Issue #21257 has been reported by James Perry.

----------------------------------------
Bug #21257: Puppet 3.1.0 certificate_signer.rb not applying digest parameter correctly
https://projects.puppetlabs.com/issues/21257
* Author: James Perry
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------

When working on ancient HPUX boxes where we are trying to install puppet, I found bug 17295 (http://projects.puppetlabs.com/issues/17295), which described the exact problem. I have 3.1.0 running on a SUSE 11 SP2 box, so I tried to do "puppet cert generate --digest SHA1 host.com", but it still generated a SHA256. Next I followed a suggestion in another thread that said to flip the SHA1 and SHA256 sections. I regenerated the certificate and it worked to give an SHA1, but when I ran with --digest SHA256, I still got SHA1 certificates. As another test, I ran it with --digest doggy and expected an error, but still got an SHA1 certificate.

I do not even consider myself a Ruby programmer yet, but it seems that no matter what is passed to "OpenSSL::Digest.const_defined?('SHA256')" or "OpenSSL::Digest.const_defined?('SHA1')", it always appears to assume true, so it does not really seem to be checking the value provided.

OS: SUSE 11 SP2 (Kernel 3.0.13-0.27-default)
Ruby: ruby 1.8.7 (2011-12-28 patchlevel 357) [x86_64-linux]
Puppet: 3.1.0
Facter: 1.6.17

Please let me know what additional troubleshooting I can provide or output to aid troubleshooting. My version of certificate_signer.rb (modified to make HPUX 11.11 client work on ssl 0.9.7) has SHA1 first in the if block.
Here is the verbose output when generating a new key:

puppet cert generate --digest SHA256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 69:C6:EE:E2:7F:99:A5:D5:91:F2:53:30:36:29:A2:31:39:C6:E6:DF
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

And another with --digest sha256, just in case it is a case issue.

puppet cert generate --digest sha256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 54:97:6A:17:18:F2:6E:D7:53:FF:39:23:B9:91:37:89:F1:64:85:4E
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

And just to illustrate that the behavior is not specific to the method, I used --digest doggy_barks_a_lot. This should invoke Puppet::Error --> "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest", but does not.
puppet cert generate --digest doggy_barks_a_lot test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 7F:4F:9E:D8:82:86:92:6B:A0:78:EA:3C:7B:35:3F:79:19:34:8D:85
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

** Due to the age of the servers and the inability to patch OpenSSL on these boxes, the SHA1 certificates are needed, but everywhere else SHA256 works fine.
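The report above describes a digest option that is never really consulted: SHA256, sha256 and an invented name all produce the same result. The following is an added example, not Puppet's certificate_signer.rb and not the reporter's modified copy. It shows how a --digest style parameter should be honoured: the requested name is normalised, checked against a fixed allow-list (SHA256 and SHA1, the two names the report mentions; that list is an assumption) and then against what OpenSSL::Digest actually defines, and an unknown name raises instead of silently falling back to SHA1. A CSR for the constructed subject test.com is then signed with the selected digest, and the CSR's own signature algorithm is read back so the choice can be verified rather than trusted.

```ruby
require 'openssl'

# Assumption: the digests an operator may request by name. SHA256 stays the
# default; SHA1 is only used when asked for explicitly (the HPUX/OpenSSL 0.9.7
# case from the report).
ALLOWED_DIGESTS = %w[SHA256 SHA1].freeze

# Return an OpenSSL::Digest instance for the requested name, or raise.
# Matching is case-insensitive ("sha256" and "SHA256" are the same request),
# and a name that is not on the allow-list or not defined by the OpenSSL
# bindings is rejected rather than mapped to another algorithm.
def select_digest(requested = nil)
  name = (requested || 'SHA256').to_s.upcase
  unless ALLOWED_DIGESTS.include?(name) && OpenSSL::Digest.const_defined?(name)
    raise ArgumentError, "No supported digest algorithm '#{requested}' in OpenSSL::Digest"
  end
  OpenSSL::Digest.const_get(name).new
end

# Generate a key and a CSR for a constructed subject, sign it with the
# selected digest, and return the signature algorithm OpenSSL records in the
# CSR (e.g. "sha256WithRSAEncryption"). Reading it back from the signed
# object is the check the verbose output in the report never performs.
def csr_signature_algorithm(requested = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse('/CN=test.com') # constructed sample subject
  req.public_key = key.public_key
  req.sign(key, select_digest(requested))
  req.signature_algorithm
end

# True when the name is rejected, so callers can test the failure path
# without depending on the exception class.
def digest_rejected?(requested)
  select_digest(requested)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  %w[SHA256 sha1 doggy_barks_a_lot].each do |name|
    if digest_rejected?(name)
      puts "#{name}: rejected"
    else
      puts "#{name}: #{csr_signature_algorithm(name)}"
    end
  end
end
```

Running the script prints the algorithm actually embedded in each CSR, which is the quickest way to confirm whether a digest option was applied: a Puppet-issued certificate or request can be inspected the same way with openssl x509 -text or openssl req -text and the "Signature Algorithm" line.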
