Puppet Server / SERVER-2603

Puppetserver ca generate converts serial to decimal

    Details

    • Template:
      PUP Bug Template
    • Team:
      Froyo
    • Method Found:
      Customer Feedback
    • CS Priority:
      Needs Priority
    • Zendesk Ticket IDs:
      35760,36174,38912,44506
    • Zendesk Ticket Count:
      4
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      The Puppet Server CA CLI now correctly uses hex serial numbers for certs.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.x
      Puppet Server Version: 6.x
      OS Name/Version: EL 7

      Puppetserver cli 1.3.1 will convert the serial file from a hex number to an integer when running puppetserver ca generate --certname testing --ca-client. Unfortunately, this will cause duplicate serials to be used in new certificates. The issue we saw this with reverted 0x686B to 0x0678, so new certificates used already-provisioned serials, some of which were revoked. Thousands more would have been reused.

      This looks to be caused by converting the hex to an int here: https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L96 instead of to_i(16), and then when it is written at https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L262 instead of serial.to_s(16).

      Desired Behavior:

      Running puppetserver ca generate --certname testing --ca-client should increment the serial file.

      Actual Behavior:

      Running puppetserver ca generate --certname testing --ca-client converts the hex serial file into a decimal, which can be lower than the hex value, causing it to reuse serial numbers on future certificate generation.

      Examples:

      [root@pe-201910-master ca]# cat serial 
      014B
      [root@pe-201910-master ca]# puppetserver ca generate --certname testing --ca-client
      Successfully saved certificate for testing to /etc/puppetlabs/puppet/ssl/certs/testing.pem
      Successfully saved certificate for testing to /etc/puppetlabs/puppet/ssl/ca/signed/testing.pem
      Successfully saved private key for testing to /etc/puppetlabs/puppet/ssl/private_keys/testing.pem
      Successfully saved public key for testing to /etc/puppetlabs/puppet/ssl/public_keys/testing.pem
      [root@pe-201910-master ca]# cat serial 
      15
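
The following is an added example, not code from puppetserver-ca-cli: it reproduces the base-10 read/write pattern described above next to a base-16 version, and adds a check for already-issued serials that the counter would hand out again. The function names, the `%04X` padding and the list of issued serials are assumptions constructed for illustration.

```ruby
require "tmpdir"

# Pattern described in the report: base-10 parse, base-10 write.
def next_serial_buggy(path)
  serial = File.read(path).strip.to_i       # "014B" -> 14, parsing stops at "B"
  File.write(path, (serial + 1).to_s)       # file now holds "15"
  serial
end

# Corrected pattern: base 16 on both the read and the write.
def next_serial_fixed(path)
  text = File.read(path).strip
  raise ArgumentError, "serial file is not hex: #{text.inspect}" unless text.match?(/\A\h+\z/)
  serial = text.to_i(16)
  File.write(path, format("%04X", serial + 1))  # padding width is an assumption
  serial
end

# Defensive check: issued serials at or above the counter (file read as hex,
# its intended format) would be reissued to new certificates.
def reusable_serials(path, issued)
  counter = File.read(path).strip.to_i(16)
  issued.select { |s| s >= counter }.sort
end

def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "serial")
    issued = (1..0x014A).to_a               # constructed: 0x0001..0x014A already issued

    File.write(path, "014B")
    used_fixed = next_serial_fixed(path)
    fixed = [used_fixed, File.read(path), reusable_serials(path, issued + [used_fixed]).size]

    File.write(path, "014B")
    used_buggy = next_serial_buggy(path)
    buggy = [used_buggy, File.read(path), reusable_serials(path, issued).size]

    { fixed: fixed, buggy: buggy, buggy_serial_already_issued: issued.include?(used_buggy) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

A non-empty result from `reusable_serials` means the counter has fallen behind what the CA already issued and should be corrected before any further certificates are generated.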
      

            People

            Assignee:
            Unassigned
            Reporter:
            jarret.lavallee Jarret Lavallee