Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9638

Add an option to verify the CA bundle download against a fingerprint

    XMLWordPrintable

Details

    • Improvement
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • PUP 6.7.0
    • None
    • Enhancement
    • Hide
      If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using:

      $ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
      67aa4502b29c54f2b0984a322f06032103d75de29401d1b4416cb4f4f6dd8504
      Show
      If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using: $ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' ' 67aa4502b29c54f2b0984a322f06032103d75de29401d1b4416cb4f4f6dd8504
    • Needs Assessment

    Description

      Historically puppet has downloaded the CA bundle using an unauthenticated connection (since we don't have CA bundle yet). This is insecure, but it's how puppet has worked since SSL support was originally added.

      It should be possible for puppet to compare the downloaded CA bundle (/etc/puppetlabs/puppet/ssl/certs/ca.pem) against a SHA-256 fingerprint. If the fingerprint does not match, the agent should error, not save the bundle to disk and abort the run.

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. PUP-10639 renew cached Puppet CA on Puppet client

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Accepted

          Activity

            People

              josh Josh Cooper
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support