[PUP-9638] Add an option to verify the CA bundle download against a fingerprint Created: 2019/04/10  Updated: 2019/07/19  Resolved: 2019/07/15

Status: Resolved
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 6.7.0

Type: Improvement Priority: Normal
Reporter: Josh Cooper Assignee: Josh Cooper
Resolution: Fixed Votes: 0
Labels: resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Epic Link: Simplify agent SSL initialization
Team: Coremunity
Sprint: Platform Core KANBAN
Release Notes: Enhancement
Release Notes Summary: If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using:

$ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
QA Risk Assessment: Needs Assessment


Historically puppet has downloaded the CA bundle using an unauthenticated connection (since we don't have a CA bundle yet). This is insecure, but it's how puppet has worked since SSL support was originally added.

It should be possible for puppet to compare the downloaded CA bundle (/etc/puppetlabs/puppet/ssl/certs/ca.pem) against a SHA-256 fingerprint. If the fingerprint does not match, the agent should raise an error, refuse to save the bundle to disk, and abort the run.
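The check described above, as an added Ruby example (this is not Puppet's own implementation; the function names `ca_bundle_matches?` and `save_ca_bundle`, the `CAFingerprintMismatch` error class and the self-signed sample certificate are assumptions made for the illustration). It hashes the raw bytes of the downloaded bundle, which is what the `openssl dgst -sha256 -r ca.pem` command in the release notes produces; note that `openssl x509 -noout -fingerprint -sha256` hashes the DER encoding of the certificate instead and yields a different value, so the two must not be mixed. On mismatch it raises and never writes `ca.pem`:

```ruby
# Added example (not Puppet's own code): verify a downloaded CA bundle
# against a configured SHA-256 fingerprint before it is saved to disk.
require 'openssl'
require 'digest'
require 'fileutils'
require 'tmpdir'

# Normalise a fingerprint so "AB:CD:..." (colon-separated, upper case) compares
# equal to the lowercase hex that `openssl dgst -sha256 -r` prints.
def normalize_fingerprint(fp)
  fp.to_s.strip.delete(':').downcase
end

# Constant-time comparison of two strings, so a mismatch is not
# distinguishable through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# SHA-256 over the raw bytes of the bundle: the same value as
# `openssl dgst -sha256 -r ca.pem | cut -f1 -d' '` on the CA host.
def bundle_fingerprint(pem_bytes)
  Digest::SHA256.hexdigest(pem_bytes)
end

# True only if the configured fingerprint is well-formed and matches.
def ca_bundle_matches?(pem_bytes, expected_fingerprint)
  expected = normalize_fingerprint(expected_fingerprint)
  return false unless expected.match?(/\A\h{64}\z/)
  secure_compare(bundle_fingerprint(pem_bytes), expected)
end

class CAFingerprintMismatch < StandardError; end

# Behaviour requested in the issue: when a fingerprint is configured and does
# not match, raise and do not write ca.pem. The write goes through a temp
# file renamed into place so a partially written bundle is never left behind.
def save_ca_bundle(pem_bytes, path, ca_fingerprint: nil)
  if ca_fingerprint && !ca_bundle_matches?(pem_bytes, ca_fingerprint)
    raise CAFingerprintMismatch,
          "CA bundle fingerprint #{bundle_fingerprint(pem_bytes)} does not " \
          "match the configured ca_fingerprint; not saving #{path}"
  end
  FileUtils.mkdir_p(File.dirname(path))
  tmp = "#{path}.tmp"
  File.open(tmp, 'wb', 0o644) { |f| f.write(pem_bytes) }
  File.rename(tmp, path)
  path
end

# Constructed sample CA certificate (self-signed, generated on the fly); it
# stands in for the bundle an agent would download from the CA host.
def sample_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', 'Example Puppet CA (constructed)']])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  pem = sample_ca_pem
  fp = bundle_fingerprint(pem) # the value an operator would put in ca_fingerprint
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'certs', 'ca.pem')
    puts "saved #{save_ca_bundle(pem, target, ca_fingerprint: fp)}"
    begin
      save_ca_bundle(pem + "\n# tampered", target, ca_fingerprint: fp)
    rescue CAFingerprintMismatch => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Because the digest covers the file bytes, any change to the bundle, even appended whitespace or an extra certificate, changes the fingerprint and is rejected; the operator must therefore recompute the fingerprint whenever the CA bundle on the CA host is changed.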

Comment by Jorie Tappa [ 2019/05/13 ]

We need to decide how exactly this will be implemented and what it affects, i.e. format of fingerprint, checksum type, etc.

Comment by Jorie Tappa [ 2019/06/28 ]

merged to master at cd8d2d03291320a840cd0cdd5c08df62585504e7

Comment by Josh Cooper [ 2019/07/15 ]

Passed CI in f29b9681e7

Comment by Jean Bond [ 2019/07/19 ]

Hey Josh Cooper, just to clarify, if I'm the user trying to get the SHA256 digest of the CA certificate, I run that openssl command on the master? And I assume the number in that is a SHA that is returned, not part of the command; so the command I run is:

$ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '


Comment by Josh Cooper [ 2019/07/19 ]

I run that openssl command on the master?

Yep on the master (or the CA if Puppet[:ca_server] is overridden). Maybe better to phrase it as whichever host the agent downloads the CA bundle from?

And I assume the number in that is a SHA that is returned

Yep exactly

Generated at Sat Aug 08 08:31:26 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.