  1. Puppet Server
  2. SERVER-2019

ssl-util can only load PKCS #1 formatted keys, not PKCS #8

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.6.0
    • Component/s: None
    • Environment:

      Puppet Enterprise 2017.3.1

    • CS Priority:
      Normal
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      4 - $$$$$
    • CS Impact:
      The intermediate CA setup is difficult from the start, and then to run into autosigning not working, not great.

      The large users who want intermediate CAs are also quite likely to want autosigning. Many of them will have some sort of automated provisioning which needs this functionality.
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet Server's CA can now handle keys in the PKCS#8 format, which is required when running in FIPS mode.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Important caveats for reproduction:

      • Puppet server configured as intermediate CA to on-site root CA
      • Using this module: https://github.com/dnase/autosign
      • When piping a CSR into the script manually, everything works fine. Exit code 0
      • Also tested autosign script using puppetserver jruby (/opt/puppetlabs/server/bin/puppetserver ruby)
      • puppet.conf on the MoM is set with autosign = /etc/puppetlabs/puppet/autosign.rb
      • pe-puppet owns autosign.rb, permissions are 700

      Conditions:

      • No errors show in the logs
      • CSRs do not get autosigned
      • `puppet cert sign` works fine, but signing certificates through the console does not work.
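
      A check relevant to this ticket's title, as an added example (not code from the ticket or from Puppet Server): it reports which container a PEM private key uses by reading the DER structure instead of trusting the PEM label. The function names are this example's own, and the sample keys are constructed skeletons that carry only the outer structure.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_der(der):
    """Name the private-key container from the first two fields of the outer SEQUENCE."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    first_tag, _, first_end = _read_tlv(der, start)
    if first_tag == 0x30:   # AlgorithmIdentifier comes first: EncryptedPrivateKeyInfo
        return "pkcs8-encrypted"
    if first_tag != 0x02:   # every unencrypted form starts with an INTEGER version
        return "unknown"
    second_tag, _, _ = _read_tlv(der, first_end)
    # INTEGER -> PKCS#1 modulus, SEQUENCE -> PKCS#8 AlgorithmIdentifier, OCTET STRING -> SEC1
    return {0x02: "pkcs1", 0x30: "pkcs8", 0x04: "sec1-ec"}.get(second_tag, "unknown")

def classify_pem(text):
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), classify_der(base64.b64decode(m.group(2)))

# Constructed DER skeletons (structure only, not usable keys).
def _tlv(tag, value):  # short-form length, enough for these samples
    return bytes([tag, len(value)]) + value
def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
PKCS1 = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00\xc3\x5b\x11\x0d") + _tlv(0x02, b"\x01\x00\x01"))
RSA_ALG = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
PKCS8 = _tlv(0x30, _tlv(0x02, b"\x00") + RSA_ALG + _tlv(0x04, PKCS1))

if __name__ == "__main__":
    print(classify_pem(to_pem("RSA PRIVATE KEY", PKCS1)), classify_pem(to_pem("PRIVATE KEY", PKCS8)))
```

      A label that disagrees with the detected structure (for example `RSA PRIVATE KEY` over a PKCS#8 body) points to a mislabelled or hand-edited file.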

                People

                • Assignee:
                  justin Justin Stoller
                  Reporter:
                  drew.nase Andrew Nase