Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- SERVER 6.5.0
- Froyo
- Customer Feedback
- Needs Priority
- 35760,36174,38912,44506
- 4
- Bug Fix
- The Puppet Server CA CLI now correctly uses hex serial numbers for certs.
- Needs Assessment
Description
Puppet Version: 6.x
Puppet Server Version: 6.x
OS Name/Version: EL 7
Puppetserver cli 1.3.1 will convert the serial file from a hex number to an integer when running puppetserver ca generate --certname testing --ca-client. Unfortunately, this will cause duplicate serials to be used in new certificates. The issue we saw this with reverted 0x686B to 0x0678, so new certificates used already provisioned serials, some of which were revoked. Thousands more would have been reused.
This looks to be caused by converting the hex serial to an int here: https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L96 (to_i instead of to_i(16)), and then writing it back as a decimal string here: https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L262 (instead of serial.to_s(16)).
Desired Behavior:
Running puppetserver ca generate --certname testing --ca-client should increment the serial file.
Actual Behavior:
Running puppetserver ca generate --certname testing --ca-client converts the hex serial file into a decimal which can be lower than the hex value, causing it to reuse serial numbers on future certificate generation.
Examples:
[root@pe-201910-master ca]# cat serial
014B
[root@pe-201910-master ca]# puppetserver ca generate --certname testing --ca-client
Successfully saved certificate for testing to /etc/puppetlabs/puppet/ssl/certs/testing.pem
Successfully saved certificate for testing to /etc/puppetlabs/puppet/ssl/ca/signed/testing.pem
Successfully saved private key for testing to /etc/puppetlabs/puppet/ssl/private_keys/testing.pem
Successfully saved public key for testing to /etc/puppetlabs/puppet/ssl/public_keys/testing.pem
[root@pe-201910-master ca]# cat serial
15
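To make the failure mode above concrete, here is an added example (not code from puppetserver-ca-cli) that models the base-10 and base-16 handling of the serial file side by side, and adds a regression check a CA operator can run against the highest serial already issued; the zero-padded `%04X` file format and the helper names are assumptions.

```ruby
# Added example, not the puppetserver-ca-cli implementation. The CA serial
# file is modelled as a zero-padded upper-case hex string such as "014B";
# the "%04X" width is an assumption.

# Buggy behaviour: String#to_i parses base 10 and stops at the first
# non-decimal character, so "014B" is read as 14 and written back as "15".
def next_serial_buggy(contents)
  serial = contents.strip.to_i
  (serial + 1).to_s
end

# Fixed behaviour: read and write the serial as base 16, so "014B" (331)
# advances to "014C" (332).
def next_serial_fixed(contents)
  serial = contents.strip.to_i(16)
  format('%04X', serial + 1)
end

# Operator check: interpret both values as hex, as the CA does, and flag a
# serial file that has fallen below the highest serial already issued
# (take that value from the CA's existing certificate records). Any such
# regression means future certificates will reuse serials.
def serial_regressed?(serial_file_contents, highest_issued_hex)
  serial_file_contents.strip.to_i(16) < highest_issued_hex.strip.to_i(16)
end

if $PROGRAM_NAME == __FILE__
  before = "014B\n"                      # constructed sample serial file
  after_buggy = next_serial_buggy(before)
  after_fixed = next_serial_fixed(before)
  puts "buggy: #{after_buggy}"           # "15", as observed in the report
  puts "fixed: #{after_fixed}"           # "014C"
  puts "regressed? #{serial_regressed?(after_buggy, before)}"  # true
  puts "regressed? #{serial_regressed?(after_fixed, before)}"  # false
end
```

The check reads "15" as 0x15 (21), which is below 0x014B (331), so it reports the regression the ticket describes.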