Affects Version/s: SERVER 6.7.0
Component/s: Puppet Server
Short description of my environment, for more information please refer to the Blog Post I put into the description above. If contains my openssl.cnf files and a script to setup the Root and Intermediate CA. It also creates the files needed for the Puppet installer.
CAs running on CentOS 7, fully patched
Puppet Enterprise running on Ubuntu 18.04Short description of my environment, for more information please refer to the Blog Post I put into the description above. If contains my openssl.cnf files and a script to setup the Root and Intermediate CA. It also creates the files needed for the Puppet installer. CAs running on CentOS 7, fully patched Puppet Enterprise running on Ubuntu 18.04
Template:SCaR Bug Template - Puppet Enterprise Platform customfield_10700 415386
- An upload of a newly created CRL is possible
- Log messages in PE server log are more useful and give more insights, why a CRL is considered invalid.
Sprint:Froyo - 10/20/2021, Froyo - 11/3/2021, Froyo - 11/17/2021
Release Notes:Bug Fix
Release Notes Summary:The CRL update endpoint will now issue a meaningful error message when a CRL without an authority key identifier is sent in the request body.
QA Risk Assessment:Needs Assessment
I'm testing this setup for one of my customers. He's in the health industry and regulations demand that he has to use his own Intermediate CA for PE. He didn't manage to get this running, that's why I tested it to be able to give the customer some help. That's why I discovered a problem with uploading new CRLs into Puppet Server.
For information on how I setup my Root and Intermediate CA and how I installed Puppet Enterprise 2019.8.8 running into this issue, please refer to https://blog.tom-krieger.de/2021/09/10/puppet-enterprise-with-intermediate-ca/
You find all steps I did there and you can also find the openssl.cnf files and a script to create the CAs. Puppet Enterprise runs well after these steps. I have my own intermediate CA in Puppet Enterprise. I double checked this by
Due to the docs it is important, to take care about the CRLs using an own intermediate CA. So I created a shell script and tried to upload a new CRL. And that's where my problems start. I can not upload a newly created CRL. It always results in an error 400 and it is unimportant if I use a a with openssl created CRL or an invalid one. Both result in the same message. I turned up Puppet Server logging to trace level and did not find a useful error message in the logs explaining me what went wrong and why my newly generated CRL is not accepted.
I tried to do the upload with curl, Postman and a self written Ruby client. All three have the new CRL in the body of the request. Postman and Ruby both result in an error 500 producing a stack trace in the puppet server logs with "[nil (named
Using curl always results in an error 400 or if I use data-binary option, in an error 500 with the above described stack trace.
I tried the following CRLs:
- new CRL for the Intermediate CA
- new CRL for the root CA
- combination of new CRL of intermediate CA and Root CA
- a CRL which contains a revoked server certificate
I also checked the /etc/puppetlabs/puppetserver/conf.d/auth.conf file if the path for CRL upload is set correctly. And as far as I can see, the settings are ok.
Why do I open this ticket:
- The 400 error does not give any hint, why the CRL is considered invalid. That makes it very difficult for customers and me to deal with it.
- The Puppet Server logs are currently not very helpful
- I need some advice how to get the CRL upload running
If you need further information please don't hesitate to contact me.
- Determine whether there is a bug here and, if so, fix it.
- Otherwise, determine what the user is doing wrong to get these errors.
* Regardless of whether this is a bug or not, improve the error messaging for this endpoint.