  1. Puppet Server
  2. SERVER-1728

Altogether avoiding OpenSSL:X509 is not an acceptable solution in user-space as user code may need to use this library



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Duplicate
    • SERVER 2.y
    • None
    • Puppet Server
    • None
    • Needs Assessment


      As noted in several tickets, Puppet code has been refactored to avoid calls to JRuby's OpenSSL library when code is running in Puppet Server context. This is due to several bugs associated with this implementation. Example of one of these tickets: https://tickets.puppetlabs.com/browse/PUP-3676

      Unfortunately, there are valid use cases for user code to need to access this functionality. In our case, we have a custom Puppet function which generates certificates as part of an automated SSL provisioning process. This code has run fine for us in Puppet 3, but as we are just now getting the chance to upgrade to Puppet 4, we need to figure out how to make this code work when running under Puppet Server.

      The bug we ran into was with Subject Alt-Name, referenced here: https://github.com/jruby/jruby-openssl/issues/102

      For us, having Puppet Server use this version of JRuby OpenSSL would solve our issue. But, the bigger issue is that the Puppet dev team seems to have decided that JRuby's OpenSSL is simply tainted and should be avoided altogether, so no attempts are made to improve it nor are any suitable alternatives provided when running under Puppet Server. This leaves users like us in a really bad place. Puppet Server forces JRuby on us and gives us seemingly no recourse for patching this behavior.

      Moving to JRuby makes sense for Puppet Server, but you guys can't just pretend such a core JRuby lib doesn't exist, imho.

      There needs to be a way for users like us to work around this easily.

      Or, if there is already such an option, it should be documented specifically due to the nature of this particular lib and the way Puppet has chosen to handle it.





              Unassigned Unassigned
              jmcclellan_dsc Jason McClellan