Bug #3770

Puppet SSL verification is broken with multiple chained certificates

Added by Ohad Levy over 1 year ago. Updated about 1 month ago.

Status: Accepted
Start date: 04/22/2010
Priority: Normal
Due date: 04/22/2010
Assignee: -
% Done: 0%
Category: SSL
Target version: Telly
Affected Puppet version:
Branch:
Keywords:
Votes: 11

Description

Hi,

It seems that 0.25.x SSL is broken when using a chained CA.

I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not.

It doesn't seem to be related to the SSL initialization itself, but rather to something else.

h2. example script

<pre><code class="ruby">
require 'net/https'
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

# 1. Puppet's own HTTP client, with peer verification switched on.
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# 2. Plain Net::HTTP using the same key, cert and CA file from puppet.conf.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]

puts http.get url, header
</code></pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#
"#"
</pre>

Related issues

related to Puppet - Bug #4226: Puppet ca_name configuration setting should not default t... Closed 07/13/2010
related to Puppet - Bug #3120: 'localcacert' doesn't behave as described Needs Decision 01/27/2010
related to Puppet - Bug #3961: puppetca doesnt generate certificate in $certdir. Closed 06/08/2010
duplicated by Puppet - Bug #1525: local host fails to sync with mongrel/apache2 Closed 08/21/2008
follows Puppet - Bug #3640: Added CRL disable option Closed 04/21/2010

History

Updated by James Turnbull over 1 year ago

  • Target version changed from 0.25.5 to 49

Updated by James Turnbull about 1 year ago

  • Target version deleted (49)

Updated by Nigel Kersten 9 months ago

  • Assignee deleted (Ohad Levy)
  • Target version set to Telly
  • Affected Puppet version deleted (0.25.5rc1)

Updated by Nigel Kersten 9 months ago

To provide some context, I asked the dev team to spend some time investigating the scope of this fix, and it was non-trivial, enough that it’s been pushed off to Telly.

Unlike previous releases, however, expect to see Telly code commits starting to make their way to the dev list in the next month.
