Issue #3143 has been updated by Nicholas Veeser. Affected version changed from 0.25.4 to 0.25.3
I will throw in my two cents, since I am up against the exact same problem. I am using a Cert chain that is part of an existing PKI solution. The issue as I have diagnosed it is related to CRL being found I have filed two bugs related to this: 1. All puppetmasterd will run in CA mode http://projects.reductivelabs.com/issues/3141 As such the server will respond to REST requests for a CRL, created one if necessary. 2. I cannot seem to find a way to tell the Client (Configurer/Agent) to stop looking for and using the CRL returned by its puppet master. http://projects.reductivelabs.com/issues/3168 *Detail* At some point, the Puppet::SSL::Host.ssl_store will initialize a OpenSSL::X509::Store with the certificate from Puppet[:localcert] Optionally it will find a CRL which is either cached locally or pulled from REST. If a CRL is found, it then enables "CRL checking" by flag in the SSL store for use during SSL verification process. I *think* (though I don't know openssl that well), that for each cert in the verification chain, there must exist a CRL (named by 'issuer') signed by that cert. *Summary* In the standard "Puppet is the CA" use case, the Cert chain is only one deep, so only one CRL (from the CA) is needed. If the cert chain is deeper, the CRL solution, as implemented breaks down, and Cert verification will always fail. *Sidenote* FWIW I also filed this request thing which shows the code I added to debug this. It should much more clearly what is happening in the X509 verification process which happens as part of SSL negotiation. ruby/OpenSSL does not seem to be very informative at this level. It may not be worth actually putting in the code, but it may help determine what is really going wrong. http://projects.reductivelabs.com/issues/3169 ---------------------------------------- Bug #3143: Puppet should correctly support CA trust chains http://projects.reductivelabs.com/issues/3143 Author: Justin Baugh Status: Investigating Priority: Normal Assigned to: Markus Roberts Category: SSL Target version: Affected version: 0.25.3 Keywords: Branch: It would be very, very useful for Puppet to use existing enterprise-deployed PKI systems, rather than relying somewhat on the creation of its own self-signed CA. Here is some background: For a few months, I have been using 0.24.8 in production. I used the techniques described in the wiki (multiple CA certificates) to override the local CA certificate, setting localcacert in puppet.conf to the PEM bundle. This required a slight hack to prevent Puppet from overwriting the file, but it worked and verified correctly. My PKI setup is fairly simple: I have a global root, which has a subordinate network CA, which has signed the Puppet CA (A->B->C). I have recently upgraded to 0.25.4 and this has broken entirely (see http://pastebin.ca/1776458 for a client debug; the server side never sees the request because it doesn't even get that far). I have tried both with a brand new client and an upgrade of an existing one - the errors are the same, failure to validate certificates. >From looking at cert_setup in network/http_pool.rb, Puppet will set the >ca_file and SSL store as appropriate, but neither of these are seemingly >sufficient to verify a trust chain. However, when I commented out usage of the >certificate store and CA file (http://pastebin.ca/1776467) and used ca_path >instead (set to an OpenSSL-hashed cert dir) containing A,B, and C's PEM files, >the verification succeeds, which confuses me greatly. I also tried directly modifying the certificate store passed to the http object to load my certificates directly into the store (via add_file) and this also does not verify. I notice that WEBrick deals with this issue by modifying the SSL context directly (extra_chain_cert). Is it possible for Puppet to do something similar? The property is not directly exposed from http.rb. When I have done testing with Puppet using WEBrick, modifying the appropriate WEBrick code to set the property to the appropriate trust chain (A and B) also works correctly, allowing the verification to succeed. I apologize in advance if if I am overlooking something or doing it wrong. In addition, I am happy to diagnose/debug/investigate this issue, if it is helpful, and write a patch for it if necessary, but my ruby/ruby openssl familiarity is minimal. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://reductivelabs.com/redmine/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
