  1. Puppet Server
  2. SERVER-2019

ssl-util can only load pkcs #1 formatted keys, not pkcs #8

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.6.0
    • Component/s: None
    • Environment:

      Puppet Enterprise 2017.3.1

    • Template:
    • Team:
      Froyo
    • Method Found:
      Needs Assessment
    • CS Priority:
      Normal
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      4 - $$$$$
    • CS Impact:
      The intermediate CA setup is difficult from the start, and then to run into autosigning not working, not great.

      The large users who want intermediate CAs are also quite likely to want autosigning. Many of them will have some sort of automated provisioning which needs this functionality.
    • Zendesk Ticket IDs:
      33090
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet Server's CA can now handle keys in the PKCS#8 format, which is required when running in FIPS mode.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Important caveats for reproduction:

      • Puppet server configured as intermediate CA to on-site root CA
      • Using this module: https://github.com/dnase/autosign
      • When piping a CSR into the script manually, everything works fine. Exit code 0
      • Also tested autosign script using puppetserver jruby (/opt/puppetlabs/server/bin/puppetserver ruby)
      • puppet.conf on the MoM is set with autosign = /etc/puppetlabs/puppet/autosign.rb
      • pe-puppet owns autosign.rb, permissions are 700

      Conditions:

      • No errors show in the logs
      • CSRs do not get autosigned
      • `puppet cert sign` works fine, but signing certificates through the console does not work.

              People

              Assignee:
              justin Justin Stoller
              Reporter:
              drew.nase Andrew Nase