On Mon, 20 Jun 2016, John Gelnaw wrote:


> Many thanks for the re-signing of the CA idea.
>
> I can report that it worked for me, although I had to run the webrick version
> of puppetmaster to regenerate the puppet master's certificate.

Okay -- so, I discovered a few things that I should share, and that others should perhaps heed as well.

Take your old certificate, and plug it in here:

https://redkestrel.co.uk/products/decoder/ (Super helpful tool!)

And then try your old cert.  You'll notice some differences.

There's a few things that you should do if you're following my previous instructions.

Additional Certificate Fields
=============================

When you sign a certificate, there can be extra fields in the certificate, beyond the basic "here's a key, signed by another key".

There's at least a couple fields that we didn't add -- some may matter in the future, some may not.

For example, there's a comment field (puppet probably will never care about this), as well as some special attributes that say CA: True. (Puppet may in the future care about this -- a proper root ca cert will have this field set).

There's also a few hashes, a "subject key identifier" and an "authority key identifier".

Finally, there's some certificate purpose fields present that list what a cert may be used for. (Puppet for the moment doesn't seem to look for or check these, but if they decide to be more strict in the future, you want to at least match the puppetmaster's old behavior).

To get these in, I made use of my openssl.cnf (on FreeBSD this is in /etc/ssl), and added the following fields:

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
nsComment                       = "Ruby Generated Certificate"
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

And ran OpenSSL with the following args:

openssl x509 -req -in /tmp/ca_cert.csr -signkey /var/puppet/ssl/ca/ca_key.pem -days 3500 -out /tmp/ca_crt.pem -extfile /etc/ssl/openssl.cnf -extensions v3_ca -sha256

Better Hashtypes for your certs
===============================

The redkestrel tool will complain about an sha1 hash on your cert (as will ssllabs, and other tools -- with a commercial certificate, you'd often be eligible for a free re-issue).

I added -sha256 because openssl defaults to an sha1 signature on my platform, and this is deprecated. I did make sure my oldest clients could still validate that cert (your linuxes and other OSes should be tested as well).

It's possible (but unlikely) that a future update to OpenSSL or puppet could cause it to no longer like sha1 signed hashes -- similar to the way chrome and other browsers are choosing to no longer honor them.

I don't know if puppet currently uses a better algo in current versions.

Note that there's openssl docbugs listed for the fact that -sha256 isn't listed in the usage messages, but please do feel free to google -- I wouldn't expect you to randomly trust running undocumented openssl commands from a stranger on the net. :)

Inventory.txt
=============

Finally, take note of the fact that your new certificate doesn't show up in inventory.txt -- adding it manually might not be a bad idea, just in case, but openssl itself doesn't know how to update that file. (I'm not sure why the puppet authors didn't use the standard openssl CA format for their key list). Since 'puppet cert clean' uses that file to get the serial number to revoke, you probably want your new cert there for completeness.

Moving Forward
==============

At least for me, this is still an older key that I'm using (five years ago, the default was 1024-bit) -- so there's a plan to replace it, gradually, with a new one with modern expectations (4096-bit, most likely). What we've done here is simply made sure that our old key doesn't expire out from under us while we're rolling this stuff out.

There's still a bunch of questions and problems I've got with this process, but I do hope my previous statements and the above are helpful.

-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
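
The checks discussed in the message above, as an added example that is not part of the original post: it confirms that a re-signed CA certificate keeps the old public key, carries a non-SHA-1 signature and the CA flag, and still validates a certificate issued before the re-sign. The function names, file names and throwaway demo PKI are constructed for illustration, and the CSR is created with `openssl req -new` as an assumption, because the earlier instructions are not on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Every name and path below is
# constructed for the demo; nothing touches /var/puppet/ssl.

make_demo_pki() {   # $1 = empty scratch directory
    d=$1
    # Constructed "old" CA plus one agent cert issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca_key.pem" \
        -subj "/CN=Demo Puppet CA" -days 1 -out "$d/ca_old.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/agent_key.pem" \
        -subj "/CN=agent.example.test" -out "$d/agent.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/agent.csr" -CA "$d/ca_old.pem" \
        -CAkey "$d/ca_key.pem" -set_serial 2 -days 1 \
        -out "$d/agent.pem" 2>/dev/null &&
    # The v3_ca section from the post, kept in a private file.
    printf '%s\n' '[ v3_ca ]' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid:always,issuer' \
        'nsComment = "Ruby Generated Certificate"' \
        'basicConstraints = critical,CA:true' \
        'keyUsage = cRLSign, keyCertSign' > "$d/ext.cnf" &&
    # Re-sign with the same key and subject, as in the post's command.
    openssl req -new -key "$d/ca_key.pem" -subj "/CN=Demo Puppet CA" \
        -out "$d/ca_cert.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ca_cert.csr" -signkey "$d/ca_key.pem" \
        -days 3500 -out "$d/ca_new.pem" -extfile "$d/ext.cnf" \
        -extensions v3_ca -sha256 2>/dev/null
}

sig_alg() {         # print the signature algorithm of cert $1
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

check_resigned_ca() {   # $1 old CA cert, $2 new CA cert, $3 cert issued by old CA
    old=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    new=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$old" ] && [ "$old" = "$new" ] || { echo "public key differs"; return 1; }
    case $(sig_alg "$2") in sha1*) echo "sha1 signature"; return 1 ;; esac
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints CA flag missing"; return 1; }
    # Certificates issued before the re-sign must still chain to the new cert.
    openssl verify -CAfile "$2" "$3" >/dev/null 2>&1 ||
        { echo "previously issued cert no longer verifies"; return 1; }
    echo ok
}
```

On a real master, `check_resigned_ca` would be pointed at a saved copy of the old CA certificate, the re-signed one, and any agent certificate signed before the change.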
