Allow full downloaded CA bundle to be stored to agent's localcacert file

If a bundle of CA certificates is stored where the CA service's cacert setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its localcacert location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.

After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:

Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /C=US/ST=Oregon/O=Puppet/CN=intermediateca.example.org/emailAddress=intermediateca@example.org]

The above error would happen for the case that the master's server certificate were issued by an intermediate CA and only the intermediate CA certificate were stored to the agent's localcacert file – not the certificate of the issuing root CA.

Effectively, then, in order for the master to use an intermediate CA certificate to issue agent certificates, one would apparently have to manually put the root + intermediate CA bundle in place at the agent's localcacert location since only one of the CA certificates from the bundle is stored to the localcacert as part of the agent run. It would seem better instead for the full CA certificate bundle to be stored to the agent's localcacert location.

Steps to Reproduce

1) Install Puppet Server.

2) Copy the attached ca_crl.pem, ca_crt.pem, and ca_key.pem files to the /etc/puppetlabs/puppet/ssl/ca directory.

The “ca_crl.pem” and “ca_crt.pem” files contain CRL and CA PEMs for both the Root and Intermediate CAs, respectively. The “ca_key.pem” file contains the Intermediate CA’s private key.

3) Add the following lines to the /etc/puppetlabs/puppet/puppet.conf file in order to workaround the lack of support for processing multiple CRL files per the CA certificate chain - see PUP-3788:

[agent]

certificate_revocation = false

4) Run the following command:

puppet cert generate `facter fqdn`

5) Start Puppet Server

6) Do an agent run, targeting a unique ssl directory so that the CA cert and CRL which are downloaded will differ from those in the master ssl directory.

puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl

The agent run should exit with a line indicating that the certificate needs to be signed.

Exiting; no certificate found and waitforcert is disabled

7) Sign the myagent certificate request.

puppet cert sign myagent

8) Repeat the previous agent run:

puppet agent -t --certname myagent --server `facter fqdn` --ssldir /tmp/myagent-ssl

Expected:

Agent run is successful, with no warnings.

Actual:

An error message is displayed:

Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /C=US/ST=Oregon/O=Puppet/CN=intermediateca.example.org/emailAddress=intermediateca@example.org]

The agent downloads the CA certificate from Puppet Server by making a request to the .../puppet-ca/v1/certificate/ca endpoint on the server. Note that when making the request manually...

curl -k https://`facter fqdn`:8140/puppet-ca/v1/certificate/ca

... that the response payload contains 2 certificates - identical to the contents of the /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem file. Note, however, that the contents of the agent's localcacert file - /tmp/myagent-ssl/certs/ca.pem - only includes 1 certificate, the first one from the ca_crt.pem file.

After running the following command…

cp /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem /tmp/myagent-ssl/certs/ca.pem

… and then running the agent with the same command line as previously, the agent run is successful.