[SERVER-1315] Support autosigning with a ca certificate bundle file Created: 2016/05/06 Updated: 2018/04/06 Resolved: 2017/08/30
|Fix Version/s:||SERVER 5.1.0|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Link:||Improve Intermediate CA Support|
|Sprint:||Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22|
|Release Notes:||Bug Fix|
|QA Risk Assessment:||Automate|
Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.
While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:
I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.
|Comment by Ben Roberts [ 2017/01/31 ]|
Would like to see this implemented so that the intermediate CA scenarios described in the "External CA" document can be implemented using puppet's internal certificate signing and distribution mechanism. Ideally we'd like to be able to manually sign master certificates, and autosign agent certificates using different subordinates of our internal PKI.
|Comment by Moses Mendoza [ 2017/07/20 ]|
Reading the description of this ticket, it seems like the bug being discussed is explicitly surfaced when trying to use autosigning with a CA cert bundle. I've updated the ticket name to reflect that - please let me know if that's not accurate.
|Comment by Moses Mendoza [ 2017/08/08 ]|
Facility for extraction of ca cert from a chain with validation of the pubkey merged to jvm-ssl-utils/master, here: https://github.com/puppetlabs/jvm-ssl-utils/commit/3d63246bfd86f4afb745648a1d55af880c7907a1
|Comment by Moses Mendoza [ 2017/08/09 ]|
Update to cert extraction to expect a key pair merged to jvm-ssl-utils/master: https://github.com/puppetlabs/jvm-ssl-utils/commit/82c694bb738bdbae387f99020ff5674ff1920fd8
|Comment by Moses Mendoza [ 2017/08/22 ]|
Merged to puppetserver/master at https://github.com/puppetlabs/puppetserver/commit/9167be99d3eb75c0688b038441bac90c73b02c0f
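The selection step the ticket description asks about (matching the CA private key to one certificate in a ca_crt.pem bundle) and the public-key validation the 2017/08 comments describe, as an added Ruby example. This is not Puppet's, Puppet Server's or jvm-ssl-utils' code; it builds a constructed two-certificate PKI in memory, picks the signing certificate out of the bundle by checking which one belongs to the CA key, refuses to sign when nothing matches, and then shows that an agent holding the whole bundle as its localcacert still validates the resulting certificate. The CA names, agent name and bundle ordering are assumptions made for the demo.

```ruby
require 'openssl'

# Split a PEM bundle such as $cadir/ca_crt.pem into its certificates, in file
# order. OpenSSL::X509::Certificate.new on the whole file would only take the first.
CERT_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
def parse_bundle(pem)
  pem.scan(CERT_RE).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Pick the certificate whose public key belongs to the CA signing key. With a
# single-cert file this is the old behaviour; with a bundle it selects the right
# member. A bundle that matches nothing is a configuration error, so fail loudly
# instead of signing with a certificate that does not correspond to the key.
def select_ca_cert(bundle_pem, signing_key)
  certs = parse_bundle(bundle_pem)
  raise ArgumentError, 'no certificates found in bundle' if certs.empty?
  match = certs.find { |cert| cert.check_private_key(signing_key) }
  raise ArgumentError, 'no certificate in bundle matches the CA private key' unless match
  match
end

# Issue a certificate for +key+ under +issuer_cert+ (self-signed when nil).
def issue_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI (assumption for the demo): a self-signed root and an
# intermediate it issued, bundled intermediate-first like a ca_crt.pem chain.
# Returns the bundle PEM plus both private keys.
def build_constructed_bundle
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  root = issue_cert('/CN=Constructed Root CA', root_key, 1, ca: true)
  int  = issue_cert('/CN=Constructed Intermediate CA', int_key, 2,
                    issuer_cert: root, issuer_key: root_key, ca: true)
  [int.to_pem + root.to_pem, root_key, int_key]
end

# Agent side: treat the whole bundle as localcacert and validate a certificate
# against it, which is what the ticket says agents already do happily.
def agent_trusts?(bundle_pem, cert)
  store = OpenSSL::X509::Store.new
  parse_bundle(bundle_pem).each { |cert_in_bundle| store.add_cert(cert_in_bundle) }
  store.verify(cert)
end

# Server side, end to end: select the signing certificate for the CA key, sign
# an agent certificate with it, and hand it back for the agent-side check.
def autosign_with_bundle(bundle_pem, ca_key, agent_name)
  ca_cert = select_ca_cert(bundle_pem, ca_key)
  agent_key = OpenSSL::PKey::RSA.new(2048)
  issue_cert("/CN=#{agent_name}", agent_key, 1000, issuer_cert: ca_cert, issuer_key: ca_key)
end

if __FILE__ == $PROGRAM_NAME
  bundle, _root_key, int_key = build_constructed_bundle
  signed = autosign_with_bundle(bundle, int_key, 'agent01.example.test')
  puts "signed by: #{signed.issuer}"
  puts "agent accepts chain: #{agent_trusts?(bundle, signed)}"
end
```

The key-to-certificate check is `check_private_key`, which compares the certificate's public key with the one derived from the private key, so the selection does not depend on the bundle's order or on subject names. Serving the whole bundle from the ca endpoint and selecting the signing member from it server-side gives agents the full chain to validate against while the CA signs with exactly one certificate.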