PUP-11522

Allow Puppet::HTTP::Client to connect to a server requiring client cert authentication and whose server cert is issued by a CA in the 'ssl_trust_store'


Details

    • When using the http client in puppet it should be possible to connect to an https server that requires client certs and whose server cert is issued by a third party CA. E.g. it should be possible to call "post(url, options: {include_system_store: true})" and connect to the server described above.
    • Phoenix
    • 2
    • Phoenix 2022-05-11, Phoenix 2022-05-25
    • Needs Assessment
    • 48141
    • 1
    • Bug Fix
    • Puppet's http client can now establish a mutually authenticated TLS connection when passing "include_system_store: true", such as when retrieving file content from HTTPS servers. Previously puppet did not add its client certificate to the SSL context, so the connection would fail if the HTTPS server *required* a client certificate.
    • Needs Assessment

    Description

      Puppet Version: 6.27.0 and 7.16.0
      Puppet Server Version: N/A
      OS Name/Version: Any

      PUP-11471 enabled using the system CA store when using HTTP::Client, however, it did not enable users to use the 'ssl_trust_store' Puppet.conf option with client SSL authentication. After PUP-11471 a user can use 'create_context' or 'load_context' to use client based authentication with 'include_system_store: true' to load the trusted CA certificates from '/opt/puppetlabs/puppet/ssl/certs/' and '/opt/puppetlabs/puppet/ssl/cert.pem'. It does not enable a user to use 'create_context' or 'load_context' to use client based authentication with 'include_system_store: true' to load the trusted CA certificates from the 'ssl_trust_store' Puppet.conf option.

      The 'ssl_trust_store' Puppet.conf option removes the requirement of using 'c_rehash' or appending the CA bundle to '/opt/puppetlabs/puppet/ssl/cert.pem', which is overwritten on any agent upgrade.

      When 'include_system_store: true' is passed, 'create_context' should load 'Puppet[:ssl_trust_store]' the same way that 'create_system_context' does here: https://github.com/puppetlabs/puppet/blob/d894861565aa95bd6f4f1cb85fe44ab62cc37854/lib/puppet/ssl/ssl_provider.rb#L73-L89

      Desired Behavior:

      'create_context' should load the certificates from 'Puppet[:ssl_trust_store]' with 'include_system_store: true'.

      Actual Behavior:
      There is no way to load the certificates from 'Puppet[:ssl_trust_store]' with 'create_context'.

      Using the system context is not an option in this scenario as it does not use the client certificates for authentication.

      Examples:

      We would expect the following to use client certificates and load the certificate bundles defined in 'Puppet[:ssl_trust_store]'. It does not work unless the CA certificate is loaded into /opt/puppetlabs/puppet/ssl/certs/ and /opt/puppetlabs/puppet/bin/c_rehash is run.

      require 'puppet'

      # Server trusted by the system trust store, and demanding a client certificate signed by the puppet CA
      url = 'https://example.com/file.tar.gz'
      client = Puppet.runtime[:http]
      provider = Puppet::SSL::SSLProvider.new
      # Load the agent's own cert/key for client authentication and also trust the system CA store
      ssl_context = provider.load_context(revocation: false, include_system_store: true)
      client.get(URI(url), options: { ssl_context: ssl_context }) do |response|
        raise 'Failed to download artifact' unless response.success?

        # Stream the body to the caller's handler (do_something is a placeholder)
        response.read_body { |data| do_something(data) }
      end

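      To make concrete what the requested 'create_context' behaviour amounts to, the following is an added Ruby example (not Puppet's own code) that builds the verification store a client context would need: the OpenSSL default CA paths when include_system_store is true, plus an extra PEM bundle standing in for Puppet[:ssl_trust_store]. The CA and server certificate are generated in-process as constructed test data, and build_verify_store, make_ca_and_leaf and server_cert_trusted? are names chosen for this example.

```ruby
require 'openssl'
require 'tempfile'

# Verification store for a client context: system CAs (optional) plus an
# extra trust-store bundle. `trust_store_path` stands in for
# Puppet[:ssl_trust_store] (assumption made for this example).
def build_verify_store(trust_store_path: nil, include_system_store: true)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if include_system_store   # OS / OpenSSL default CA paths
  store.add_file(trust_store_path) if trust_store_path && File.exist?(trust_store_path)
  store
end

# Constructed test PKI: a self-signed third-party CA and a server leaf it issues.
def make_ca_and_leaf
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Third-Party CA')
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest::SHA256.new)

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=example.com')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  leaf.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [ca, leaf]
end

# True when the server cert chains to a CA in the store built with these options.
# Without the trust-store bundle the third-party-issued cert is rejected, which is
# the failure the ticket describes.
def server_cert_trusted?(leaf, trust_store_path: nil, include_system_store: true)
  build_verify_store(trust_store_path: trust_store_path,
                     include_system_store: include_system_store).verify(leaf)
end
```

      The client certificate side (the agent's own cert and key) is attached separately on the SSLContext; this example only covers the server-verification half that the 'ssl_trust_store' option affects.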

      People

        josh Josh Cooper
        jarret.lavallee Jarret Lavallee