Jira (PDB-108) Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

2023-06-21 Thread 'Claudia Petty (Jira)' via Puppet Bugs
Claudia Petty updated an issue

PuppetDB / PDB-108
Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

Change By: Claudia Petty
Labels: new-feature redmine

This message was sent by Atlassian Jira (v8.20.21#820021-sha1:38274c8)
-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.19385.1385040192000.2440.1687359428397%40Atlassian.JIRA.


Jira (PDB-108) Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

2014-04-23 Thread Kenneth Barber (JIRA)
Kenneth Barber updated an issue

PuppetDB / PDB-108
Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

Change By: Kenneth Barber
Story Points: 8


Jira (PDB-108) Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

2014-02-16 Thread Hans Lellelid (JIRA)
Hans Lellelid commented on an issue

Re: Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

Just wanting to add my comment from the redmine issue:

Hmmm, my code obviously needed some sort of wrapper tag or something; sorry about that.
Also, I should add that I do not know if changing the Command class is enough. I see there are other puppetdb classes that subclass Indirector::REST; obviously that parent class also uses the Puppet-configured Net::HTTP that will have cert issues. So a more general solution may be required there.
UPDATE: I can confirm what was probably obvious; the command.rb change is not enough. The non-write aspects of puppetdb fail for cert verification. I’ve attempted to override the network() method from the Puppet::Indirector::REST class, but so far not much luck. I’m sure I’ll get to the bottom of it eventually.

PuppetDB / PDB-108
Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

Jira (PDB-108) Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

2014-02-16 Thread Hans Lellelid (JIRA)
Hans Lellelid updated an issue

PuppetDB / PDB-108
Allow specification of alternate CA for puppetmaster to use to validate puppetdb server certificate

Change By: Hans Lellelid

This is from thread: https://groups.google.com/forum/#!topic/puppet-users/kkcOMpw5Rzo

Basically, we need to be able to have the puppetdb server SSL certificates signed by a CA that is *not* our puppetmaster's CA.

We need this for a couple reasons:

- We have dozens of puppetmasters with their own CAs managing their own ecosystems, but we want a single puppetdb. (So currently we could configure puppetdb to work for any one of our puppetmasters... but only one of them.)
- Puppetdb is a resource that will be used by workstations (i.e. opened in the browser). Our workstations are set to trust the CA chain that we use for websites, but not to trust the puppetmaster certs (there's no [other] place where we would expect to see puppetmaster-issued certs in the browser.)

The root of the problem appears to be the use of the Puppet::Network::HttpPool.http_instance in the Puppet::Util::Puppetdb::Command class. The Net::HTTP instance that is configured by Puppet is set to use a specific cert_store, and ca_file that will only trust servers that are signed by the Puppet[:localcacert] ca ($certdir/certs/ca.pem). Modifying the ca.pem to include additional certs does not work; I have not fully run this to ground, but it appears to be due to the fact that the cert_store is also being configured for the connection; and this is overriding (?) which certs can be trusted.

What *does* appear to work is replacing the use of the Puppet-configured http client in Command.submit with:

{code:ruby}
require 'net/http'
require 'openssl'

# Build the client directly instead of via Puppet::Network::HttpPool, so the
# Puppet-configured cert_store does not pin trust to Puppet[:localcacert].
http = Net::HTTP.new(config.server, config.port)
http.use_ssl = true
http.ca_file = config.cacert
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# (And modified Puppet::Util::Puppetdb::Config to support a new cacert config option, defaulting it to Puppet[:localcacert] for backwards compat)
{code}

That may be what we hack in until this feature is (hopefully!) officially supported.
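The trust-anchor mismatch the description identifies (PuppetDB's certificate chains to a CA other than Puppet[:localcacert], and the connection's cert_store, not ca.pem, decides what is trusted), worked through as an added Ruby example; this is not code from the issue or from PuppetDB. It constructs a throwaway PKI (two CAs and a server certificate with hypothetical names) and shows a client that keeps VERIFY_PEER while trusting the alternate CA.

```ruby
require 'openssl'
require 'net/http'

# Certificate for +cn+, self-signed when no issuer is given (constructed throwaway PKI).
def make_cert(cn, ca: false, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  if ca
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Trust store holding exactly the listed CAs: on a Net::HTTP connection the
# cert_store decides what is trusted, whatever ca.pem contains.
def trust_store(*ca_certs)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |ca| store.add_cert(ca) }
  store
end

# Verify a server cert against those CAs; returns [ok?, OpenSSL's reason string].
def check_trust(server_cert, *ca_certs)
  store = trust_store(*ca_certs)
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Client built outside Puppet::Network::HttpPool (like the Command.submit hack
# above) that keeps VERIFY_PEER but trusts the listed CAs for the PuppetDB cert.
def puppetdb_client(server, port, *ca_certs)
  http = Net::HTTP.new(server, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = trust_store(*ca_certs)
  http
end
```

A store holding only the Puppet CA rejects the web-CA-signed PuppetDB certificate with "unable to get local issuer certificate", while adding the alternate CA to the store accepts it without loosening verify_mode.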