Project: Puppet
Issue: PUP-7737

Add HTTP report processor setting for including system truststore


Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version: PUP 6.15.0

      Add a report_include_system_store puppet setting to include the system CA store when posting the report to an HTTPS URL. It should default to false.

      If enabled, update the http report processor to pass include_system_store: true in the call to Client#post. Update the `spec/integration/application/apply_spec.rb` to verify this works when the HTTPS server is not the puppet CA, but is in the system store.

      For this ticket, it will only affect when the http report processor is used in puppet apply. A separate SERVER ticket will be needed to update puppetserver's HTTP client implementation.

    • Coremunity
    • Platform Core KANBAN
    • Enhancement
      The "http" report processor forwards puppet reports to the report server based on the Puppet[:reporturl] setting. If an HTTPS URL is specified, then up until now, the processor would only trust the puppet CA when verifying the server's SSL certificate. This change adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor will trust CA certificates in the puppet-agent CA bundle in addition to the puppet CA. This change only affects the "http" processor when running in the context of "puppet apply". A separate change will be made in puppetserver, so that the "http" processor behaves the same as "puppet apply".
    • Needs Assessment

    Description

      This ticket is dependent upon the work being discussed in SERVER-1543 and PUP-5069 to enhance Puppet::Network::HttpPool with configurable support for setting whether or not the "system" truststore should be included for HTTP client requests. For this ticket, we would introduce a new Puppet setting that the HTTP report processor would use to control how the corresponding HttpPool setting is configured.

      We'll need to decide what the default for the setting would be. As chuck argued in this comment in SERVER-1543, it may make sense to set this to "true" by default to make it easier for users to use the HTTP report processor with an externally hosted receiver which is using a cert issued outside of Puppet's PKI, e.g., on a public AWS instance. Defaulting to "true" may constitute a security risk for users accustomed to only having the Puppet PKI cert bundle used.
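Added example (not code from the ticket or from Puppet itself): a small Ruby model of the trust decision the proposed setting controls, using a constructed puppet CA, a constructed "system" CA, and a report server certificate issued by the system CA, as in the spec scenario described above. `build_cert` and `report_server_trusted?` are hypothetical helpers standing in for Puppet's `Client#post`; with the setting false only the puppet CA is trusted, with it true the system CA bundle is added to the store.

```ruby
require 'openssl'

# Constructed test PKI (not Puppet's own): builds a self-signed CA when
# issuer is nil, otherwise a leaf certificate signed by that issuer.
def build_cert(cn, issuer: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**31))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Model of the trust decision described in the ticket (hypothetical helper,
# not Puppet's Client#post): the puppet CA is always trusted; the system
# CA bundle is added to the store only when the setting is true.
def report_server_trusted?(server_cert, puppet_ca_cert, system_ca_certs, include_system_store)
  store = OpenSSL::X509::Store.new
  store.add_cert(puppet_ca_cert)
  system_ca_certs.each { |ca| store.add_cert(ca) } if include_system_store
  store.verify(server_cert)
end

# Constructed scenario from the ticket's spec: the HTTPS report server's
# certificate is issued by a CA that is in the system store, not by the
# puppet CA; a puppet-CA-issued server cert is included for comparison.
PUPPET_CA = build_cert('Puppet CA')
SYSTEM_CA = build_cert('Example Public Root CA')
REPORT_SERVER_CERT = build_cert('reports.example.test', issuer: SYSTEM_CA)[:cert]
PUPPET_SERVER_CERT = build_cert('puppet.example.test', issuer: PUPPET_CA)[:cert]

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |setting|
    trusted = report_server_trusted?(REPORT_SERVER_CERT, PUPPET_CA[:cert], [SYSTEM_CA[:cert]], setting)
    puts "report_include_system_store=#{setting}: report server trusted? #{trusted}"
  end
end
```

The default-false case shows why the ticket weighs the default carefully: a receiver using a publicly issued certificate is rejected unless the operator opts in to the system store.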

      People
        Josh Cooper (josh)
        Jeremy Barlow (jeremy.barlow)
