Issue #21257 has been updated by Charlie Sharpsteen.

Tracker changed from Bug to Feature
Subject changed from Puppet 3.1.0 certificate_signer.rb not applying digest parameter correctly to Add a configuration option for the digest algorithm used by the CA to sign certificates
Description updated
Category set to SSL
Status changed from Unreviewed to Needs Decision
Assignee set to eric sorenson
Keywords set to certificate_authority digest
SHA256 is used by the Puppet 3.x certificate authority to sign generated certificates. This means that in order to communicate with a Puppet master running 3.x, you will need to be using OpenSSL 0.9.8o or newer. A possible workaround introduced in 3.2.1 is the ability to [run an external certificate authority](http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html).

The documentation concerning the `--digest` option needs to be clarified. The issue is that there are at least two places where digest algorithm choice comes into play: fingerprinting existing certificates and signing generated certificates. The `--digest` option to `puppet agent` and `puppet cert` _only affects fingerprinting existing certs_.

Given that there is no user-facing method to control the digest algorithm used to sign generated certificates, I'm re-classifying this as a feature request.

----------------------------------------
Feature #21257: Add a configuration option for the digest algorithm used by the CA to sign certificates
https://projects.puppetlabs.com/issues/21257#change-93118

* Author: James Perry
* Status: Needs Decision
* Priority: Normal
* Assignee: eric sorenson
* Category: SSL
* Target version:
* Affected Puppet version:
* Keywords: certificate_authority digest
* Branch:
----------------------------------------

When working on ancient HPUX boxes where we are trying to install puppet, I found the bug 17295 (http://projects.puppetlabs.com/issues/17295) where it described the exact problem. I have 3.1.0 running on a SUSE 11 SP2 box and so I tried to do the "puppet cert generate --digest SHA1 host.com" but it still generated a SHA256. Next I followed a suggestion in another thread that said to flip the SHA1 and SHA256 sections. I regenerated the certificate and it worked to give an SHA1, but when I ran with --digest SHA256, I still got SHA1 certificates. As another test, I ran it with --digest doggy and expected an error but still got an SHA1 certificate.
I do not even consider myself a Ruby programmer yet, but it seems that no matter what is passed to the "OpenSSL::Digest.const_defined?('SHA256')" or "OpenSSL::Digest.const_defined?('SHA1')" it always appears to assume true, so it does not really seem to be checking the value provided.

<pre>
OS: SUSE 11 SP2 (Kernel 3.0.13-0.27-default)
Ruby: ruby 1.8.7 (2011-12-28 patchlevel 357) [x86_64-linux]
Puppet: 3.1.0
Facter: 1.6.17
</pre>

Please let me know what additional troubleshooting I can provide or output to aid troubleshooting. My version of certificate_signer.rb (modified to make HPUX 11.11 client work on ssl 0.9.7) has SHA1 first in the if block.

Here is the verbose output when generating a new key:

<pre>
puppet cert generate --digest SHA256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 69:C6:EE:E2:7F:99:A5:D5:91:F2:53:30:36:29:A2:31:39:C6:E6:DF
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'
</pre>

And another with --digest sha256 just in case it is a case issue.
<pre>
puppet cert generate --digest sha256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 54:97:6A:17:18:F2:6E:D7:53:FF:39:23:B9:91:37:89:F1:64:85:4E
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'
</pre>

And just to illustrate that the behavior is not specific to the method, I used --digest doggy_barks_a_lot. This should invoke Puppet::Error --> "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest", but does not.

<pre>
puppet cert generate --digest doggy_barks_a_lot test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 7F:4F:9E:D8:82:86:92:6B:A0:78:EA:3C:7B:35:3F:79:19:34:8D:85
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'
</pre>

** Due to age of servers and inability to patch OpenSSL on these boxes, the SHA1 certificates are needed but everywhere else the SHA256 works fine.
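The update above separates two places a digest name matters: the fingerprint printed for an existing certificate or request, and the algorithm the CA signs a new certificate with. The Ruby below is an added example written for this page, not Puppet's certificate_signer.rb, and uses only Ruby's OpenSSL standard library. The helper names (build_ca, build_csr, sign_csr, fingerprint, digest_supported?, signature_algorithm), the throwaway CA, and the test.com request are constructed for illustration. It shows the check a practitioner actually wants here: read the signatureAlgorithm field of the issued certificate rather than the fingerprint line, since the fingerprint digest is independent of the signing digest. It also shows why OpenSSL::Digest.const_defined? cannot validate a user-supplied name: it only reports whether this OpenSSL build ships that algorithm, whereas OpenSSL::Digest.new raises for a name the library does not know.

```ruby
require 'openssl'

ONE_YEAR = 365 * 24 * 60 * 60

# Throwaway self-signed CA for the example (constructed data, not a real CA).
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# A certificate request such as an agent would submit (constructed data).
def build_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# const_defined? answers "does this OpenSSL build have a class by that name";
# it is not a validation of what the caller typed. Ancestors' constants count
# too, so a stray name like 'String' would also report true.
def digest_supported?(name)
  OpenSSL::Digest.const_defined?(name.upcase)
end

# Sign a request with the digest the caller asks for. OpenSSL::Digest.new
# raises RuntimeError for a name OpenSSL does not know, which is the kind of
# error the reporter expected from --digest doggy.
def sign_csr(ca_key, ca_cert, csr, digest_name)
  digest = OpenSSL::Digest.new(digest_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + ONE_YEAR
  cert.sign(ca_key, digest)
  cert
end

# Fingerprinting: a hash over the DER bytes, chosen by the viewer and
# independent of the digest inside the signature. This is what --digest
# selects, so it says nothing about how the certificate was signed.
def fingerprint(cert, digest_name)
  OpenSSL::Digest.new(digest_name).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# The signing digest is recorded in the certificate's signatureAlgorithm
# field; this is the field to inspect when checking what the CA used
# (openssl x509 -noout -text shows the same value).
def signature_algorithm(cert)
  cert.signature_algorithm
end

if __FILE__ == $0
  ca_key, ca_cert = build_ca
  csr = build_csr('test.com')
  %w[SHA1 SHA256].each do |name|
    cert = sign_csr(ca_key, ca_cert, csr, name)
    puts "requested #{name}: signed with #{signature_algorithm(cert)}"
    puts "  SHA1 fingerprint   #{fingerprint(cert, 'SHA1')}"
    puts "  SHA256 fingerprint #{fingerprint(cert, 'SHA256')}"
  end
  puts "const_defined?('DOGGY_BARKS_A_LOT') => #{digest_supported?('doggy_barks_a_lot')}"
  begin
    sign_csr(ca_key, ca_cert, csr, 'doggy_barks_a_lot')
  rescue RuntimeError => e
    puts "signing with an unknown digest raises: #{e.message}"
  end
end
```

Running it prints sha1WithRSAEncryption for the SHA1 request and sha256WithRSAEncryption for the SHA256 one, while the fingerprint lines for the same certificate change only with the fingerprint digest you ask for. On OpenSSL builds whose crypto policy forbids SHA-1 signatures, the SHA1 case raises OpenSSL::X509::CertificateError instead of producing a certificate.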
