[PUP-9638] Add an option to verify the CA bundle download against a fingerprint Created: 2019/04/10 Updated: 2019/07/19 Resolved: 2019/07/15
|Fix Version/s:||PUP 6.7.0|
|Reporter:||Josh Cooper||Assignee:||Josh Cooper|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Link:||Simplify agent SSL initialization|
|Sprint:||Platform Core KANBAN|
|Release Notes Summary:|| If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using:
$ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
|QA Risk Assessment:||Needs Assessment|
Historically puppet has downloaded the CA bundle over an unauthenticated connection (since the agent does not have the CA bundle yet). This is insecure, but it is how puppet has worked since SSL support was originally added.
It should be possible for puppet to compare the downloaded CA bundle (/etc/puppetlabs/puppet/ssl/certs/ca.pem) against a SHA-256 fingerprint. If the fingerprint does not match, the agent should raise an error, not save the bundle to disk, and abort the run.
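As an added example (not Puppet's own implementation), here is how the check described above could look in Ruby: the digest is computed over the PEM file bytes, exactly what the `openssl dgst -sha256 -r` command in the release notes prints, compared in constant time, and the bundle is written to disk only after it matches. The self-signed test CA and the `normalize_fingerprint` helper are constructed for the example.

```ruby
require 'openssl'
require 'tmpdir'

# Added example, not Puppet's own code. The fingerprint is the SHA-256 of the
# PEM file bytes, i.e. what `openssl dgst -sha256 -r ca.pem` prints (this is
# NOT the DER fingerprint shown by `openssl x509 -fingerprint`).
class FingerprintMismatch < StandardError; end
# Assumed normalization of an operator-supplied value: tolerate colons,
# surrounding whitespace and upper-case hex.
def normalize_fingerprint(fp)
  fp.to_s.strip.delete(':').downcase
end
def bundle_fingerprint(pem_bytes)
  OpenSSL::Digest::SHA256.hexdigest(pem_bytes)
end
# Constant-time comparison so a mismatch leaks nothing about the expected value.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Returns true when the bundle matches; raises FingerprintMismatch otherwise.
def verify_ca_bundle!(pem_bytes, expected)
  actual = bundle_fingerprint(pem_bytes)
  wanted = normalize_fingerprint(expected)
  return true if secure_equal?(actual, wanted)
  raise FingerprintMismatch, "CA bundle SHA256 #{actual} does not match expected #{wanted}"
end

# Verify first, then write atomically: a bad bundle never reaches `path`.
def install_ca_bundle(pem_bytes, expected, path)
  verify_ca_bundle!(pem_bytes, expected)
  tmp = "#{path}.tmp"
  File.open(tmp, 'w', 0o644) { |f| f.write(pem_bytes) }
  File.rename(tmp, path)
  path
end

# Constructed self-signed CA standing in for the real ca.pem.
def build_test_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now; cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end
```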
|Comment by Jorie Tappa [ 2019/05/13 ]|
We need to decide how exactly this will be implemented and what it affects, i.e. format of fingerprint, checksum type, etc.
|Comment by Jorie Tappa [ 2019/06/28 ]|
merged to master at cd8d2d03291320a840cd0cdd5c08df62585504e7
|Comment by Josh Cooper [ 2019/07/15 ]|
Passed CI in f29b9681e7
|Comment by Jean Bond [ 2019/07/19 ]|
Hey Josh Cooper, just to clarify, if I'm the user trying to get the SHA256 digest of the CA certificate, I run that openssl command on the master? And I assume the number in that is a SHA that is returned, not part of the command; so the command I run is:
|Comment by Josh Cooper [ 2019/07/19 ]|
Yep on the master (or the CA if Puppet[:ca_server] is overridden). Maybe better to phrase it as whichever host the agent downloads the CA bundle from?