Puppet: PUP-4005

AIO agent CSR extension not compatible with current puppetserver packages

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.0.0
    • Component/s: None
    • Story Points: 2
    • Sprint: Client 2015-02-18, Client 2015-03-04

      Description

      Updated:

      We encountered this issue while testing AIO agents against puppetserver 2.0 packages due to puppetserver using an older jvm-ssl-utils library that didn't parse CSR extensions correctly. We temporarily disabled the puppet acceptance test while waiting for a new puppetserver 2.0 package to be promoted. Once that happened we re-enabled our acceptance test, verifying the AIO agent is compatible with puppetserver 2.0. There is nothing to document as this wouldn't have affected previously released versions of puppet or puppetserver.

      Original:

      The certificate_extensions acceptance test generates a csr_attributes.yaml file containing:

      ---
      extension_requests:
        pp_uuid: b5e63090-5167-11e3-8f96-0800200c9a66
        pp_instance_id: i-3fkva
        1.3.6.1.4.1.34380.1.2.1: db-server
        1.3.6.1.4.1.34380.1.2.2: webops
      

      It executes the agent, generating a CSR with the above extensions:

            on(agent, puppet("agent", "--test",
                             "--server", master,
                             "--waitforcert", 0,
                             "--csr_attributes", agent_csr_attributes,
                             "--certname", agent_certname,
                             "--ssldir", agent_ssldir,
                             ...
      

      The actual CSR appears to have corrupted extension values:

      [root@g99v11p01efnb1x certificate_requests]# openssl req -in g99v11p01efnb1x.delivery.puppetlabs.net-extensions.pem  -noout -text
      Certificate Request:
          Data:
              Version: 0 (0x0)
              Subject: CN=g99v11p01efnb1x.delivery.puppetlabs.net-extensions
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (4096 bit)
                      Modulus:
                      ...
                      Exponent: 65537 (0x10001)
              Attributes:
              Requested Extensions:
                  1.3.6.1.4.1.34380.1.1.1:
                      .$b5e63090-5167-11e3-8f96-0800200c9a66
                  1.3.6.1.4.1.34380.1.1.2:
                      ..i-3fkva
                  1.3.6.1.4.1.34380.1.2.1:
                      ..db-server
                  1.3.6.1.4.1.34380.1.2.2:
                      ..webops
      

      Notice the extra two bytes at the beginning of each extension.

      The master extracts the trusted data, and adds a file to the catalog whose content is the trusted certificate data serialized as YAML.

      The test compares the resulting file on the agent with the following:

                'extensions' => {
                  'pp_uuid' => 'b5e63090-5167-11e3-8f96-0800200c9a66',
                  'pp_instance_id' => 'i-3fkva',
                  '1.3.6.1.4.1.34380.1.2.1' => 'db-server',
                  '1.3.6.1.4.1.34380.1.2.2' => 'webops'
      

      And it fails with:

        Test Case tests/ssl/certificate_extensions.rb reported: #<RuntimeError: PuppetAcceptance::DSL::Helpers.with_puppet_running_on failed (check backtrace for location) because: --- expected
      +++ actual
      @@ -1 +1 @@
      -{"authenticated"=>"remote", "certname"=>"g99v11p01efnb1x.delivery.puppetlabs.net-extensions", "extensions"=>{"pp_uuid"=>"b5e63090-5167-11e3-8f96-0800200c9a66", "pp_instance_id"=>"i-3fkva", "1.3.6.1.4.1.34380.1.2.1"=>"db-server", "1.3.6.1.4.1.34380.1.2.2"=>"webops"}}
      +{"authenticated"=>"remote", "certname"=>"g99v11p01efnb1x.delivery.puppetlabs.net-extensions", "extensions"=>{"pp_uuid"=>"\f$b5e63090-5167-11e3-8f96-0800200c9a66", "pp_instance_id"=>"\f\ai-3fkva", "1.3.6.1.4.1.34380.1.2.1"=>"\f\tdb-server", "1.3.6.1.4.1.34380.1.2.2"=>"\f\u0006webops"}}
      

      Note \f is ASCII character 12, which in ASN.1 is the UTF8String tag.

      Also webops is 6 characters long and b5e63090-5167-11e3-8f96-0800200c9a66 is 36 characters long, which corresponds to the ASCII character $. So it appears the agent is generating extensions whose value contains the ASN.1 type and length.

      Likely this is related to PUP-3560 and the merge commit https://github.com/puppetlabs/puppet/commit/82b7a84bd017c77c95ab02a4e3547e228d7234e1, perhaps triggered because we've moved to ruby 2.1.5 and/or our compiled openssl.

      [root@g99v11p01efnb1x certificate_requests]# ruby --version
      ruby 2.1.5p273 (2014-11-13 revision 48405) [x86_64-linux]
      [root@g99v11p01efnb1x certificate_requests]# openssl version
      OpenSSL 1.0.0q 15 Jan 2015
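
The two leading bytes the ticket points at (the 0x0C UTF8String tag and a length byte such as "$" for 36 characters) are what a conforming extnValue looks like: an OCTET STRING whose content is the DER of the value. The Ruby example below is added here and is not code from the ticket, from Puppet or from puppetserver; it builds a CSR whose extensionRequest wraps each value that way, then re-parses the CSR as a CA should, decoding the nested DER instead of treating the octet-string content as raw text. The certname, the 2048-bit key and the sample extension map are constructed for the example.

```ruby
require 'openssl'

# Constructed sample: the OIDs and values from the ticket's csr_attributes.yaml
# (pp_uuid and pp_instance_id are Puppet's short names for the first two OIDs).
SAMPLE_EXTENSIONS = {
  '1.3.6.1.4.1.34380.1.1.1' => 'b5e63090-5167-11e3-8f96-0800200c9a66',
  '1.3.6.1.4.1.34380.1.1.2' => 'i-3fkva',
  '1.3.6.1.4.1.34380.1.2.1' => 'db-server',
  '1.3.6.1.4.1.34380.1.2.2' => 'webops'
}.freeze

# extnValue is an OCTET STRING whose content is the DER of the extension value.
# For text that DER is tag 0x0C (UTF8String), a length byte, then the text:
# "\f$" followed by 36 characters for the pp_uuid value shown in the ticket.
def der_utf8(value)
  OpenSSL::ASN1::UTF8String.new(value).to_der
end

# Decode octet-string content back to text. A parser that treats the content as
# raw text keeps the tag and length bytes ("\f$..."); decoding the nested DER
# recovers the value. Bare text (what older agents wrote) is returned unchanged;
# bare text that itself starts with 0x0C and parses as DER would be misread.
def decode_ext_value(octets)
  return octets unless octets.getbyte(0) == 0x0c
  asn1 = OpenSSL::ASN1.decode(octets) # raises on trailing or malformed bytes
  asn1.is_a?(OpenSSL::ASN1::UTF8String) ? asn1.value : octets
rescue OpenSSL::ASN1::ASN1Error
  octets
end

# Build a CSR carrying the extensions in an extensionRequest attribute with each
# value wrapped as a DER UTF8String, re-parse it from DER as a CA would, and
# return the decoded extension map.
def round_trip_extensions(exts)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', 'agent.example.test']])
  req.public_key = key.public_key
  ext_list = exts.map { |oid, v| OpenSSL::X509::Extension.new(oid, der_utf8(v), false) }
  ext_set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(ext_list)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_set))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  parsed = OpenSSL::X509::Request.new(req.to_der)
  attr = parsed.attributes.find { |a| a.oid == 'extReq' }
  # SET { SEQUENCE OF Extension }; Extension = SEQUENCE { OID, [critical], OCTET STRING }
  attr.value.value.first.value.each_with_object({}) do |ext, out|
    out[ext.value[0].oid] = decode_ext_value(ext.value.last.value)
  end
end
```

Feeding the ticket's corrupted-looking values ("\f$b5e6...", "\f\u0006webops") through decode_ext_value yields the plain strings the acceptance test expected.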
      

    People

    • Reporter: Josh Cooper
    • Assignee: Unassigned