Jira (PUP-7985) `puppet cert generate` uses the wrong CA certificate

2018-07-23 Thread Maggie Dreyer (JIRA)
Maggie Dreyer commented on PUP-7985
Re: `puppet cert generate` uses the wrong CA certificate
We are replacing the `puppet cert` subcommand with a version under the `puppetserver ca` CLI; this will automatically be fixed as part of that switchover.
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-7985) `puppet cert generate` uses the wrong CA certificate

2017-09-28 Thread Craig Gomes (JIRA)
Craig Gomes updated an issue
Puppet / PUP-7985
`puppet cert generate` uses the wrong CA certificate

Change By: Craig Gomes
Team: Platform Core


Jira (PUP-7985) `puppet cert generate` uses the wrong CA certificate

2017-09-25 Thread Adrien Thebo (JIRA)
Adrien Thebo updated an issue
Puppet / PUP-7985
`puppet cert generate` uses the wrong CA certificate

Change By: Adrien Thebo

When `puppet cert generate` is invoked, it configures itself as a ["local" CA|https://github.com/puppetlabs/puppet/blob/5.2.0/lib/puppet/application/cert.rb#L288-L292]. This [configures the indirector|https://github.com/puppetlabs/puppet/blob/5.2.0/lib/puppet/ssl/host.rb#L93-L95] for SSL files to use the CA locations, but caches files in the agent location. The intent of this is unclear, but it looks like this is done in order to [cache generated files|https://projects.puppetlabs.com/issues/3961] in a location that the Puppet agent will read.

This becomes a problem if the contents of `cacert` do not match the contents of `localcacert`. In an environment where intermediate CA certificates are in use, `cacert` needs to contain the intermediate CA certificate (since it contains information used during signing certificates) while `localcacert` needs to contain the root certificate (because the Puppet agent needs the root certificate in order to validate the server SSL certificate chain).

If this case occurs when Puppet has configured itself to use the CA file termini but uses the normal SSL file termini as a cache, then, because the cached files are consulted first, Puppet will ignore the `cacert` location and read the `localcacert` file. Because Puppet is reading the `cakey` file for signing certificates but the `localcacert` for certificate information, [validating the key against the certificate will fail|https://github.com/puppetlabs/puppet/blob/5.2.0/lib/puppet/ssl/host.rb#L209].

To add to the fun, when this circumstance appears, Puppet is hardcoded to indicate that the [agent private key and certificate don't match|https://github.com/puppetlabs/puppet/blob/5.2.0/lib/puppet/ssl/host.rb#L213], and debugging this is effectively impossible without injecting pry invocations through the source code.

Jira (PUP-7985) `puppet cert generate` uses the wrong CA certificate

2017-09-22 Thread Adrien Thebo (JIRA)
Adrien Thebo created an issue
Puppet / PUP-7985
`puppet cert generate` uses the wrong CA certificate

Issue Type: Bug
Assignee: Unassigned
Created: 2017/09/22 4:28 PM
Priority: Normal
Reporter: Adrien Thebo

When `puppet cert generate` is invoked, it configures itself as a "local" CA. This configures the indirector for SSL files to use the CA locations, but caches files in the agent location. The intent of this is unclear, but it looks like this is done in order to cache generated files in a location that the Puppet agent will read.

This becomes a problem if the contents of `cacert` do not match the contents of `localcacert`. In an environment where intermediate CA certificates are in use, `cacert` needs to contain the intermediate CA certificate (since it contains information used during signing certificates) while `localcacert` needs to contain the root certificate (because the Puppet agent needs the root certificate in order to validate the server SSL certificate chain).

If this case occurs when Puppet has configured itself to use the CA file termini but uses the normal SSL file termini as a cache, then, because the cached files are consulted first, Puppet will ignore the `cacert` location and read the `localcacert` file. Because Puppet is reading the `cakey` file for signing certificates but the `localcacert` for certificate information, validating the key against the certificate will fail.

To add to the fun, when this circumstance appears, Puppet is hardcoded to indicate that the agent private key and certificate don't match, and debugging this is effectively impossible without injecting pry invocations through the source code.
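The failure mode described in this report can be reproduced in isolation with plain Ruby OpenSSL. The following is an added example written for this thread, not Puppet's own code: it constructs a root CA and an intermediate CA (standing in for `localcacert` and `cacert`), keeps the intermediate's private key as the stand-in for `cakey`, and then runs the same kind of key-against-certificate consistency check that Puppet performs before signing. Pairing the intermediate key with the intermediate certificate passes; pairing it with the root certificate (what the agent-location cache hands back) fails, which is the mismatch the issue describes. It also shows why the two files legitimately differ: an agent trusting only the root still verifies a leaf signed by the intermediate, as long as the intermediate is supplied as the chain. The subject names and the `build_pki` / `ca_key_matches_cert?` helper names are constructed for this example.

```ruby
require 'openssl'

# Constructed key pairs for the example (2048-bit RSA to keep generation quick).
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build an X.509 certificate. With no issuer given, the certificate is self-signed
# with its own key (a root CA); otherwise it is signed by issuer_key.
def make_cert(subject:, key:, ca:, serial:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment',
                                         true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Models the three files named in the report (constructed PKI, hypothetical names):
#   cakey       - the intermediate CA's private key, used for signing
#   cacert      - the intermediate CA certificate that belongs to cakey
#   localcacert - the root certificate the agent trusts for chain validation
def build_pki
  root_key = make_key
  root_cert = make_cert(subject: '/CN=Constructed Root CA', key: root_key, ca: true, serial: 1)
  int_key = make_key
  int_cert = make_cert(subject: '/CN=Constructed Intermediate CA', key: int_key, ca: true,
                       serial: 2, issuer_cert: root_cert, issuer_key: root_key)
  { cakey: int_key, cacert: int_cert, localcacert: root_cert }
end

# The pre-signing sanity check: does this private key belong to this certificate?
# Reading the root cert where the intermediate cert was expected makes this false.
def ca_key_matches_cert?(key, cert)
  cert.check_private_key(key)
end

# Sign an end-entity certificate with the intermediate CA (cakey + cacert).
def sign_leaf(pki, subject)
  make_cert(subject: subject, key: make_key, ca: false, serial: 3,
            issuer_cert: pki[:cacert], issuer_key: pki[:cakey])
end

# Agent-side view: a store that trusts only the root (localcacert) verifies a leaf
# signed by the intermediate when the intermediate (cacert) is supplied as the chain.
def leaf_verifies_against_root?(pki, leaf_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:localcacert])
  store.verify(leaf_cert, [pki[:cacert]])
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  puts "cakey matches cacert:      #{ca_key_matches_cert?(pki[:cakey], pki[:cacert])}"
  puts "cakey matches localcacert: #{ca_key_matches_cert?(pki[:cakey], pki[:localcacert])}"
  leaf = sign_leaf(pki, '/CN=agent01.example.test')
  puts "leaf verifies via root:    #{leaf_verifies_against_root?(pki, leaf)}"
end
```

Running the script prints `true`, `false`, `true`: the signing key and the intermediate certificate agree, the signing key and the root certificate do not, and the agent's root-only trust store still validates the resulting leaf. An operator who suspects this bug can run the same `check_private_key` comparison against the actual `cakey` and whichever CA file the tool ended up loading, which gives a direct answer instead of the misleading "agent private key and certificate don't match" message noted in the report.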