Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-3525

Add GlobalSignRoot CA R3 for rubygems.org in puppet-runtime

    XMLWordPrintable

    Details

    • Template:
    • Team:
      Night's Watch
    • Story Points:
      1
    • Sprint:
      NW - 2021-03-17
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Added GlobalSignRoot CA R3 for rubygems.org
    • QA Risk Assessment:
      Needs Assessment

      Description

      If you run the gem.bat command on windows without first running environment.bat then you'll get an SSL error as rubygems.org cert is signed by a different CA now GlobalSignRootCA R3. This is an issue for bolt, pdk, etc.

      We're already installing the old CA in GlobalSignRootCA.pem (https://github.com/puppetlabs/puppet-runtime/blob/master/resources/files/rubygems/GlobalSignRootCA.pem), but we should add the new one too.

      The reason it's not an issue when first running environment.bat is because that script sets SSL_CERT_FILE etc to be the puppet-ca-bundle installed in puppet-agent, which includes the R3 cert.

      See https://github.com/rubygems/rubygems/commit/2f8a3cf71a6a4737731f963f7ad71bf4954743ea#diff-4390e37145d27f817fe6e22497c15763540cb2e1e286b799e3c07491317ee665
      and
      https://github.com/rubygems/rubygems/commit/f6408675a02edeb7a197b4ba529a8282d822f26d#diff-4390e37145d27f817fe6e22497c15763540cb2e1e286b799e3c07491317ee665

        Attachments

          Activity

            People

            Assignee:
            ciprian.badescu Ciprian Badescu
            Reporter:
            josh Josh Cooper
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support