Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2019

ssl-util can only load pkcs #1 formated keys, not pkcs #8

          Details

          • Type: Bug
          • Status: Resolved
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: SERVER 6.6.0
          • Component/s: None
          • Environment:

            Puppet Enterprise 2017.3.1

          • CS Priority:
            Normal
          • CS Frequency:
            2 - 5-25% of Customers
          • CS Severity:
            3 - Serious
          • CS Business Value:
            4 - $$$$$
          • CS Impact:
            Hide
            The intermediate CA setup is difficult from the start, and then to run into autosigning not working, not great.

            The large users who want intermediate CAs are also quite likely to want autosigning. Many of them will have some sort of automated provisioning which need this functionality.
            Show
            The intermediate CA setup is difficult from the start, and then to run into autosigning not working, not great. The large users who want intermediate CAs are also quite likely to want autosigning. Many of them will have some sort of automated provisioning which need this functionality.
          • Release Notes:
            Bug Fix
          • Release Notes Summary:
            Puppet Server's CA can now handle keys in the PKCS#8 format, which is required when running in FIPS mode.
          • QA Risk Assessment:
            Needs Assessment

            Description

            Important caveats for reproduction:

            • Puppet server configured as intermediate CA to on-site root CA
            • Using this module: https://github.com/dnase/autosign
            • When piping a CSR into the script manually, everything works fine. Exit code 0
            • Also tested autosign script using puppetserver jruby (/opt/puppetlabs/server/bin/puppetserver ruby)
            • puppet.conf on the MoM is set with autosign = /etc/puppetlabs/puppet/autosign.rb
            • pe-puppet owns autosign.rb, permissions are 700

            Conditions:

            • No errors show in the logs
            • CSRs do not get autosigned
            • `puppet cert sign` works fine, but signing certificates through the console does not work.

              Attachments

                Issue Links

                relates to

                Epic - Created by JIRA Software - do not edit or delete. Issue type for a big user story that needs to be broken down. PUP-7877 Future Work for Intermediate CA Improvements

                • Critical - Crashes, loss of data, severe memory leak.
                • Closed

                  Activity

                    jsd-sla-details-panel

                      People

                      • Assignee:
                        justin Justin Stoller
                        Reporter:
                        drew.nase Andrew Nase
                      • Votes:
                        0 Vote for this issue
                        Watchers:
                        12 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved: