Resolution: Won't Fix
Affects Version/s: PUP 4.0.0
Fix Version/s: None
The value for a Netscape Comment certificate extension is supposed to be an ASN.1 OctetString which wraps an IA5String. Originally, I believe this was documented here, but this link no longer appears to be active:
References to this needing to be an IA5String, however, appear in some other places:
Prior to Puppet 4, the Ruby Puppet CA would generate the Netscape Comment extension value as a raw OctetString, not wrapping a String of another type. This was incorrect. Per the work done in
PUP-3560, however, the Ruby Puppet CA would generate the extension value as an OctetString wrapping a UTF8String. Different, but also incorrect. Note that the Puppet Server CA - both versions 1.x and 2.x - correctly generate the Netscape Comment extension value as an OctetString wrapping an IA5String.
Steps to reproduce:
1) Install puppet-agent 1.x.
2) Run export RUBYLIB=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby.
3) Run export PATH=/opt/puppetlabs/puppet/bin:$PATH.
4) Run puppet master --no-daemonize --debug --trace --verbose --confdir=/etc/puppetlabs/puppet --vardir=/opt/puppetlabs/puppet/cache.
5) After the WEBrick Puppet master has started, an /etc/puppetlabs/puppet/ssl/certs/[myhost].pem file should exist. On that file, run openssl asn1parse -in [myhost].pem.
The output from the command could include:
Not that the "0C" at the beginning of the OCTET STRING in this case indicates that the value is encoded as a UTF8String whereas the value should start with "16", hex value for IA5String. See http://www.obj-sys.com/asn1tutorial/node124.html for a list of ASN.1 universal tag numbers.
Since the Netscape Comment extension has been deprecated - https://www.openssl.org/docs/apps/x509v3_config.html#Netscape-String-extensions, this problem only affects the Ruby Puppet CA and not the Puppet Server CA, and the Ruby Puppet CA is intended to be deprecated in the not too distant future, resolution of this problem is probably not critical.