Puppet issue PUP-6918

SSL - Improve CSR to local public key mismatch handling

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.8.0
    • Fix Version/s: PUP 4.9.0
    • Component/s: None
    • Acceptance Criteria:
      • Tests exist to simulate the mismatch
    • Release Notes:
      New Feature
    • Release Notes Summary:
      The Puppet agent will now emit a warning if it had previously submitted a CSR to a master, does not have a signed CSR, and the local CSR does not match what was previously submitted to the master.

      Description

      Assume the following sequence of events:

      • Agent has generated public / private key pair and a CSR
      • Agent has sent a CSR to the master (by way of a `puppet agent` run)
      • Master has not yet signed the CSR

      Note that the agent's CSR includes the agent's public key. Now perform the following:

      • Delete the agent's entire SSL directory, including the public / private key pair, CA and CSR
      • Re-run `puppet agent -t`

      The agent will regenerate all the SSL files.

      However, instead of using the new CSR that has been created locally (that matches the newly generated public / private key pair), the agent will download the previously submitted CSR from the master. Despite there being no way of using the previously submitted CSR since the local agent no longer has a matching public key, Puppet will proceed without an error describing the circumstances.

      The agent should perform a comparison of the local public key to the downloaded CSR to ensure they are a match. When they are not a match, an error should be presented to the user advising them that their master has a mismatched CSR that must be cleaned.
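      As an added illustration of the comparison the issue asks for (this is not Puppet's own code), the Ruby below builds CSRs with the standard `openssl` library and checks whether a CSR retrieved from the master embeds the same public key as the key pair currently on disk. The key pairs, the CSRs, the host name and the helper names `build_csr`, `csr_matches_local_key?` and `csr_mismatch_warning` are all constructed for this example.

```ruby
require 'openssl'

# Build a CSR for +cn+ that embeds +key+'s public key and is signed by +key+.
# (Hypothetical helper, used here only to construct sample CSRs.)
def build_csr(key, cn)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# The check the issue asks for: does the CSR the agent got back from the
# master carry the same public key as the key pair now on disk?
# Compares the DER form of both public keys, and also rejects a CSR whose
# self-signature does not verify with its own embedded key (corrupt/tampered).
def csr_matches_local_key?(csr_pem, local_key)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  csr.public_key.to_der == local_key.public_key.to_der
end

# Returns nil when everything is consistent, otherwise the warning text an
# agent could emit (wording is illustrative, not Puppet's actual message).
def csr_mismatch_warning(csr_pem, local_key, master_host)
  return nil if csr_matches_local_key?(csr_pem, local_key)
  "The CSR retrieved from #{master_host} does not match the local public key; " \
    'the stale CSR on the master must be cleaned before a certificate can be issued'
end

# Constructed scenario: the agent's current key pair, and a stale key pair
# standing in for the one deleted after the first CSR had been submitted.
if __FILE__ == $PROGRAM_NAME
  current = OpenSSL::PKey::RSA.new(2048)
  stale   = OpenSSL::PKey::RSA.new(2048)
  fresh_csr = build_csr(current, 'agent.example').to_pem
  stale_csr = build_csr(stale, 'agent.example').to_pem
  puts csr_mismatch_warning(fresh_csr, current, 'puppet.example').inspect # nil
  puts csr_mismatch_warning(stale_csr, current, 'puppet.example')
end
```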

                People

                • Assignee: qa qa
                • Reporter: Ethan Brown