Puppet Server / SERVER-2518

Puppetserver CA changes string types in host certs (PrintableString -> UTF8String), resulting in invalid cert validation

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: SERVER 6.3.0
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Labels: None
    • Environment: CentOS 7 puppetserver, latest upgrades
    • QA Risk Assessment: Needs Assessment

      Description

      Puppet Version: 6.4.0
      Puppet Server Version: 6.3.0
      OS Name/Version: CentOS 7 & 6

      When running Puppet 6 with an imported intermediate CA, the puppetserver will create host certs incorrectly by changing the ASN.1 string types in the host certs' issuer field to "UTF8STRING", even though the intermediate CA cert CN has them as "PRINTABLESTRING".

      The local puppetserver host cert seems to be the exception. I assume that it's created with a different mechanism during bootstrapping.

      The different field types should not matter (according to the RFC specs). However, moznss (which curl is linked against on CentOS) as well as gnutls simply compare the issuer between CA and host cert bytewise and therefore complain about "Unknown issuer" / invalid certificates even when given the correct CA cert.

      Here's a Mozilla bug report (3 years old) for the issue in moznss:

      https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1239313

      Desired Behavior:

      Even though nss/gnutls are the ones violating the specs here, the puppetserver CA should preserve the correct field types from the intermediate CA when signing certificates for hosts!

      Other CA tools (e.g. xca) will do exactly that.

      Actual Behavior:

      Here are some abbreviated samples (obtained using openssl asn1parse).

      Our intermediate CA CN:


      SEQUENCE
       SET
        SEQUENCE
         OBJECT :countryName
         PRINTABLESTRING :DE
       SET
        SEQUENCE
         OBJECT :stateOrProvinceName
         PRINTABLESTRING :Hessen


      The issuer in the puppetserver cert:

      SEQUENCE
       SET
        SEQUENCE
         OBJECT :countryName
         PRINTABLESTRING :DE
       SET
        SEQUENCE
         OBJECT :stateOrProvinceName
         PRINTABLESTRING :Hessen


      The issuer in a host cert signed by the puppetserver CA:

      SEQUENCE
       SET
        SEQUENCE
         OBJECT :countryName
         PRINTABLESTRING :DE
       SET
        SEQUENCE
         OBJECT :stateOrProvinceName
         UTF8STRING :Hessen
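To make the mismatch concrete, here is an added example in pure Python (not Puppet Server's code and not the reporter's): a minimal DER encoder/decoder for X.509 Name values that rebuilds the two issuer encodings shown in the samples above, compares them byte for byte the way the report says moznss and gnutls do, compares them attribute by attribute in the RFC 5280 section 7.1 style, and shows the behaviour the reporter asks for (the CA subject's DER copied into the issuer unchanged). The C=DE, ST=Hessen DER bytes are constructed inline from the samples; only short-form lengths are handled, and the string preparation only approximates RFC 4518.

```python
# Added example, not Puppet Server code: a minimal DER encoder/decoder for X.509 Name
# values, showing why re-encoding an issuer attribute as UTF8String breaks a byte-for-byte
# issuer match while an RFC 5280-style attribute comparison still succeeds.

# ASN.1 universal tags used below
TAG_OID, TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x06, 0x0C, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31

# DER-encoded OIDs (with their OBJECT IDENTIFIER header) for the attributes in the report:
# id-at-countryName (2.5.4.6) and id-at-stateOrProvinceName (2.5.4.8)
OID_COUNTRY = bytes.fromhex("0603550406")
OID_STATE = bytes.fromhex("0603550408")
OID_NAMES = {OID_COUNTRY: "countryName", OID_STATE: "stateOrProvinceName"}
TAG_NAMES = {TAG_PRINTABLESTRING: "PRINTABLESTRING", TAG_UTF8STRING: "UTF8STRING"}


def der_tlv(tag, content):
    """Encode one tag-length-value element; short-form length is enough for this example."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([tag, len(content)]) + content


def parse_tlv(buf, pos=0):
    """Decode one short-form TLV at pos and return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def encode_name(attrs):
    """Encode [(oid_der, string_tag, value)] as Name ::= SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b"".join(
        der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, oid + der_tlv(tag, value.encode("utf-8"))))
        for oid, tag, value in attrs)
    return der_tlv(TAG_SEQUENCE, rdns)


def decode_name(der):
    """Decode a Name back into [(oid_der, string_tag, value)], keeping each value's string tag."""
    tag, content, _ = parse_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(content):
        set_tag, rdn, pos = parse_tlv(content, pos)
        attr_tag, attr, _ = parse_tlv(rdn)
        if set_tag != TAG_SET or attr_tag != TAG_SEQUENCE:
            raise ValueError("malformed RelativeDistinguishedName")
        oid_tag, _, value_pos = parse_tlv(attr)
        if oid_tag != TAG_OID:
            raise ValueError("attribute type must be an OBJECT IDENTIFIER")
        value_tag, value, _ = parse_tlv(attr, value_pos)
        # keep the whole OID TLV so the attribute can be re-emitted verbatim
        attrs.append((attr[:value_pos], value_tag, value.decode("utf-8")))
    return attrs


def asn1parse_style(der):
    """Render a Name roughly the way the openssl asn1parse excerpts in the report do."""
    return [f"{OID_NAMES.get(oid, oid.hex())} {TAG_NAMES.get(tag, hex(tag))} :{value}"
            for oid, tag, value in decode_name(der)]


def issuer_matches_bytewise(ca_subject_der, cert_issuer_der):
    """The check the report attributes to moznss/gnutls: the encoded Names must be identical."""
    return ca_subject_der == cert_issuer_der


def _prep(value):
    # Approximates RFC 4518 string preparation: case folding plus insignificant-space handling
    return " ".join(value.split()).casefold()


def issuer_matches_rfc5280(ca_subject_der, cert_issuer_der):
    """RFC 5280 section 7.1 style: compare attribute types and prepared values, not string tags."""
    a = [(oid, _prep(v)) for oid, _, v in decode_name(ca_subject_der)]
    b = [(oid, _prep(v)) for oid, _, v in decode_name(cert_issuer_der)]
    return a == b


def issuer_preserving_types(ca_subject_der):
    """Desired CA behaviour from the report: the issuer is the CA subject's DER, untouched."""
    return bytes(ca_subject_der)


def issuer_reencoded_as_utf8(ca_subject_der):
    """Behaviour the report describes: attributes other than countryName come back as UTF8String."""
    return encode_name([(oid, tag if oid == OID_COUNTRY else TAG_UTF8STRING, value)
                        for oid, tag, value in decode_name(ca_subject_der)])


# Constructed stand-in for the reporter's intermediate CA subject: C=DE, ST=Hessen, both PrintableString
CA_SUBJECT = encode_name([(OID_COUNTRY, TAG_PRINTABLESTRING, "DE"),
                          (OID_STATE, TAG_PRINTABLESTRING, "Hessen")])

if __name__ == "__main__":
    for label, issuer in (("preserved", issuer_preserving_types(CA_SUBJECT)),
                          ("re-encoded", issuer_reencoded_as_utf8(CA_SUBJECT))):
        print(label, asn1parse_style(issuer))
        print("  bytewise match:", issuer_matches_bytewise(CA_SUBJECT, issuer),
              " rfc5280 match:", issuer_matches_rfc5280(CA_SUBJECT, issuer))
```

Running it prints the two issuer encodings in the same shape as the asn1parse output above: the preserved issuer matches under both checks, while the re-encoded one differs in exactly one byte (the 0x13 PrintableString tag becomes 0x0C UTF8String) and therefore fails the bytewise check even though the RFC-style comparison accepts it. The practical check for a deployment is the same one the reporter did: dump the CA subject and a host cert's issuer with openssl asn1parse and confirm the string tags agree.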

      Reporter: fstelzer Fabian Stelzer
      Assignee: Unassigned