Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper created an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Issue Type: Improvement Assignee: Unassigned Created: 2020/07/20 2:35 PM Priority: Normal Reporter: Josh Cooper The https://github.com/puppetlabs/puppet-agent-bootstrap application was created to allow the agent to generate a CSR in a way that doesn't requires network access to the CA (since the CA requires the SSL client to provide a client certificate, which the agent doesn't have yet). The application uses Puppet::SSL::Host.localhost to accomplish this and it works in 5.5.x. However, the version in puppet#master does not due to: git bisect good de34cc03d570a7f06b117c1f1387c40cb6353377 is the first bad commit commit de34cc03d570a7f06b117c1f1387c40cb6353377 Author: Maggie Dreyer Date: Mon Aug 27 17:09:13 2018 -0700
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper commented on PUP-10589 Re: Provide the ability to generate a CSR without submitting to the CA Sorry my initial comment wasn't clear. I want to eliminate the need for puppet-agent-bootstrap. AFAIK everything in that module has been implemented in core puppet except for the ability to generate a CSR without connecting to a CA. If that use case is common, then I think we should add it to core puppet (something like puppet ssl generate_csr) and have the Opsworks integration use that. If the use case is specific to Opsworks, then I'm more inclined to patch up the puppet-agent-bootstrap module so that it works with puppet 6. Something like the following would suffice https://gist.github.com/joshcooper/cc3e19dfcf424234c8098ade74b3ff01 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.112218.1595297520028%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Shaigy Nixon commented on PUP-10589 Re: Provide the ability to generate a CSR without submitting to the CA opsworks has the associate-node/disassociate-node work flow as described in these tickets PE-21668 and PE-21669 where a csr is provided to get a certificate for the node. puppet-agent-bootstrap module is used to test that workflow and I can update the module with the code Josh Cooper provided and test it. I am not sure about the use case outside of the above requirement. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.112488.1595344320024%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Rob Braden updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Rob Braden Team: Coremunity Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.2250.1595871720195%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Rob Braden updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Rob Braden Sprint: Coremunity Hopper Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.2251.1595871780025%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Cody Herriges commented on PUP-10589 Re: Provide the ability to generate a CSR without submitting to the CA Honestly, I haven't been communicating with them either lately. I dropped one email to my old contact from the end of my days doing alliances just to ensure communication was happening and people were not depending on me to do a job I was no longer doing. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.3172.1595960220034%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Josh Cooper Sprint: Coremunity Hopper , Community PRs 2 Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.98508.1628028780636%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper assigned an issue to Josh Cooper Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Josh Cooper Assignee: Josh Cooper Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.111839.1629351780030%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Josh Cooper Labels: tbd Add Comment This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.3043.1639122240055%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Josh Cooper Labels: Easy tbd Add Comment This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.49653.1666235340031%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Nick GW commented on PUP-10589 Re: Provide the ability to generate a CSR without submitting to the CA Please implement this, it'd be super handy for working with external CAs Add Comment This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.11623.1683652140096%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title Josh Cooper updated an issue Puppet / PUP-10589 Provide the ability to generate a CSR without submitting to the CA Change By: Josh Cooper Team: Coremunity Phoenix Add Comment This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.366691.1595280947000.11622.1683652140033%40Atlassian.JIRA.
Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-10589
Provide the ability to generate a CSR without submitting to the CA
Change By:
Josh Cooper
The https://github.com/puppetlabs/puppet-agent-bootstrap application was created to allow the agent to generate a CSR in a way that doesn't requires network access to the CA (since the CA requires the SSL client to provide a client certificate, which the agent doesn't have yet).The application uses {{Puppet::SSL::Host.localhost}} to accomplish this and it works in 5.5.x. However, the version in puppet#master does not due to:{noformat}git bisect goodde34cc03d570a7f06b117c1f1387c40cb6353377 is the first bad commitcommit de34cc03d570a7f06b117c1f1387c40cb6353377Author: Maggie Dreyer Date: Mon Aug 27 17:09:13 2018 -0700(PUP-8912) Remove CertificateAuthority, fixup HostThis commit removes the CertificateAuthority class and begins cleaningup the consequences:* Remove CA logic from SSL::Host* Remove certificate_status indirection* Remove CA logic from ssl_file* Get Host unit tests passing{noformat}In particular, the `Host#ca_location=` method was removed which the bootstrap application used to set to `:none`, to prevent the Host from accessing the CA.We should add a {{puppet ssl generate_csr}} action to generate the private key and CSR, but not submit the CSR. Once that's done, puppet-agent-bootstrap could be deprecated and archived. *UPDATE*It would be fairly trivial to implement this. The {{puppet ssl}} application needs a new action to generate the CSR. It needs to implement this section of code to [load or generate the private key and generate the CSR|https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/lib/puppet/application/ssl.rb#L164-L176]. And then call {{puts csr.to_text}} to write the contents to stdout. Also needs a test in spec/unit/application/ssl_spec.rb
Add Comment
