Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Jeffrey Clark commented on PUP-8942
    puppet cert sign --allow-dns-alt-names XXX.XX.com
Relevant config on the agent:
    [main]
    dns_alt_names=DNS:XXX.XX.com,YYY.YY.com,IP:1.2.3.4
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer commented on PUP-8942
I'll take a look at this, thanks for reporting it! What command were you using to sign the CSR from the command line?
-- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Jeffrey Clark commented on PUP-8942
A quick monkey patch, and IP sans signing works.
    require 'puppet/ssl/certificate_factory'
    require 'puppet/ssl/certificate_authority'

    # PUP-8942 doesn't work, so make it work
    module Puppet::SSL::CertificateAuthorityExtensions
      def check_internal_signing_policies(hostname, csr, options = {})
        begin
          return super
        rescue Puppet::SSL::CertificateAuthority::CertificateSigningError => msg
          # Swallow only the "outside the DNS label space" rejection
          if msg.to_s.include?('contains a subjectAltName outside the DNS label space')
            return true
          end
          raise
        end
      end
    end
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Jeffrey Clark commented on PUP-8942
While it will generate a certificate request, it's currently impossible to sign it with puppet ca.
    Error: CSR 'XX.com' contains a subjectAltName outside the DNS label space: DNS:XX.com, DNS:XXX.XX.com, IP Address:1.2.3.4. To continue, this CSR needs to be cleaned.
Based on the description/title, this task is not complete. Is there a follow-up?
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
PLJenkins updated an issue: Puppet / PUP-8942
Change By: PLJenkins
Fix Version/s: PUP 5.5.4
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
PLJenkins updated an issue: Puppet / PUP-8942
Change By: PLJenkins
Fix Version/s: PUP 5.5.3
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer commented on PUP-8942
Going to resolve this since we ended up merging a more minimal changeset that just enables specifying IP alt names without changing the names of any of the commands or settings. If we still want to do that at some point in the future (possibly when we do the work to remove CA-related faces, see PUP-8998 et al.), we should file separate tickets for it.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer updated an issue: Puppet / PUP-8942
Change By: Maggie Dreyer
Fix Version/s: PUP 5.5.z
Fix Version/s: PUP 5.5.4
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
Fix Version/s: PUP 5.5.z
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte commented on PUP-8942
This has passed CI.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte commented on PUP-8942
The first two are correct, although there should be a space rather than an equals sign after --dns_alt_names. I'm not sure about the cert list -a output, so I'll look into that and get back to you.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
QA Risk Assessment: No Action
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
Fix Version/s: PUP 5.5.z
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
Fix Version/s: PUP 5.5.z
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
Comment: I think it should be
    puppet cert generate --dns-alt-names DNS:alt1.example.com,alt2.example.com,IP:203.0.113.1
without the equals sign. The puppet cert list -a output looks like
    + "localhost" (altnames: "DNS:alt1.example.com", "DNS:alt2.example.com", "IP Address:203.0.113.1")
I think, although I'll look into that to confirm.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte commented on PUP-8942
I think it should be
    puppet cert generate --dns-alt-names DNS:alt1.example.com,alt2.example.com,IP:203.0.113.1
without the equals sign. The rest looks good to me.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Garrett Guillotte commented on PUP-8942
Is this an accurate example for docs, based on the unit test contents?
To configure alternative names, add this configuration setting to your certificate authority (CA) server's puppet.conf for certificate requests:
    :dns_alt_names => 'DNS:alt1.example.com, alt2.example.com, IP: 203.0.113.1'
and run this command from your CA server's command line when generating certificates:
    puppet cert generate --dns-alt-names=DNS:alt1.example.com,alt2.example.com,IP:203.0.113.1
You can confirm the configured alternative names by running puppet cert list -a from your CA server:
    (alt names: ["DNS:alt1.example.com", "DNS:alt2.example.com", "IP Address:203.0.113.1"])
I'm least certain about the puppet cert list -a output.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer updated an issue: Puppet / PUP-8942
Change By: Maggie Dreyer
Release Notes Summary: Users can now use IP addresses for the dns-alt-names options and settings. DNS subject alternative names should be prefixed with "DNS:" while IP names should be prefixed with "IP:".
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte updated an issue: Puppet / PUP-8942
Change By: Amy Lazarte
Release Notes Summary: Users can now use IP addresses for dns-alt-names.
Release Notes: New Feature
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer commented on PUP-8942
We're going to hold off renaming the flag for this ticket, since it wound up being more complicated than anticipated. Filed https://tickets.puppetlabs.com/browse/PUP-8965 with the details on that.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer updated an issue: Puppet / PUP-8942
Change By: Maggie Dreyer
Puppet Server currently supports and signs CSRs with a DNS SAN, but 'puppet generate' doesn't have an option to generate with an IP SAN, and Puppet Server has no flag to accept that. IP SANs are needed for a growing number of tools written in Golang, including Hashicorp's Vault.
- subject altnames must be configured via the CLI. security issues otherwise
- {{puppet cert generate}} command.
- this is not faced based, so we are probably cool updating and retaining this subcommand.
- multiple dns based altnames should still be supported, comma separated alias
*Out of scope*
We should file a separate ticket for changing the old name of the flag to point to {{subject_alt_names}}, since this will need some more careful consideration of the new flag (so the old way still works) interactions between, flags, settings, faces, and applications.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer updated an issue: Puppet / PUP-8942
Change By: Maggie Dreyer
Sorry for the slight bit of SEO in the title, just wanted to reduce duplication.
Puppet Server currently supports and signs CSRs with a DNS SAN, but 'puppet generate' doesn't have an option to generate with an IP SAN, and Puppet Server has no flag to accept that. IP SANs are needed for a growing number of tools written in Golang, including Hashicorp's Vault.
- subject altnames must be configured via the CLI. security issues otherwise
- {{puppet cert generate}} command.
- this is not faced based, so we are probably cool updating and retaining this subcommand.
- *the puppet changes here for the subcommand will need to be in a PUP ticket*
- multiple dns based altnames should still be supported, comma separated
- alias the old flag to point to the new flag (so the old way still works)
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Garrett Guillotte commented on PUP-8942
The primary Puppet Server documentation around dns_alt_names is the Scaling Puppet Server doc. The option is mentioned along with other puppet.conf options/CLI flags in the configuration reference generated from Puppet (not Server) code, and in a few puppet.conf examples. It's also mentioned in a few other places in docs outside of Server, particularly:
- Upgrading to Puppet Server and DB from Puppet 3.8
- Configuring Puppet Server as an intermediate CA
- Important puppet.conf settings
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Garrett Guillotte updated an issue: Puppet / PUP-8942
Change By: Garrett Guillotte
Component/s: DOCS
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte commented on PUP-8942
As it turns out, we need to input a string into the Ruby bindings for OpenSSL, and that string expects a colon separator. However, it appears to still work with IPv6 with that colon separator. For that reason, I'm thinking we should probably not change to using = as a separator.
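The colon-tagged alt-name string discussed in this thread, worked through as an added example that is not part of any message here and is not Puppet's code: it passes a "DNS:"/"IP:" string to Ruby's OpenSSL bindings (IPv6 included), decodes the resulting extension, and lists names that an operator did not approve before signing. The helper names and the sample values are assumptions made for illustration.

```ruby
require 'openssl'
require 'ipaddr'

# Hypothetical helper: turn a dns_alt_names style string into typed entries.
# Untagged names default to DNS (the old, untagged format).
def normalize_alt_names(setting)
  setting.split(',').map(&:strip).reject(&:empty?).map do |entry|
    type, value = entry.split(':', 2)   # split once, so IPv6 colons survive
    next "DNS:#{type}" if value.nil?
    value = value.strip
    case type.strip.upcase
    when 'DNS' then "DNS:#{value}"
    when 'IP'
      raise ArgumentError, "prefix not allowed in #{entry.inspect}" if value.include?('/')
      "IP:#{IPAddr.new(value)}"         # raises on a malformed address
    else
      raise ArgumentError, "unsupported alt name type in #{entry.inspect}"
    end
  end
end

# Build a subjectAltName extension from the colon-tagged string.
def san_extension(setting)
  OpenSSL::X509::ExtensionFactory.new.create_extension(
    'subjectAltName', normalize_alt_names(setting).join(','), false
  )
end

# Decode the extension's DER into [type, value] pairs.
# GeneralName context tags: 2 = dNSName, 7 = iPAddress (4 or 16 raw bytes).
def decode_san(ext)
  octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(octets).value.map do |gn|
    case gn.tag
    when 2 then [:dns, gn.value.dup.force_encoding('UTF-8')]
    when 7 then [:ip, IPAddr.new_ntoh(gn.value.b).to_s]
    else [:other, gn.tag]
    end
  end
end

# Names present in the requested extension but absent from the approved list.
def unapproved_sans(ext, approved_setting)
  decode_san(ext) - decode_san(san_extension(approved_setting))
end

# Constructed sample values (documentation ranges), same shape as the thread's.
REQUESTED = 'DNS:alt1.example.com,alt2.example.com,IP:203.0.113.1'
APPROVED  = 'alt1.example.com,alt2.example.com'

if $PROGRAM_NAME == __FILE__
  ext = san_extension(REQUESTED)
  puts ext.value
  p decode_san(san_extension('IP:2001:db8::1'))
  p unapproved_sans(ext, APPROVED)
end
```
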
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Eric Sorenson commented on PUP-8942
Maggie Dreyer that'd be my preference, yes - otherwise it's a hard break for existing tooling
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer commented on PUP-8942
Do we need to maintain support for the old, untagged format (i.e. if a string comes in with no types, it defaults to DNS)?
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Amy Lazarte assigned an issue to Amy Lazarte: Puppet / PUP-8942
Change By: Amy Lazarte
Assignee: Amy Lazarte
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Maggie Dreyer moved an issue: Puppet / PUP-8942
Change By: Maggie Dreyer
Component/s: Certificate Authority
Key: SERVER PUP - 1596 8942
Project: Puppet Server