Issue #3770 has been updated by Jeff McCune. Status changed from Accepted to Duplicate
# Closing #

I'm closing this particular ticket because I've been reviewing all of the tickets related to the [Multiple Certificate Authorities](http://projects.puppetlabs.com/projects/puppet/wiki/Multiple_Certificate_Authorities) wiki document I originally wrote, and I've come to the conclusion these aren't really bugs because Puppet has never supported CA chaining and multiple authorities. In the situations where it has worked, it's always been by working around the overloaded nature of the `localcacert` option and working around the behavior of certificate revocation checking.

Closing this ticket does not imply we don't consider this a serious issue or we won't fix this problem. On the contrary, please take it to mean we consider it important enough to fix properly by adding official support for CA chaining and multiple CAs. In order to do this right we're going to need to introduce new settings into Puppet. My hope is that these new settings can all default to the existing localcacert setting for the simple case of a single self-signed CA.

If you have new information or would like to help us prioritize the feature, please update ticket #15404 with your impact data and use cases for multiple CAs and certificate chaining.

Thanks,
-Jeff McCune

----------------------------------------
Bug #3770: Puppet SSL verification is broken with multiple chained certificates
https://projects.puppetlabs.com/issues/3770#change-66510

Author: Ohad Levy
Status: Duplicate
Priority: Normal
Assignee:
Category: SSL
Target version: 3.x
Affected Puppet version:
Keywords:
Branch:

Hi,

it seems that 0.25.x SSL is broken when using a chained CA. I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not. It doesn't seem to be related to the SSL initialization itself, rather to something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

# First attempt: let Puppet's own HTTP pool build the SSL connection.
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# Second attempt: plain Net::HTTP using the same host key, host cert and
# localcacert bundle read from puppet.conf.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config

http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]
puts http.get url, header
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
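Added example, not part of the ticket and not Puppet's own code: a self-contained Ruby script that builds a throwaway root CA -> intermediate CA -> host certificate chain in memory and runs OpenSSL's chain verification three ways. It shows what a verifier needs before a leaf signed by an intermediate passes: either the peer presents the intermediate alongside its own certificate, or the intermediate sits in the trust bundle next to the root, which is exactly what happens when a concatenated PEM file is handed to Net::HTTP#ca_file= as in the report above. All subjects, keys and the temporary bundle file are constructed for the example.

```ruby
require 'openssl'
require 'tempfile'

# Constructed three-level PKI (root CA -> intermediate CA -> host cert), built
# in memory so the example runs offline. None of these are Puppet's CA files.
def build_cert(subject, key, issuer_cert, issuer_key, serial, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_pki
  root_key  = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  host_key  = OpenSSL::PKey::RSA.new(2048)
  root  = build_cert('/CN=Example Root CA', root_key, nil, nil, 1, true)
  inter = build_cert('/CN=Example Intermediate CA', inter_key, root, root_key, 2, true)
  host  = build_cert('/CN=puppet.example.test', host_key, inter, inter_key, 3, false)
  { root: root, inter: inter, host: host }
end

# Verify `leaf` against a store of trusted CA certs, optionally supplying
# extra untrusted certs (what a TLS server sends alongside its own cert).
# Returns [ok, error_string]; error_string is nil on success.
def verify_leaf(leaf, trusted, untrusted = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Same check, but loading the trust anchors from a PEM bundle file the way
# Net::HTTP#ca_file= does: every certificate in the file becomes trusted,
# so a root+intermediate bundle makes the intermediate an anchor too.
def verify_leaf_with_bundle(leaf, bundle_certs)
  Tempfile.create(['ca_bundle', '.pem']) do |f|
    f.write(bundle_certs.map(&:to_pem).join)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    ok = store.verify(leaf)
    [ok, ok ? nil : store.error_string]
  end
end

# The three situations a chained deployment runs into.
def run_cases
  pki = build_pki
  {
    'root trusted, intermediate not presented'   => verify_leaf(pki[:host], [pki[:root]]),
    'root trusted, intermediate presented by peer' => verify_leaf(pki[:host], [pki[:root]], [pki[:inter]]),
    'PEM bundle with root + intermediate'         => verify_leaf_with_bundle(pki[:host], [pki[:root], pki[:inter]]),
  }
end

if __FILE__ == $0
  run_cases.each do |name, (ok, err)|
    puts "#{name}: #{ok ? 'OK' : "FAILED (#{err})"}"
  end
end
```

The first case is the one that bites: with only the root as an anchor and nothing filling the gap, OpenSSL stops at the host certificate with "unable to get local issuer certificate". The other two succeed for different reasons, and conflating them is the overloading Jeff describes: a bundle file turns the intermediate into a trust anchor, which is a stronger statement than merely allowing it to be used for path building.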
