Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-5069

Puppet's HTTP API does not allow callers to trust system cacerts



    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • PUP 6.14.0
    • None
    • Coremunity
    • Platform Core KANBAN
    • Enhancement
    • The HTTP client now accepts a parameter to trust the system certificate store when making HTTPS connections. By default, it only trusts the puppet PKI. The API is private and may change in a future release.


      Puppet's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the Net::HTTP#store and call OpenSSL::X509::Store#set_default_paths, but this is not currently possible.

      The PMT works around this by rolling its own Net::HTTP object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.

      Next Steps:

      1. Update puppet, report and fileserver http services to accept an optional include_system_store argument which defaults to false.
      2. Remove the ssl_context argument from the same set of services. Note the ca server needs to remain as-is, because the agent needs to pass in an ssl_context during ssl bootstrapping.
      3. Update the HTTP client get, post, etc methods to accept either include_system_store or ssl_context but not both.
      4. Add a Puppet::HTTP::Client#system_ssl_context method that calls Puppet::SSL::SSLProvider.create_system_context and memoizes it
      5. If include_system_store is true, then Puppet::HTTP::Client#get (etc) should use the system_ssl_context for that connection.

      Acceptance Criteria:

      1. The client should be able to connect to well-known servers like github.com, whose SSL cert is not issued by the puppet PKI.
      2. The client should not perform revocation checking, since the CA cert won't be in puppet's CRL bundle.
      3. A connection created with the system_ssl_context should not be reused when making a connection to puppet infrastructure (using the puppet_ssl_context) and vice-versa. This can be verified looking at the http_debug log and seeing when new connections are started vs reused.


        Issue Links



              josh Josh Cooper
              josh Josh Cooper
              0 Vote for this issue
              3 Start watching this issue



                Zendesk Support