Bug #4226
Puppet ca_name configuration setting should not default to the fqdn of the host.
| Status: | Closed | Start date: | 07/13/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Jacob Helwig |
% Done: | 0% |
|
| Category: | - | |||
| Target version: | 2.6.2 | |||
| Affected Puppet version: | Branch: | http://github.com/jhelwig/puppet/tree/ticket/2.6.x/4226-root-ca-name | ||
| Keywords: | ssl ca crl certificate revocation | |||
| Votes: | 3 |
Description
Overview: There are numerous issues with enabled checking of certificate revocation list (CRL) files. These issues appear to be caused by the CN field of the CA certificate exactly matching the CN field of the SSL certificate used on the puppet master host.
One possible solution is to change the default value of the CN field for the CA certificate to be distinct and unique from the CN field of the SSL certificate on the puppet master. This may be accomplished by changing the default value of the ca_name configuration setting to something other than the FQDN of the host.
Expected Behavior: CRL checking should work when enabled.
Actual Behavior: CRL checking does not work when the CN field of the CA certificate exactly matches the CN field of the SSL server certificate.
Steps to reproduce: Create a default puppet master SSL setup where by the CN name of both the CA and SSL certificates is the FQDN of the host.
Enable SSL CRL checking on the puppet master.
Notice that CRL checking fails due to a conflict and confusion over the correct certificate to use.
Suggested fix: Change the behavior of the ca_name configuration setting to create a CA certificate with a CN of:
“Puppet CA #{Facter["fqdn”].value}"
rather than the current behavior of “#{Facter["fqdn”].value}“ or ”${Facter[“hostname”].value}.#{Facter[“domain”].value}"
Related issues
History
Updated by James Turnbull almost 2 years ago
- Status changed from Unreviewed to Accepted
Updated by Patrick Mohr over 1 year ago
As an added bonus, the suggested fix will also make it easier for people looking at the certificate files to figure out what’s going on.
Updated by Jeff McCune over 1 year ago
- Affected Puppet version deleted (
2.6.0rc2)
In order to reproduce this error, I ran the master on a CentOS 5.5 virtual machine and the agent on Mac OS X 10.6.4. The error seems to come from the openssl library of the agent.
root@vivian:~# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
root@vivian:~# envpuppet ruby --version
ruby 1.8.5 (2006-08-25) [x86_64-linux]
root@vivian:~# cat /etc/redhat-release
CentOS release 5.5 (Final)
root@vivian:~#
On the agent:
2612 ~ % openssl version
OpenSSL 0.9.8l 5 Nov 2009
2613 ~ % ruby --version
ruby 1.8.7 (2009-06-12 patchlevel 174) [universal-darwin10.0]
2615 ~ % sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.4
BuildVersion: 10F569
On the master, clear out ssldir then run:
puppet master --verbose --no-daemonize
On the agent, run
puppet agent --test --server mock.puppetlabs.vm
This causes the error:
2602 puppet:upstream/2.6.x % envpuppet puppetd --test --server vivian.puppetlabs.vm
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
To fix the problem, clear the SSL and CA certificates on the master and restart with a CA name other than the FQDN:
root@vivian:~# envpuppet puppetmasterd --verbose --no-daemonize --ca_name "Puppet CA $(hostname)"
Updated by Jacob Helwig over 1 year ago
- Status changed from Accepted to In Topic Branch Pending Review
- Assignee set to Jacob Helwig
- Branch set to http://github.com/jhelwig/puppet/tree/ticket/2.6.x/4226-root-ca-name
Jeff’s fix to a failing spec, and the 2 patches I submitted have all been +1'ed on the mailing list.
Updated by Paul Berry over 1 year ago
- Target version set to 2.6.2
Updated by Markus Roberts over 1 year ago
- Status changed from In Topic Branch Pending Review to Ready For Checkin
Based on out of band assurances that this has been tested and works…
Updated by Markus Roberts over 1 year ago
- Status changed from Ready For Checkin to Closed
Pushed to 2.6.x in commit:66cf3a925b4b6d9b40cbdf95f2be6575bb05a881