Puppet Agent / PA-2335

Cannot add custom CA certs for internal resources without replacing bundled CA

    Details

    • Acceptance Criteria:
      There should be an alternative solution to replacing the bundled ca certs.pem file installed with the puppet agent in order to add additional CAs to be acceptable to puppet when it's performing any https request, or the workaround should be well documented.
    • Team:
      Platform OS
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet ignores any certs added under /etc/puppetlabs/ssl/certs/ or as a cert bundle /etc/puppetlabs/ssl/cert.pem, which causes issues when using internal resource endpoints using custom SSL certs.

      e.g.

      /opt/puppetlabs/puppet/bin/ruby -r open-uri -e 'puts URI::parse("<internal-apt-repository>/Release.gpg").read'
      /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:948:in `connect'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:876:in `start'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:721:in `open'
      	from /opt/puppetlabs/puppet/lib/ruby/2.4.0/open-uri.rb:729:in `read'
      	from -e:1:in `<main>'

      We make use of https://github.com/pcfens/puppet-ca_cert to install a set of additional root CAs to be used across the system for any internal endpoints. However, in order to upgrade to puppet 5, and allow the Apt::Key to download the signing key stored on any of these endpoints, it is necessary to replace the copy of the file provided as part of the deb (which would then show up when using debsums).

      This is not obvious and, although referenced in PA-101 and PA-95 (both marked as closed), there is only a workaround mentioned that one would assume should no longer be required based on the tickets being marked resolved.

      Based on the current documentation one would assume that you could use /etc/puppetlabs/puppet/ssl/cert.pem (or place the desired cert.pem under the configured ssldir) and it would be picked up.
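As an added illustration (not part of this ticket, nor code from puppet-agent or puppet-ca_cert), the Ruby below shows the two trust stores side by side: the bundled defaults, which reject a certificate issued by an internal CA, and the same defaults extended with that CA at runtime, which accept it without editing the bundled cert.pem. The internal CA, the leaf certificate and the host name apt.internal.example are constructed in memory for the demonstration.

```ruby
require 'openssl'
require 'net/http'

# Constructed throw-away certificates: an "internal" root CA and a server
# (leaf) certificate it signed, standing in for a custom CA and an internal
# endpoint. Nothing here touches the agent's bundled CA file.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  cert
end

INTERNAL_CA_KEY = OpenSSL::PKey::RSA.new(2048)
INTERNAL_CA = make_cert('/CN=Example Internal Root CA', nil, INTERNAL_CA_KEY, INTERNAL_CA_KEY, 1, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert('/CN=apt.internal.example', INTERNAL_CA, INTERNAL_CA_KEY, LEAF_KEY, 2, ca: false)

# Trust store = whatever CA file/dir this Ruby's OpenSSL was built to use
# (OpenSSL also honours SSL_CERT_FILE / SSL_CERT_DIR here), plus extra CA PEMs.
def trust_store(extra_ca_pems)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  extra_ca_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Returns true when the chain verifies, otherwise OpenSSL's reason string.
def verify(store, cert)
  store.verify(cert) ? true : store.error_string
end

# A Net::HTTP client that keeps VERIFY_PEER but uses the extended store.
def http_with_store(uri, store)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end
```

For one-off scripts like the failing command above, open-uri also accepts an `ssl_ca_cert:` option naming a PEM file or directory, which is another way to add a CA without replacing the bundled file.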

    • Reporter:
      Darragh Bailey
    • Assignee:
      Unassigned