Puppet Server / SERVER-2197

Puppetserver needs to serve the CA bundle from the CA cert endpoint

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      When Puppetserver is set up to use a cert bundle, that whole bundle should be served via the CA cert endpoint
    • Team:
      Froyo
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      This ended up being docs changes on its own.
    • QA Risk Assessment:
      Needs Assessment

      Description

      According to the current instructions on how to set up an intermediate CA, the cert bundle should be stored at /etc/puppetlabs/puppet/ssl/certs/ca.pem, but the CA cert location at /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem should contain only the intermediate cert, not the whole bundle. This is a problem, because the server's CA cert endpoint serves from the latter, meaning it only serves up the intermediate CA cert to the agent, not the whole bundle. We should investigate the best way to make sure that the bundle gets served to the agent. It may be possible already to put the bundle in ca_crt.pem, thanks to some updates to our SSL code since those docs were written. If that's the case, we should update the docs, and write our CI tool to use the new locations.
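The mismatch described above can be checked by comparing the certificates in the bundle file against the file the CA cert endpoint serves from. This is an added example, not code from the ticket or from Puppet Server; the function names are hypothetical and the sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate's DER bytes, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def missing_from_served(bundle_pem, served_pem):
    """Fingerprints present in the bundle but absent from the served file."""
    served = set(fingerprints(served_pem))
    return [fp for fp in fingerprints(bundle_pem) if fp not in served]

def check(bundle_pem, served_pem):
    """Summarise whether the served file carries the whole bundle."""
    missing = missing_from_served(bundle_pem, served_pem)
    return {"bundle_certs": len(fingerprints(bundle_pem)),
            "served_certs": len(fingerprints(served_pem)),
            "missing": missing,
            "ok": not missing}

def fake_pem(label):
    # Constructed placeholder: distinct bytes in PEM armor, NOT a real X.509 cert.
    b64 = base64.b64encode(label.encode() * 8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

ROOT = fake_pem("constructed-root-ca")
INTERMEDIATE = fake_pem("constructed-intermediate-ca")
# Stand-ins for the two files named in the description:
BUNDLE_CA_PEM = INTERMEDIATE + ROOT   # .../ssl/certs/ca.pem (whole bundle)
SERVED_CA_CRT_PEM = INTERMEDIATE      # .../ssl/ca/ca_crt.pem (intermediate only)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py <bundle ca.pem> <ca_crt.pem>
        with open(sys.argv[1]) as b, open(sys.argv[2]) as s:
            result = check(b.read(), s.read())
    else:
        result = check(BUNDLE_CA_PEM, SERVED_CA_CRT_PEM)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run with the two file paths from the description as arguments; a non-zero exit means agents fetching from the CA cert endpoint would not receive every certificate in the bundle.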

              People

              Assignee:
              Justin Stoller (justin)
              Reporter:
              Maggie Dreyer (maggie)
              Votes:
              0
              Watchers:
              3
