Puppet / PUP-9638

Add an option to verify the CA bundle download against a fingerprint

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.7.0
    • Component/s: None
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using:

      $ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
      67aa4502b29c54f2b0984a322f06032103d75de29401d1b4416cb4f4f6dd8504
    • QA Risk Assessment:
      Needs Assessment

      Description

      Historically puppet has downloaded the CA bundle over an unauthenticated connection (the agent has no CA bundle yet, so it cannot authenticate the server it downloads from). This is insecure, but it is how puppet has worked since SSL support was originally added.

      It should be possible for puppet to compare the downloaded CA bundle (/etc/puppetlabs/puppet/ssl/certs/ca.pem) against a SHA-256 fingerprint. If the fingerprint does not match, the agent should error, not save the bundle to disk, and abort the run, so that an attacker on the network path can never get a substituted CA trusted.
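      The check described above and the `ca_fingerprint` procedure from the release notes, written out as an added example in Ruby (Puppet's implementation language). This is illustrative code, not the change that shipped in PUP 6.7.0 and not any Puppet API. It digests the PEM bytes exactly as `openssl dgst -sha256 -r ca.pem` does, compares in constant time, and refuses to write `ca.pem` when the digest differs. The function names, the acceptance of upper-case or colon-separated digests, and the throwaway self-signed test CA are all assumptions made for the example.

```ruby
require 'openssl'

# Added example, not Puppet's own code. The digest is computed over the
# PEM file bytes, matching `openssl dgst -sha256 -r ca.pem` from the
# release notes (not `openssl x509 -fingerprint`, which digests the DER).

# Accepting upper-case hex and ':' separators is an assumption for this
# example, not a documented behaviour of the ca_fingerprint setting.
def normalize_fingerprint(value)
  hex = value.to_s.strip.delete(':').downcase
  unless hex.match?(/\A\h{64}\z/)
    raise ArgumentError, "ca_fingerprint must be a 64-hex-digit SHA-256 digest, got #{value.inspect}"
  end
  hex
end

def ca_bundle_fingerprint(pem)
  OpenSSL::Digest.new('SHA256').hexdigest(pem)
end

# Byte-wise constant-time compare (portable across openssl gem versions).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def ca_bundle_matches?(pem, expected)
  constant_time_equal?(ca_bundle_fingerprint(pem), normalize_fingerprint(expected))
end

# The behaviour the issue asks for: on mismatch raise and leave nothing
# on disk; on match write atomically so a crash cannot leave a torn file.
def install_ca_bundle(pem, expected, path)
  actual = ca_bundle_fingerprint(pem)
  unless ca_bundle_matches?(pem, expected)
    raise "CA bundle digest #{actual} does not match ca_fingerprint " \
          "#{normalize_fingerprint(expected)}; refusing to save #{path}"
  end
  tmp = "#{path}.#{Process.pid}.tmp"
  File.binwrite(tmp, pem)
  File.rename(tmp, path)
  path
end

# Constructed test input: a throwaway self-signed CA standing in for the
# puppetserver's ca.pem. Not a real Puppet CA.
def make_test_ca_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  pem    = make_test_ca_pem
  pinned = ca_bundle_fingerprint(pem) # the value an admin would put in ca_fingerprint
  puts "ca_fingerprint = #{pinned}"
  puts "genuine bundle accepted:  #{ca_bundle_matches?(pem, pinned)}"
  puts "tampered bundle accepted: #{ca_bundle_matches?(pem + "\n", pinned)}"
end
```

      Because the digest covers the file bytes as served, the pinned value must come from the same ca.pem the agents will download; re-wrapping, re-ordering or appending certificates to the bundle changes the digest even though the certificates inside are unchanged, which is exactly the property that makes a substituted bundle detectable.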

            People

            • Assignee: Josh Cooper (josh)
            • Reporter: Josh Cooper (josh)
            • Votes: 0
            • Watchers: 3
