[PUP-10104] puppet device fails when using csr_attributes.yaml Created: 2019/10/15  Updated: 2019/11/21  Resolved: 2019/11/12

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 6.11.0

Type: Bug
Priority: Normal
Reporter: Jonas Verhofsté
Assignee: Jonas Verhofsté
Resolution: Fixed
Votes: 0
Labels: beginner, resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template: PUP Bug Template
Acceptance Criteria:

Create a csr_attributes.yaml file as described in https://puppet.com/docs/puppet/latest/config_file_csr_attributes.html. Run puppet agent, puppet ssl and puppet device and verify the submitted CSR on the CA contains the attributes. For example:

$ cat attributes.yaml
  1.2.840.113549.1.9.7: 342thbjkt82094y0uthhor289jnqthpc2290
  pp_uuid: ED803750-E3C7-44F5-BB08-41A04433FE2E
  pp_image_name: my_ami_image
  pp_preshared_key: 342thbjkt82094y0uthhor289jnqthpc2290
$ bundle exec puppet agent -t --certname test1 --csr_attributes attributes.yaml
Info: Creating a new SSL key for test1
Info: csr_attributes file loading from /Users/josh/work/puppet/attributes.yaml
Info: Creating a new SSL certificate request for test1
Info: Certificate Request fingerprint (SHA256): F3:1F:70:8C:96:14:D6:92:33:39:62:3B:76:4E:72:39:8D:6E:D7:5E:72:73:FE:A5:6C:17:5D:CE:01:0F:78:04
Info: Certificate for test1 has not been signed yet
$ openssl req -in ~/.puppetlabs/etc/puppet/ssl/certificate_requests/test1.pem -noout -text
            challengePassword        :342thbjkt82094y0uthhor289jnqthpc2290
        Requested Extensions:

Team: Coremunity
Sprint: Platform Core KANBAN
Method Found: Needs Assessment
Release Notes: Bug Fix
Release Notes Summary: The `csr_attributes.yaml` file can now be specified when requesting a certificate signing request for a device using "puppet device --target devicename"
QA Risk Assessment: Needs Assessment


Whilst trying to use trusted facts for my puppet device, I noticed that `puppet device --target devicename` fails with the error "OBJ_txt2obj: first num too large". However, manually requesting the cert with `puppet ssl` does work and behaves as expected. Guessing it's related to PUP-9746, or at least a similar issue.

Desired Behavior: First `puppet device` run should request a cert with correct extension requests

Actual Behavior: First `puppet device` run fails with "Cannot create CSR with extension request extension_name: OBJ_txt2obj: first num too large"

Comment by Josh Cooper [ 2019/10/15 ]

Looks like puppet device has the same problem as puppet ssl did. Really the OID registration should occur in the SSLProvider so that individual applications don't need to.

Comment by Josh Cooper [ 2019/10/15 ]

$ git --no-pager grep Puppet::SSL::Oids.register_puppet_oids
lib/puppet/application/agent.rb:    Puppet::SSL::Oids.register_puppet_oids
lib/puppet/application/ssl.rb:    Puppet::SSL::Oids.register_puppet_oids
lib/puppet/test/test_helper.rb:      Puppet::SSL::Oids.register_puppet_oids
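
Added example, not part of the ticket thread or of Puppet's code: a Ruby illustration of why building the CSR fails until the Puppet short names are registered with OpenSSL, and what the CSR carries once they are. The OIDs are the ones Puppet documents for these short names; the long names, the certname `device1`, the sample values and all helper names are assumptions made for this example.

```ruby
require 'openssl'

# Puppet's documented OIDs for two short names from the ticket's attributes.yaml.
PUPPET_OIDS = [
  ['1.3.6.1.4.1.34380.1.1.1', 'pp_uuid', 'Puppet Node UUID'],
  ['1.3.6.1.4.1.34380.1.1.4', 'pp_preshared_key', 'Puppet Node Preshared Key']
].freeze
REQUESTS = { 'pp_uuid' => '00000000-0000-0000-0000-000000000000',
             'pp_preshared_key' => 'example-shared-key' }.freeze # constructed values

def known_to_openssl?(short_name)
  !OpenSSL::ASN1::ObjectId.new(short_name).to_der.empty?
rescue OpenSSL::OpenSSLError
  false
end

# Registering an OID twice raises, so skip names OpenSSL already resolves.
def register_oids(table = PUPPET_OIDS)
  table.each { |oid, sn, ln| OpenSSL::ASN1::ObjectId.register(oid, sn, ln) unless known_to_openssl?(sn) }
end

def build_csr(certname, requests)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  # Extension.new looks the name up in OpenSSL's OID table; unknown names fail here.
  exts = requests.map { |n, v| OpenSSL::X509::Extension.new(n, OpenSSL::ASN1::UTF8String.new(v).to_der, false) }
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Dotted OIDs of the extension requests carried in the signed CSR.
def requested_oids(csr)
  ext_req = csr.attributes.find { |a| a.oid == 'extReq' }
  ext_req.value.value.first.value.map { |ext| ext.value.first.oid }
end

def csr_error(requests)
  build_csr('device1', requests) && nil
rescue OpenSSL::OpenSSLError => e
  "#{e.class}: #{e.message}"
end

BEFORE = csr_error(REQUESTS) # short names not registered yet
register_oids
AFTER = requested_oids(build_csr('device1', REQUESTS))
puts "before: #{BEFORE}", "after: #{AFTER.inspect}"
```

The CSR itself only ever carries the numeric OIDs; the short names are a process-local lookup, which is why each entry point that builds a CSR needs the registration to have run first.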

Comment by Jonas Verhofsté [ 2019/11/08 ]

And now there's https://github.com/puppetlabs/puppet/pull/7816, pretty trivial change I guess.

Comment by Josh Cooper [ 2019/11/08 ]

Merged to https://github.com/puppetlabs/puppet/commit/5154f39aba6d2ff359bb2ef3e0349ce59d7c26cf

Comment by Melissa Stone [ 2019/11/12 ]

This has passed CI as a part of puppet-agent

Comment by Jonas Verhofsté [ 2019/11/21 ]

Just tested it out, works like a charm!
