Issue #13406 has been updated by Nigel Kersten.
You could also take the approach I mentioned earlier, where you bootstrap masters with an agent cert, and in your puppet manifests for those hosts, you generate a new, with-alt-names cert and transfer it to the agents-who-will-become-masters, all inside the Puppet run. That wouldn't require opening another port, but may break your security partitioning and trust domains.

----------------------------------------
Feature #13406: Remote signing (puppet face) of certs with DNS alt names should be allowed
https://projects.puppetlabs.com/issues/13406#change-66470

Author: Kristof Willaert
Status: Rejected
Priority: Normal
Assignee: eric sorenson
Category:
Target version:
Affected Puppet version: 2.7.12
Keywords:
Branch:

As requested by dpittman on irc, I am logging this to be considered for inclusion.

As it stands now, the remote signing of certificates which have DNS alt names in the request is explicitly disallowed by the certificate face. In `lib/puppet/face/certificate.rb (line 106-109)`:

<pre>
if Puppet::SSL::Host.ca_location == :remote
  if options[:allow_dns_alt_names]
    raise ArgumentError, "--allow-dns-alt-names may not be specified with a remote CA"
  end
</pre>

According to dpittman, some of the restrictions that are now in place are a consequence of the fixes for the recent security vulnerability involving [agent certs with DNS alt names](http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/), and in fixing probably not all possible use cases were considered.

My use case for this: I have a setup very similar to the puppetlabs [cloud-provisioner](http://docs.puppetlabs.com/guides/cloud_pack_getting_started.html) to bootstrap nodes. This is used to bootstrap nodes and pre-sign certs through the use of the certificate face. This setup works well for nodes. I am now trying to add the possibility to bootstrap extra puppetmasters.

For this to work, I would have to add DNS alt names to the cert request (DNS: puppet, ...), but then the cloud provisioner errors out:

<pre>
$ puppet certificate generate somenode.lan --ca-location remote --dns-alt-names "puppet, puppet.lan"
true
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: --allow-dns-alt-names may not be specified with a remote CA
err: Try 'puppet help certificate sign' for usage
</pre>

Commenting out the check referenced above in `lib/puppet/face/certificate.rb` fixes the local face, but the command still fails, as the code for signing on the CA still disallows the remote use of DNS alt names:

<pre>
$ puppet certificate sign somenode.lan --ca-location remote --allow-dns-alt-names
err: Error 400 on SERVER: CSR 'somenode.lan' contains subject alternative names (DNS:puppet, DNS:puppet.lan, DNS:somenode.lan), which are disallowed. Use `puppet cert --allow-dns-alt-names sign somenode.lan` to sign this request.
err: Try 'puppet help certificate sign' for usage
</pre>

Fixing the local face code is probably as trivial as removing the check for allow_dns_alt_names; fixing the code on the CA would probably involve some config item to be added to explicitly allow for this use. The code on the CA is in `lib/puppet/ssl/certificate_authority.rb (line 318-320)`:

<pre>
unless allow_dns_alt_names
  raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
end
</pre>

Would this feature be useful, or is my use case just too exotic?

P.S. On a side note, the latest Puppet release (2.7.12) has a bug (issue #12191) that makes any remote cert signing impossible. It is fixed in master in this [commit](https://github.com/puppetlabs/puppet/commit/a09c3f05199ecbc05121e93b34e9f7174009de2b).
I have been working with dpittman to get it backported to the 2.7.x branch.
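As an added example (not Puppet's own code; written here to illustrate the CA-side check the issue quotes): a self-contained Ruby script that builds a CSR carrying DNS subject alternative names with the standard `openssl` library, extracts the `subjectAltName` entries from the CSR's `extensionRequest` attribute, and applies the same allow-or-reject decision the CA makes before signing. The function names, the `CertificateSigningError` class and the sample hostnames are assumptions constructed for this example, not Puppet's.

```ruby
require 'openssl'

# Raised when a CSR carries alt names and the CA policy does not permit them
# (hypothetical class, named after the error the issue quotes).
class CertificateSigningError < StandardError; end

# Build a CSR for +cn+ with optional DNS alt names (constructed sample input,
# signed with a throwaway RSA key generated on the fly).
def build_csr_with_alt_names(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    ef  = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName',
                              alt_names.map { |n| "DNS:#{n}" }.join(','), false)
    # PKCS#10 carries requested extensions as an extReq attribute whose value is
    # a SET containing one SEQUENCE of Extension structures.
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Return the subjectAltName entries ("DNS:host", ...) requested in the CSR,
# or an empty array when no extension request is present.
def csr_alt_names(csr)
  names = []
  csr.attributes.each do |attr|
    next unless attr.oid == 'extReq'
    attr.value.value.each do |ext_seq|        # SET -> each SEQUENCE of extensions
      ext_seq.value.each do |ext_asn1|        # SEQUENCE -> each Extension
        ext = OpenSSL::X509::Extension.new(ext_asn1.to_der)
        next unless ext.oid == 'subjectAltName'
        ext.value.split(',').each { |v| names << v.strip }
      end
    end
  end
  names
end

# The CA-side policy: a CSR with alt names is only signable when the operator
# has explicitly allowed them. Returns true when signing may proceed.
def check_alt_names!(csr, allow_dns_alt_names)
  alt = csr_alt_names(csr)
  return true if alt.empty? || allow_dns_alt_names
  raise CertificateSigningError,
        "CSR '#{csr.subject}' contains subject alternative names " \
        "(#{alt.join(', ')}), which are disallowed."
end

if __FILE__ == $PROGRAM_NAME
  csr = build_csr_with_alt_names('somenode.lan', %w[puppet puppet.lan])
  puts "requested alt names: #{csr_alt_names(csr).inspect}"
  begin
    check_alt_names!(csr, false)
  rescue CertificateSigningError => e
    puts "rejected: #{e.message}"
  end
  puts "allowed: #{check_alt_names!(csr, true)}"
end
```

The decision lives on the CA, which is why loosening the check in the local face alone left the `Error 400 on SERVER` in place: whatever flag or setting ends up permitting alt names has to be honoured by the signer, not just by the client issuing the request.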
