Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7985

`puppet cert generate` uses the wrong CA certificate

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • QA Risk Assessment:
      Needs Assessment

      Description

      When `puppet cert generate` is invoked, it configures itself as a "local" CA. This configures the indirector for SSL files to use the CA locations, but cache files in the agent location. The intent of this is unclear but it looks like this is done in order to cache generated files in a location that the Puppet agent will read.

      This becomes a problem if the contents of `cacert` does not match the contents of `localcacert`. In an environment where intermediate CA certificates are in use, `cacert` needs to contain the intermediate CA certificate (since it contains information used during signing certificates) while `localcacert` needs to contain the root certificate (because the Puppet agent needs the root certificate in order to validate the server SSL certificate chain).

      If this case occurs, when Puppet configures itself to use the CA file terminii but uses the normal SSL file terminii as a cache. Because the cached files are consulted first Puppet will ignore the `cacert` location and read the `localcacert` file. Because Puppet is reading the `cakey` file for signing certificates but the `localcacert` for certificate information, validating the key against the certificate will fail.

      To add to the fun, when this circumstance appears Puppet is hardcoded to indicate that the agent private key and certificate don't match, and debugging this is effectively impossible without injecting pry invocations through the source code.

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  adrien Adrien Thebo
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: