Issue #13406 has been updated by eric sorenson.
Status changed from Needs Decision to Accepted
Assignee changed from eric sorenson to Kristof Willaert
It does look like allow_dns_alt_names could be put into config; right now it's only enabled if we're issuing a certificate for the same host we're running the signing code on (from certificate_authority.rb:260):
<pre>
allow_dns_alt_names = true if hostname == Puppet[:certname].downcase
</pre>
... which seems kind of limited and arbitrary.
Kristof, since you have code around this already, could you work on a config setting that would enable this?
----------------------------------------
Feature #13406: Remote signing (puppet face) of certs with DNS alt names should be allowed
https://projects.puppetlabs.com/issues/13406#change-66392
Author: Kristof Willaert
Status: Accepted
Priority: Normal
Assignee: Kristof Willaert
Category:
Target version:
Affected Puppet version: 2.7.12
Keywords:
Branch:
As requested by dpittman on irc, I am logging this to be considered for inclusion.
As it stands now, the remote signing of certificates which have DNS alt names in the request is explicitly disallowed by the certificate face, in `lib/puppet/face/certificate.rb` (lines 106-109):
<pre>
if Puppet::SSL::Host.ca_location == :remote
  if options[:allow_dns_alt_names]
    raise ArgumentError, "--allow-dns-alt-names may not be specified with a remote CA"
  end
end  # closing end of the outer if, past line 109 in the original
</pre>
According to dpittman, some of the restrictions that are now in place are a consequence of the fixes for the recent security vulnerability involving [agent certs with DNS alt names](http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/), and in fixing it probably not all possible use cases were considered.
My use case for this:
I have a setup very similar to the puppetlabs [cloud-provisioner](http://docs.puppetlabs.com/guides/cloud_pack_getting_started.html) to bootstrap nodes. It is used to bootstrap nodes and pre-sign certs through the use of the certificate face. This setup works well for nodes.
I am now trying to add the possibility to bootstrap extra puppetmasters. For this to work, I would have to add DNS alt names to the cert request (DNS: puppet, ...), but then the cloud provisioner errors out:
<pre>
$ puppet certificate generate somenode.lan --ca-location remote --dns-alt-names "puppet, puppet.lan"
true
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: --allow-dns-alt-names may not be specified with a remote CA
err: Try 'puppet help certificate sign' for usage
</pre>
Commenting out the check referenced above in `lib/puppet/face/certificate.rb` fixes the local face, but the command still fails, as the code for signing on the CA still disallows the remote use of DNS alt names:
<pre>
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: Error 400 on SERVER: CSR 'somenode.lan' contains subject alternative names (DNS:puppet, DNS:puppet.lan, DNS:somenode.lan), which are disallowed. Use `puppet cert --allow-dns-alt-names sign somenode.lan` to sign this request.
err: Try 'puppet help certificate sign' for usage
</pre>
Fixing the local face code is probably as trivial as removing the check for allow_dns_alt_names; fixing the code on the CA would probably involve adding a config item to explicitly allow for this use.
The code on the CA is in `lib/puppet/ssl/certificate_authority.rb` (lines 318-320):
<pre>
unless allow_dns_alt_names
  raise CertificateSigningError.new(hostname),
        "CSR '#{csr.name}' contains subject alternative names " \
        "(#{csr.subject_alt_names.join(', ')}), which are disallowed. " \
        "Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
end
</pre>
Would this feature be useful, or is my use case just too exotic?
P.S. On a side note, the latest Puppet release (2.7.12) has a bug (issue #12191) that makes any remote cert signing impossible. It is fixed in master in this [commit](https://github.com/puppetlabs/puppet/commit/a09c3f05199ecbc05121e93b34e9f7174009de2b). I have been working with dpittman to get it backported to the 2.7.x branch.
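A runnable illustration of the two pieces this issue touches, added here as an example and not code from the Puppet project or from the reporter: it builds a CSR that carries DNS alt names in the PKCS#9 extensionRequest attribute (the form `puppet certificate generate --dns-alt-names` sends to the CA), extracts those names the way a CA must before signing, and applies the accept/reject decision from a boolean standing in for the proposed config setting instead of the `hostname == Puppet[:certname]` comparison quoted above. The function names, the `allow_dns_alt_names` parameter and the `CertificateSigningError` class are assumptions for this example; the refusal message follows the wording of the server error shown in the issue.

```ruby
require 'openssl'

# Added example, not Puppet's code: build_csr, subject_alt_names, check_alt_names!
# and the allow_dns_alt_names parameter are assumptions standing in for the
# CA-side setting proposed in this issue.

class CertificateSigningError < StandardError; end

# Build a CSR for +cn+ that carries DNS alt names in a PKCS#9 extensionRequest
# attribute, which is how a `--dns-alt-names` request reaches the CA.
def build_csr(cn, dns_alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key

  unless dns_alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', dns_alt_names.map { |n| "DNS:#{n}" }.join(',')
    )
    # extReq value is SET { SEQUENCE { Extension, ... } }
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end

  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Pull the subjectAltName entries ("DNS:puppet", ...) out of the CSR's
# extensionRequest attribute; an empty array means the CSR asks for none.
def subject_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  exts = attr.value.value.first.value.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  san ? san.value.split(',').map(&:strip) : []
end

# CA-side policy check mirroring the one quoted from certificate_authority.rb,
# except that the decision comes from +allow_dns_alt_names+ (the proposed
# setting) rather than from `hostname == Puppet[:certname]`. The CSR's own
# signature is verified first so a tampered request is never evaluated.
# Returns the alt names that would end up in the signed certificate.
def check_alt_names!(csr, allow_dns_alt_names)
  unless csr.verify(csr.public_key)
    raise CertificateSigningError, "CSR for #{csr.subject} has an invalid signature"
  end
  names = subject_alt_names(csr)
  return names if names.empty? || allow_dns_alt_names
  raise CertificateSigningError,
        "CSR '#{csr.subject}' contains subject alternative names " \
        "(#{names.join(', ')}), which are disallowed."
end

# Convenience wrapper: true when the CA would sign under the given setting.
def signing_allowed?(csr, allow_dns_alt_names)
  check_alt_names!(csr, allow_dns_alt_names)
  true
rescue CertificateSigningError
  false
end

if __FILE__ == $0
  csr = build_csr('somenode.lan', %w[puppet puppet.lan])
  puts "alt names requested: #{subject_alt_names(csr).inspect}"
  puts "sign with setting off: #{signing_allowed?(csr, false)}"
  puts "sign with setting on:  #{signing_allowed?(csr, true)}"
end
```

The point of keeping the default at "reject" is the one behind the altnames advisory linked above: any agent can put `DNS:puppet` in its own CSR, so a CA must never honour requested alt names unless an operator has opted in for that signing, whether through a face flag on the CA host or, as proposed here, through a setting that the remote signing path can consult.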
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.