Details
-
Bug
-
Status: Resolved
-
Normal
-
Resolution: Fixed
-
SERVER 6.7.0
-
Short description of my environment, for more information please refer to the Blog Post I put into the description above. It contains my openssl.cnf files and a script to setup the Root and Intermediate CA. It also creates the files needed for the Puppet installer.
CAs running on CentOS 7, fully patched
Puppet Enterprise running on Ubuntu 18.04
-
- An upload of a newly created CRL is possible
- Log messages in the PE server log are more useful and give more insight into why a CRL is considered invalid.
-
Froyo
-
2
-
Froyo - 10/20/2021, Froyo - 11/3/2021, Froyo - 11/17/2021
-
Bug Fix
-
The CRL update endpoint will now issue a meaningful error message when a CRL without an authority key identifier is sent in the request body.
-
Needs Assessment
Description
I'm testing this setup for one of my customers. He's in the health industry and regulations demand that he has to use his own Intermediate CA for PE. He didn't manage to get this running, which is why I tested it to be able to give the customer some help. That's how I discovered a problem with uploading new CRLs into Puppet Server.
For information on how I set up my Root and Intermediate CA and how I installed Puppet Enterprise 2019.8.8 and ran into this issue, please refer to https://blog.tom-krieger.de/2021/09/10/puppet-enterprise-with-intermediate-ca/
You can find all the steps I did there, and you can also find the openssl.cnf files and a script to create the CAs. Puppet Enterprise runs well after these steps. I have my own intermediate CA in Puppet Enterprise. I double-checked this by running:
root@okdsrv:~# openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/signed/okdsrv.home.tom-krieger.de.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Bavaria, O = <example corp>, OU = IT, CN = Intermediate CA, emailAddress = admin@example.com
        Validity
            Not Before: Sep 9 08:26:10 2021 GMT
            Not After : Sep 6 08:26:13 2036 GMT
        Subject: CN = okdsrv.home.tom-krieger.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
According to the docs, it is important to take care of the CRLs when using your own intermediate CA. So I created a shell script and tried to upload a new CRL. And that's where my problems start. I can not upload a newly created CRL. It always results in an error 400, and it does not matter whether I use a CRL created with openssl or an invalid one. Both result in the same message. I turned up Puppet Server logging to trace level and did not find a useful error message in the logs explaining what went wrong and why my newly generated CRL is not accepted.
I tried to do the upload with curl, Postman and a self-written Ruby client. All three have the new CRL in the body of the request. Postman and Ruby both result in an error 500, producing a stack trace in the puppet server logs with a "[nil (named key-crl-map)]" message.
Using curl always results in an error 400 or, if I use the --data-binary option, in an error 500 with the above described stack trace.
I tried the following CRLs:
- new CRL for the Intermediate CA
- new CRL for the root CA
- combination of new CRL of intermediate CA and Root CA
- a CRL which contains a revoked server certificate
I also checked the /etc/puppetlabs/puppetserver/conf.d/auth.conf file to see whether the path for CRL upload is set correctly. And as far as I can see, the settings are ok.
Why I am opening this ticket:
- The 400 error does not give any hint as to why the CRL is considered invalid. That makes it very difficult for customers and me to deal with it.
- The Puppet Server logs are currently not very helpful
- I need some advice on how to get the CRL upload running
If you need further information please don't hesitate to contact me.
Outcomes
- Determine whether there is a bug here and, if so, fix it.
- Otherwise, determine what the user is doing wrong to get these errors.
- Regardless of whether this is a bug or not, improve the error messaging for this endpoint.
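As an added illustration of the condition the release note names (a CRL without an authority key identifier being rejected by the CRL update endpoint), the following Ruby script, written for this page and not part of Puppet Server or the reporter's client, builds a throw-away CA and two CRLs in memory and runs a pre-flight check an operator could apply to a CRL before uploading it. The CA name, the lifetimes and the particular set of checks are assumptions, not anything the ticket specifies.

```ruby
require 'openssl'

# Constructed test data: a throw-away CA key and self-signed CA certificate.
# The subjectKeyIdentifier is needed so a CRL can reference it as its AKI.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Intermediate CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue a v2 CRL signed with +key+ and naming +cert+ as issuer. +with_aki+
# decides whether the authorityKeyIdentifier extension is included, which is
# the difference the CRL endpoint's new error message reports on.
def build_crl(key, cert, with_aki:)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  if with_aki
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.issuer_certificate = cert
    crl.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  end
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  crl.to_pem
end

# Pre-flight check (assumed checks, not Puppet Server's own validation):
# returns the list of problems found, empty if the CRL looks uploadable.
def crl_upload_problems(crl_pem, ca_cert)
  crl = OpenSSL::X509::CRL.new(crl_pem)
  problems = []
  has_aki = crl.extensions.any? { |e| e.oid == 'authorityKeyIdentifier' }
  problems << 'missing authorityKeyIdentifier extension' unless has_aki
  problems << 'signature does not verify against the CA certificate' unless crl.verify(ca_cert.public_key)
  problems << 'nextUpdate is in the past' if crl.next_update && crl.next_update < Time.now
  problems
end
```

Run crl_upload_problems on the PEM you are about to send and on the CA certificate it should chain to; an empty list means the two failure causes the ticket mentions (missing AKI, wrong signer) are ruled out before the HTTP request is made.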