[PA-3525] Add GlobalSignRoot CA R3 for rubygems.org in puppet-runtime - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: puppet-agent 6.22.0, puppet-agent 7.5.0
Component/s: None
Labels:
- doc_reviewed

Team:
Night's Watch
Story Points:
1
Sprint:
NW - 2021-03-17
Method Found:
Needs Assessment

Release Notes:
Bug Fix
Release Notes Summary:
Added GlobalSignRoot CA R3 for rubygems.org

QA Risk Assessment:
Needs Assessment

Description

If you run the gem.bat command on windows without first running environment.bat then you'll get an SSL error as rubygems.org cert is signed by a different CA now GlobalSignRootCA R3. This is an issue for bolt, pdk, etc.

We're already installing the old CA in GlobalSignRootCA.pem (https://github.com/puppetlabs/puppet-runtime/blob/master/resources/files/rubygems/GlobalSignRootCA.pem), but we should add the new one too.

The reason it's not an issue when first running environment.bat is because that script sets SSL_CERT_FILE etc to be the puppet-ca-bundle installed in puppet-agent, which includes the R3 cert.

See https://github.com/rubygems/rubygems/commit/2f8a3cf71a6a4737731f963f7ad71bf4954743ea#diff-4390e37145d27f817fe6e22497c15763540cb2e1e286b799e3c07491317ee665
and
https://github.com/rubygems/rubygems/commit/f6408675a02edeb7a197b4ba529a8282d822f26d#diff-4390e37145d27f817fe6e22497c15763540cb2e1e286b799e3c07491317ee665

Attachments

Activity

People

Assignee:: Ciprian Badescu

Reporter:: Josh Cooper

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020/12/18 10:19 AM

Updated:: 2021/03/10 7:40 AM

Resolved:: 2021/03/10 12:49 AM