate somenode.lan --ca-location remote --dns-alt-names "puppet, puppet.lan"
true
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: --allow-dns-alt-names may not be specified with a remote CA
err: Try 'puppet help certificate sign' for usage
</pre>

Commenting out the check referenced above in `lib/puppet/face/certificate.rb` fixes the local face, but the command still fails, as the code for signing on the CA still disallows the remote use of DNS alt names:

<pre>
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: Error 400 on SERVER: CSR 'somenode.lan' contains subject alternative names (DNS:puppet, DNS:puppet.lan, DNS:somenode.lan), which are disallowed. Use `puppet cert --allow-dns-alt-names sign somenode.lan` to sign this request.
err: Try 'puppet help certificate sign' for usage
</pre>

Fixing the local face code is probably as trivial as removing the check for allow_dns_alt_names; fixing the code on the CA would probably involve some config item to be added to explicitly allow for this use. The code on the CA is in `lib/puppet/ssl/certificate_authority.rb` (lines 318-320):

<pre>
unless allow_dns_alt_names
  raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
end
</pre>

Would this feature be useful, or is my use case just too exotic?

P.S. On a side note, the latest Puppet release (2.7.12) has a bug (issue #12191) that makes any remote cert signing impossible. It is fixed in master in this [commit](https://github.com/puppetlabs/puppet/commit/a09c3f05199ecbc05121e93b34e9f7174009de2b).
I have been working with dpittman to get it backported to the 2.7.x branch.

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
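The CA-side check quoted above is the security boundary the altnames fix put in place: a CSR's subject is `somenode.lan`, but the requested alt names include `DNS:puppet`, so a cert signed from it would let that node impersonate the master to every agent. The following is an added example, not Puppet's own code, written with Ruby's OpenSSL bindings: it builds a CSR carrying a subjectAltName request (the way `--dns-alt-names` does), extracts the requested names from the PKCS#10 `extReq` attribute the way Puppet's `csr.subject_alt_names` does, and applies a signing policy that refuses alt names unless explicitly allowed. The `permitted` allow-list is a hypothetical stand-in for the "config item" the reporter suggests for the CA; `build_csr`, `subject_alt_names`, `check_alt_names` and `CertificateSigningError` are names of this example, not Puppet's.

```ruby
require 'openssl'

# Stands in for Puppet's CertificateSigningError (example code, not Puppet's).
class CertificateSigningError < StandardError; end

# Build a CSR, optionally carrying a subjectAltName request, the way an agent
# or the cloud provisioner does when `--dns-alt-names` is given.
def build_csr(cn, dns_alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", cn]])
  csr.public_key = key.public_key
  unless dns_alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      "subjectAltName", dns_alt_names.map { |n| "DNS:#{n}" }.join(", "), false)
    # PKCS#10 carries requested extensions as an extReq attribute whose value
    # is SET { SEQUENCE { Extension, ... } }.
    csr.add_attribute(OpenSSL::X509::Attribute.new(
      "extReq", OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])))
  end
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr
end

# Return the alt names a CSR asks for, e.g. ["DNS:puppet", "DNS:puppet.lan"].
def subject_alt_names(csr)
  csr.attributes.each do |attr|
    next unless attr.oid == "extReq"
    attr.value.value.each do |ext_seq|            # the SET's SEQUENCE members
      ext_seq.value.each do |ext_asn1|            # each requested Extension
        ext = OpenSSL::X509::Extension.new(ext_asn1.to_der)
        return ext.value.split(/,\s*/) if ext.oid == "subjectAltName"
      end
    end
  end
  []
end

# CA-side policy: refuse any alt names unless the operator opted in, and with
# a hypothetical allow-list (`permitted`) also refuse names not on the list.
def check_alt_names(csr, allow_dns_alt_names: false, permitted: nil)
  name = csr.subject.to_a.find { |entry| entry[0] == "CN" }[1]
  # Never trust the contents of a CSR before its self-signature verifies.
  raise CertificateSigningError, "CSR '#{name}' has an invalid signature" unless csr.verify(csr.public_key)
  sans = subject_alt_names(csr)
  return sans if sans.empty?
  unless allow_dns_alt_names
    raise CertificateSigningError,
          "CSR '#{name}' contains subject alternative names (#{sans.join(', ')}), which are disallowed."
  end
  # Only DNS names are meaningful for a Puppet host; refuse IP:, email: etc.
  other = sans.reject { |s| s.start_with?("DNS:") }
  raise CertificateSigningError, "CSR '#{name}' requests unsupported alt names: #{other.join(', ')}" unless other.empty?
  if permitted
    rejected = sans.map { |s| s.sub(/\ADNS:/, "") } - permitted
    unless rejected.empty?
      raise CertificateSigningError, "CSR '#{name}' requests alt names not on the allow-list: #{rejected.join(', ')}"
    end
  end
  sans
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: CN somenode.lan asking for the master's name too.
  csr = build_csr("somenode.lan", %w[puppet puppet.lan somenode.lan])
  [[false, nil], [true, nil], [true, %w[puppet.lan somenode.lan]]].each do |allow, permitted|
    begin
      signed = check_alt_names(csr, allow_dns_alt_names: allow, permitted: permitted)
      puts "allow=#{allow} permitted=#{permitted.inspect}: would sign with #{signed.inspect}"
    rescue CertificateSigningError => e
      puts "allow=#{allow} permitted=#{permitted.inspect}: refused: #{e.message}"
    end
  end
end
```

The first run reproduces the 400 the reporter saw; the second is what `--allow-dns-alt-names` on the CA host unlocks; the third shows why a remote opt-in is not enough on its own: a flat boolean still lets a bootstrapped node claim `DNS:puppet`, whereas an allow-list on the CA lets the operator permit `puppet.lan` for a new master without handing out the primary master's name.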
