Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10425

file {} fails to verify certificate when downloading via https

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • PUP 6.14.0
    • None
    • None
    • None
    • Linux, Ubuntu 18.04 LTS

    • PUP Bug Template
    • Monolithic
    • Other
    • Other
    • Hide

      Certificate validation works again as in 6.13.0.

      Show
      Certificate validation works again as in 6.13.0.
    • Needs Assessment
    • Needs Assessment

    Description

      Puppet Version: See above
      Puppet Server Version: 6.9.0
      OS Name/Version: Ubuntu 18.04 LTS (not listed in drop down above, neither for agent, nor for master)

      After updating Puppet agent to 6.14.0 we see a failure in certificate validation when using a file resource with a https:// URL, which didn't happen before. The resource in question looks like this (simplyfied):

      file { 'cache_node_jar':
        path    => "/tmp/build-cache-node-8.1.jar",
        source  => "https://docs.gradle.com/build-cache-node/jar/build-cache-node-8.1.jar",
        ensure  => present,
      }

      which produced the following error:

      certificate verify failed [unable to get local issuer certificate for CN=CloudFlare Inc ECC CA-2,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US]

      Since we have a Nexus server running in our environment (which also has a valid certificate, issued by Comodo), I set up a cache repository there and changed the URL, so that the resource now looks like this: 

      file { 'cache_node_jar':
        path    => "/tmp/build-cache-node-8.1.jar",
        source  => "https://nexus.ourdomain.com/repository/gradle-cache/build-cache-node-8.1.jar",
        ensure  => present,
      }

      but this only led to a small change in the error message:

      certificate verify failed [self signed certificate in certificate chain for CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

      but, as mentioned, the certificate is not self-signed. Downgrading the agent back to 6.13.0 resolved the problem.

      Desired Behavior:

      Certificate should be correclty validated as in 6.13.0.

      Actual Behavior:

      See above.

       

      Please also consider this a feature request to add an option to file resources to skip certificate validation. Most other tools I know have such an option.

       

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              dhs@recommind.com Dirk Heinrichs
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support