[SERVER-1315] Support autosigning with a ca certificate bundle file Created: 2016/05/06  Updated: 2018/04/06  Resolved: 2017/08/30

Status: Closed
Project: Puppet Server
Component/s: None
Affects Version/s: None
Fix Version/s: SERVER 5.1.0

Type: Bug Priority: Normal
Reporter: Eric Sorenson Assignee: Unassigned
Resolution: Fixed Votes: 2
Labels: Server
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to SERVER-1545 Certificate issued from Intermediate ... Resolved
relates to PCP-530 clj-pcp-client cannot be used with ch... Closed
relates to PUP-6697 Allow full downloaded CA bundle to be... Closed
relates to SERVER-1317 HTTP CA Tests Closed
Epic Link: Improve Intermediate CA Support
Team: Server
Story Points: 3
Sprint: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
Release Notes: Bug Fix
QA Risk Assessment: Automate


Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.

While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:

Error: Could not request certificate: Error 500 on SERVER: Internal Server Error: 
java.lang.IllegalArgumentException: The PEM stream must contain exactly 1 certificate

I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.

Comment by Ben Roberts [ 2017/01/31 ]

Would like to see this implemented so that the intermediate CA scenarios described in the "External CA" document can be implemented using puppet's internal certificate signing and distribution mechanism. Ideally we'd like to be able to manually sign master certificates, and autosign agent certificates using different subordinates of our internal PKI.

Comment by Moses Mendoza [ 2017/07/20 ]

Reading the description of this ticket, it seems like the bug being discussed is explicitly surfaced when trying to use autosigning with a CA cert bundle. I've updated the ticket name to reflect that - please let me know if that's not accurate.

Comment by Moses Mendoza [ 2017/08/08 ]

Facility for extraction of ca cert from a chain with validation of the pubkey merged to jvm-ssl-utils/master, here: https://github.com/puppetlabs/jvm-ssl-utils/commit/3d63246bfd86f4afb745648a1d55af880c7907a1

Comment by Moses Mendoza [ 2017/08/09 ]

update to cert extraction to expect a key pair merged to jvm-ssl-utils/master https://github.com/puppetlabs/jvm-ssl-utils/commit/82c694bb738bdbae387f99020ff5674ff1920fd8

Comment by Moses Mendoza [ 2017/08/22 ]

merged to puppetserver/master at https://github.com/puppetlabs/puppetserver/commit/9167be99d3eb75c0688b038441bac90c73b02c0f

Generated at Thu Jun 27 00:05:57 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.