Issue #3120 has been updated by Jeff McCune.

Status changed from Needs Decision to Accepted
Assignee deleted (Nick Fagerlund)
Target version set to 3.x

# Not a documentation bug #

This is not a documentation bug. This is definitely a bug in Puppet. Our entire SSL system is built upon the poor assumption that we're using a single, self-signed CA certificate. There are actually 3 different CA settings we need to configure in the OpenSSL context instance:

* The server chain provided to the client: [SSL_CTX_add_extra_chain_cert](http://www.openssl.org/docs/ssl/SSL_CTX_add_extra_chain_cert.html)
* The CAs you announce to support to the client: [SSL_CTX_set_client_CA_list](http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html)
* The CAs you actually use to verify: [SSL_CTX_load_verify_locations](http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)

In order to properly fix this problem and fully support CA chaining, we need to add three distinct configuration settings for _both_ the clients and the servers. The three configuration settings need to be the CA certificate itself, the bundle of CAs composing the full chain from root to leaf, and the bundle of CAs that are valid for authenticating SSL peers.

----------------------------------------
Bug #3120: 'localcacert' doesn't behave as described
https://projects.puppetlabs.com/issues/3120#change-66411

Author: eric sorenson
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: 3.x
Affected Puppet version: 0.25.1
Keywords: ssl certificate ca
Branch:

I've been grappling with the problem of getting multiple CA certificates set up, one per puppetmaster, as described in MultipleCertificateAuthorities on the wiki. The overall goal is to be able to have N puppetmasters who all issue certificates and trust each other's certs so no additional bootstrapping would be needed to get clients up and running.

This is way tougher than I expected, and I think at least part of it is some confusing behaviour on puppet's part, to wit: the docs for the 'localcacert' variable say:

{{{
# Where each client stores the CA certificate.
# The default value is '$certdir/ca.pem'.
localcacert = /etc/puppet/ssl/certs/ca.pem
}}}

The docs suggest this ought to be the CA's certificate or bundle. But what seems to be happening is that on the puppetmaster, this cert is used *as the CA Cert* for signing requests, overriding the value of 'cacert', and causing 'key and certificate don't match' errors thrown from Puppet::SSL::Host.certificate. I notice that Markus recently changed this part of the code for #2890 but at a glance it looks like this would continue.

To reproduce:

- specify different certificates for cacert and localcacert
- request a certificate
- be surprised at which one issues your client's cert

More generally it would be great if somebody in the know took a look at the wiki docs for this and beat them into shape to make a better supported / less voodoo way to set up multiple masters. PuppetScalability and MultipleCertificateAuthorities have "hey it worked for me...sorta" type of docs. What I've done to get things working is followed Paul Lathrop's post: http://groups.google.com/group/puppet-users/msg/89b75ebe91c5985b which definitely simplifies things, but isn't written up anywhere. I'll be happy to do that if it turns out to be the best way but it'd be good to get a ruling on whether I'm doing something wrong with the chained CA setup first.

Thanks
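The three OpenSSL settings Jeff lists above, as an added Ruby example that is not part of this issue or of Puppet's code: a constructed test PKI (root CA, an intermediate "Puppet CA", a puppetmaster leaf; all names are made up) shows that a verify bundle holding only the root rejects the leaf unless the intermediate arrives as the peer's chain or is itself in the trusted bundle, and how the sent chain, the announced CA list and the verify store stay three separate settings on one SSLContext instead of all being derived from a single ca.pem.

```ruby
require 'openssl'

# Constructed test-only PKI (not Puppet's code): root CA -> intermediate
# "Puppet CA" -> puppetmaster leaf. Self-signed when issuer is nil.
def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = issue_cert('Test Root CA', ROOT_KEY, ca: true)
INT_KEY = OpenSSL::PKey::RSA.new(2048)
INTERMEDIATE = issue_cert('Test Puppet CA', INT_KEY, issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = issue_cert('puppetmaster.example.test', LEAF_KEY, issuer: INTERMEDIATE, issuer_key: INT_KEY)

# Verify a peer cert against a trusted bundle, optionally with the chain the
# peer sent alongside its cert. Returns [ok, error_string].
def verify_peer(cert, trusted, chain = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(cert, chain)
  [ok, store.error_string]
end

# The three settings from the comment above, kept apart on one server-side
# SSLContext: chain sent, CA list announced, bundle used to verify peers.
def build_server_context(chain:, announced:, trusted:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = LEAF
  ctx.key = LEAF_KEY
  ctx.extra_chain_cert = chain            # SSL_CTX_add_extra_chain_cert
  ctx.client_ca = announced               # SSL_CTX_set_client_CA_list
  store = OpenSSL::X509::Store.new        # SSL_CTX_load_verify_locations
  trusted.each { |c| store.add_cert(c) }
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end
```

`verify_peer(LEAF, [ROOT])` rejects the leaf because its issuer is neither trusted nor supplied, while `verify_peer(LEAF, [ROOT], [INTERMEDIATE])` and `verify_peer(LEAF, [ROOT, INTERMEDIATE])` both succeed.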
