Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Adrien Thebo commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
This ticket has the same issues that we have with using multiple CRLs, as described in this comment on PUP-3788. Right now Puppet/the Indirector assumes the certificate endpoint will return a single entry and doesn't have good support for searching for and caching multiple entries. Once we do the necessary work to implement PUP-3788 this will be simpler, but implementing this means making some nontrivial changes to the indirector or extracting the CA certificate downloading and caching logic out of the indirector.
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Story Points: 3 8
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core Hopper
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Josh Cooper commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
Charlie Sharpsteen Since the CA REST endpoint serves clients other than puppet agents, we can't assume everyone has the intermediate CA. Also the TLS RFC says this about the Server Certificate message:
    Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
So probably best to always send the intermediate CA, though we could drop the root CA from the chain.
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core 2017-09-05 Hopper
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core 2017- 08 09 - 22 05
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Charlie Sharpsteen commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
Seems like a CA bundle might also have an efficiency advantage as it creates a larger initial download, but then spares the server from having to include the intermediate certs with every connection established.
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Josh Cooper commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
AFAIK, the agent doesn't need to download a CA bundle in order to support intermediate CAs. The agent only needs to download the root CA that provides the trust anchor. It will work because SSL handshake will exchange intermediate cert(s) provided:
1. puppetserver's ssl-cert setting points to a file containing the entire server cert chain [leaf, intermediate(s), root]
2. puppetserver's ssl-ca-cert file contains the CAs that the server will trust for client auth (most likely containing the same intermediate and root certs as above).
Provided that's true, then you'll see the server send its complete chain to the agent, for example:
    # openssl s_client -connect wf7kdc7e00jzrbs.delivery.puppetlabs.net:8140 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem
    CONNECTED(0003)
    depth=2 C = US, ST = Oregon, L = Portland, O = Nepo, CN = Root CA
    verify return:1
    depth=1 C = US, ST = Oregon, L = Portland, O = Nepo, CN = Puppet CA
    verify return:1
    depth=0 CN = wf7kdc7e00jzrbs.delivery.puppetlabs.net
    verify return:1
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core Grooming 2017-08-22
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core 2017-08-22 Grooming
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Sprint: Platform Core 2017-08- 08 22
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Maggie Dreyer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Maggie Dreyer Labels: triaged
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Jeremy Barlow Sub-team: Server
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Nolan Gibb commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
Having this fixed would solve a big headache.
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow updated an issue
Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file
Change By: Jeremy Barlow
If a bundle of CA certificates is stored where the CA service's {{cacert}} setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its {{localcacert}} location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.
After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /C=US/ST=Oregon/O=Puppet/CN=intermediateca.example.org/emailAddress=intermediat...@example.org]
{noformat}
The above error would happen for the case that the master's server certificate were issued by an intermediate CA and only the intermediate CA certificate were stored to the agent's {{localcacert}} file -- not the certificate of the issuing root CA.
Effectively, then, in order for the master to use an intermediate CA certificate to issue agent certificates, one would apparently have to manually put the root + intermediate CA bundle in place at the agent's {{localcacert}} location since only one of the CA certificates from the bundle is stored to the {{localcacert}} as part of the agent run. It would seem better instead for the full CA certificate bundle to be stored to the agent's {{localcacert}} location.
h5. Steps to Reproduce
1) Install Puppet Server.
2) Copy the attached ca_crl.pem, ca_crt.pem, and ca_key.pem files to the /etc/puppetlabs/puppet/ssl/ca directory.
The “ca_crl.pem” and “ca_crt.pem” files contain CRL and CA PEMs for both the Root and Intermediate CAs, respectively. The “ca_key.pem” file contains the Intermediate CA’s private key.
3) Add the following lines to the /etc/puppetlabs/puppet/puppet.conf file in order to workaround the lack of support for processing multiple CRL files per the CA certificate chain - see PUP-3788:
{noformat}
[agent]
certificate_revocation = false
{noformat}
3 4 ) Run the following command:
{noformat}
puppet cert generate `facter fqdn`
{noformat}
4 5 ) Start Puppet Server
5 6 ) Do an agent run, targeting a unique ssl directory so that the CA cert and CRL which are downloaded will differ from those in the master ssl directory.
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
The agent run should exit with a line indicating that the certificate needs to be signed.
{noformat}
Exiting; no certificate found and waitforcert is disabled
{noformat}
6 7 ) Sign the myagent certificate request.
{noformat}
puppet cert sign myagent
{noformat}
7 8 ) Repeat the previous agent run:
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
h6. Expected:
Agent run is successful, with no warnings.
h6. Actual:
An error message is displayed:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Adrien Thebo commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
Eric Thompson thanks, this one is on my radar
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Eric Thompson updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Eric Thompson Team: Systems Engineering
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Eric Thompson commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
ping Adrien Thebo
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Karen Van der Veer updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Karen Van der Veer Team: Engineering "Pool"
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow updated an issue
Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file
Change By: Jeremy Barlow
If a bundle of CA certificates is stored where the CA service's {{cacert}} setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its {{localcacert}} location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.
After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /C=US/ST=Oregon/O=Puppet/CN=intermediateca.example.org/emailAddress=intermediat...@example.org]
{noformat}
The above error would happen for the case that the master's server certificate were issued by an intermediate CA and only the intermediate CA certificate were stored to the agent's {{localcacert}} file -- not the certificate of the issuing root CA.
Effectively, then, in order for the master to use an intermediate CA certificate to issue agent certificates, one would apparently have to manually put the root + intermediate CA bundle in place at the agent's {{localcacert}} location since only one of the CA certificates from the bundle is stored to the {{localcacert}} as part of the agent run. It would seem better instead for the full CA certificate bundle to be stored to the agent's {{localcacert}} location.
h5. Steps to Reproduce
1) Install Puppet Server.
2) Copy the attached ca_crl.pem, ca_crt.pem, and ca_key.pem files to the /etc/puppetlabs/puppet/ssl/ca directory.
The “ca_crl.pem” and “ca_crt.pem” files contain CRL and CA PEMs for both the Root and Intermediate CAs, respectively. The “ca_key.pem” file contains the Intermediate CA’s private key.
3) Add the following lines to the /etc/puppetlabs/puppet/puppet.conf file in order to workaround the lack of support for processing multiple CRL files per the CA certificate chain - see SERVER PUP - 1315 3788 :
{noformat}
[agent]
certificate_revocation = false
{noformat}
3) Run the following command:
{noformat}
puppet cert generate `facter fqdn`
{noformat}
4) Start Puppet Server
5) Do an agent run, targeting a unique ssl directory so that the CA cert and CRL which are downloaded will differ from those in the master ssl directory.
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
The agent run should exit with a line indicating that the certificate needs to be signed.
{noformat}
Exiting; no certificate found and waitforcert is disabled
{noformat}
6) Sign the myagent certificate request.
{noformat}
puppet cert sign myagent
{noformat}
7) Repeat the previous agent run:
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
h6. Expected:
Agent run is successful, with no warnings.
h6. Actual:
An error message is displayed:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to ge
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow updated an issue
Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file
Change By: Jeremy Barlow
If a bundle of CA certificates is stored where the CA service's {{cacert}} setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its {{localcacert}} location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.
After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /C=US/ST=Oregon/O=Puppet/CN=intermediateca.example.org/emailAddress=intermediat...@example.org]
{noformat}
The above error would happen for the case that the master's server certificate were issued by an intermediate CA and only the intermediate CA certificate were stored to the agent's {{localcacert}} file -- not the certificate of the issuing root CA.
Effectively, then, in order for the master to use an intermediate CA certificate to issue agent certificates, one would apparently have to manually put the root + intermediate CA bundle in place at the agent's {{localcacert}} location since only one of the CA certificates from the bundle is stored to the {{localcacert}} as part of the agent run. It would seem better instead for the full CA certificate bundle to be stored to the agent's {{localcacert}} location.
h5. Steps to Reproduce
1) Install Puppet Server.
2) Copy the attached ca_crl.pem, ca_crt.pem, and ca_key.pem files to the /etc/puppetlabs/puppet/ssl/ca directory.
The “ca_crl.pem” and “ca_crt.pem” files contain CRL and CA PEMs for both the Root and Intermediate CAs, respectively. The “ca_key.pem” file contains the Intermediate CA’s private key.
3) Add the following lines to the /etc/puppetlabs/puppet/puppet.conf file in order to workaround the lack of support for processing multiple CRL files per the CA certificate chain - see SERVER-1315:
{noformat}
[agent]
certificate_revocation = false
{noformat}
3) Run the following command:
{noformat}
puppet cert generate `facter fqdn`
{noformat}
4) Start Puppet Server
5) Do an agent run, targeting a unique ssl directory so that the CA cert and CRL which are downloaded will differ from those in the master ssl directory.
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
The agent run should exit with a line indicating that the certificate needs to be signed.
{noformat}
Exiting; no certificate found and waitforcert is disabled
{noformat}
6) Sign the myagent certificate request.
{noformat}
puppet cert sign myagent
{noformat}
7) Repeat the previous agent run:
{noformat}
puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl
{noformat}
h6. Expected:
Agent run is successful, with no warnings.
h6. Actual:
An error message is displayed:
{noformat}
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certi
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow commented on PUP-6697
Re: Allow full downloaded CA bundle to be stored to agent's localcacert file
Eric Sorenson fyi. This one seems pretty closely related to SERVER-1315 but I thought it would be worth calling out as a separate ticket. This one would probably involve work in the Puppet agent code whereas I think SERVER-1315 would be purely in Clojure, server-side code. Let me know if you think this ticket doesn't match your expectations.
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow updated an issue Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file Change By: Jeremy Barlow Attachment: ca_key.pem Attachment: ca_crt.pem Attachment: ca_crl.pem
Jira (PUP-6697) Allow full downloaded CA bundle to be stored to agent's localcacert file
Jeremy Barlow created an issue
Puppet / PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file
Issue Type: Bug
Affects Versions: PUP 4.6.2
Assignee: Unassigned
Components: Puppet Server
Created: 2016/09/11 7:05 PM
Priority: Normal
Reporter: Jeremy Barlow
If a bundle of CA certificates is stored where the CA service's cacert setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its localcacert location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.
After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:
Error: Could not request certificate: SSL_connect returned=1
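The verification failure in the issue description and the handshake condition in Josh Cooper's comment can both be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not Puppet's code and not part of the ticket; the three-certificate PKI, its names and the helper functions are constructed for illustration.

```ruby
require 'openssl'

# Issue a constructed test certificate. With no issuer given it is self-signed.
def issue(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed chain: Root CA -> Puppet CA (intermediate) -> server leaf.
def build_pki
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = issue('Root CA', root_key, ca: true, serial: 1)
  int = issue('Puppet CA', int_key, issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf = issue('puppet.example.test', leaf_key, issuer_cert: int, issuer_key: int_key, serial: 3)
  { root: root, intermediate: int, leaf: leaf }
end

PKI = build_pki
# A CA bundle as served to the agent, intermediate first (constructed sample).
BUNDLE_PEM = PKI[:intermediate].to_pem + PKI[:root].to_pem

# Parse every certificate in a PEM bundle.
def all_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Parsing a whole bundle as a single certificate keeps only the first PEM block,
# which models a client that stores one entry from a multi-entry response.
def first_cert_only(pem)
  [OpenSSL::X509::Certificate.new(pem)]
end

# Verify leaf against a trust store; `presented` are untrusted certificates the
# peer sent in the TLS handshake (used for chain building only, never as anchors).
def check(leaf, trusted, presented = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented)
  { ok: ok, code: store.error, message: store.error_string }
end

def scenarios
  leaf = PKI[:leaf]
  {
    # Ticket's failure: only the intermediate lands in the agent's CA file.
    first_cert_stored: check(leaf, first_cert_only(BUNDLE_PEM)),
    # Ticket's request: the full bundle is stored.
    full_bundle_stored: check(leaf, all_certs(BUNDLE_PEM)),
    # Comment's alternative: root is the only anchor, server sends the intermediate.
    root_only_chain_sent: check(leaf, [PKI[:root]], [PKI[:intermediate]]),
    # Root is the only anchor and the server sends no intermediate.
    root_only_no_chain: check(leaf, [PKI[:root]])
  }
end

if $PROGRAM_NAME == __FILE__
  scenarios.each { |name, r| puts format('%-22s ok=%-5s %s', name, r[:ok], r[:message]) }
end
```

The first scenario fails with the same "unable to get issuer certificate" condition quoted in the ticket, because the stored intermediate is not self-signed and its issuer is absent from the store.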