Jira (PUP-3788) Puppet Agent does not support Chained CRLs
Maggie Dreyer commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

This is fixed in Puppet 6 by the above ticket, PUP-8652.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Owen Rodabaugh updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Owen Rodabaugh
CS Priority: Needs Priority Major
CS Impact: By not supporting chained CRLs the agent would not know that it should not talk to a master with a revoked cert.
CS Severity: 3 - Serious
CS Business Value: 5 - $$
CS Frequency: 2 - 5-25% of Customers
Owen Rodabaugh updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Owen Rodabaugh
CS Priority: Reviewed Needs Priority
Owen Rodabaugh updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Owen Rodabaugh
CS Priority: Needs Priority
Moses Mendoza updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Moses Mendoza
Sprint: Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22, Platform Core Hopper
Moses Mendoza assigned an issue to Unassigned Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Moses Mendoza
Assignee: Adrien Thebo
Moses Mendoza commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

Per discussion on team it was determined that the total effort to support chained CRLs through the system exceeds our short term capacity. Decision was that PUP-7845 (leaf CRL checking) moves us closer to the goal and is sufficient for short term requirements, so that is what we are proceeding with.
Karen Van der Veer updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Sprint: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22, Platform Core Hopper
Karen Van der Veer updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Sprint: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
Moses Mendoza commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

Adrien Thebo that seems reasonable. Also at this point it's probably worth it to just bypass the indirector altogether, as you suggest.
Adrien Thebo commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

The assumption that Puppet will have a single CRL is wired deeply into the code and unwinding this assumption may require a number of nontrivial and potentially dangerous changes. First off, Puppet::SSL::CertificateRevocationList itself is hardcoded for a single CRL, and it hardcodes a number of things like the CRL name. For example:

```ruby
# Convert a string into an instance.
def self.from_s(string)
  super(string, 'foo') # The name doesn't matter
end

# ...

# The name doesn't actually matter; there's only one CRL.
# We just need the name so our Indirector stuff all works more easily.
def initialize(fakename)
```
Adrien Thebo assigned an issue to Adrien Thebo Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Adrien Thebo
Assignee: Adrien Thebo
Karen Van der Veer updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Sprint: Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
John Duarte updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: John Duarte
QA Risk Assessment: Automate
Karen Van der Veer assigned an issue to Unassigned Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Assignee: Moses Mendoza
Karen Van der Veer updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Sprint: Server 2017-07-25, Platform Core 2017-08-08
Moses Mendoza updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Moses Mendoza
Sprint: Server 2017- 08 07 - 08 25
Moses Mendoza assigned an issue to Moses Mendoza Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Moses Mendoza
Assignee: Moses Mendoza
Karen Van der Veer assigned an issue to Unassigned Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Karen Van der Veer
Assignee: Eric Sorenson
Moses Mendoza updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Moses Mendoza
Labels: triaged
Sean McDonald updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Sean McDonald
Labels: triaged
Jeremy Barlow updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Jeremy Barlow
Sub-team: Server
Team: Systems Engineering
Eric Sorenson assigned an issue to Eric Sorenson Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Eric Sorenson
Assignee: Kylo Ginsberg Eric Sorenson
Eric Sorenson commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

Note to those affected by the bug: there is a workaround available by setting certificate_revocation=false in your puppet.conf or --no-certificate_revocation on the command line; this would, as earlier commenters note, introduce a slight decrease in operational security because the agent will continue to connect to a master whose cert has been revoked. However, also up-thread, the practical decrease in security is minimal due to PUP-2310. We are working on full chained-CA support and fixing this for-real will be part of that effort. (As a side note, it seems weird that while the underlying OpenSSL library's CRL loading code does not support chained CAs, the CRL verification requires it if there is a chain-of-trust in the CA certificate.)
Graham Leggett commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

This bug just affected us, any timeline for a fix?
Josh Cooper commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

Andreas Paul my bad, I was conflating openssl and puppet's behavior. It's possible for puppet agents to accept multiple CA certificates, because we [add {{/path/to/ca_crt.pem}} to the X509 store](https://github.com/puppetlabs/puppet/blob/master/lib/puppet/ssl/host.rb#L261), and that method accepts [multiple CA certs in the same file](https://github.com/ruby/ruby/blob/v2_1_7/ext/openssl/ossl_x509store.c#L207-L217). However, the same isn't true for CRLs. Puppet loads the CRL through the indirector, and we [add the in-memory CRL to the X509 store](https://github.com/puppetlabs/puppet/blob/master/lib/puppet/ssl/host.rb#L267).
Andreas Paul commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

I started digging through the Puppet agent CRL code, trying to find the point where the agent loads the CRL file and only found this function: https://github.com/puppetlabs/puppet/blob/master/lib/puppet/ssl/certificate_revocation_list.rb#L17 Is this the function that I was looking for or is there something else using OpenSSL::X509::CRL to create a CRL from the disk file? If it is the correct function then I don't know how the loading of multiple CRLs from one file did ever work in Puppet, because OpenSSL::X509::CRL.new(crl_bundle_string) only returns the first CRL just like the openssl binary:

```
$ curl -s -o crl_bundle.pem https://tickets.puppetlabs.com/secure/attachment/17918/crl_bundle.pem
$ irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> crl_bundle_string = File.open('./crl_bundle.pem').read()
=> "-----BEGIN X509 CRL-----\nMIIB2jCBwzANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJVUzEPMA0GA1UECBMG\nT3JlZ29uMRQwEgYDVQQKEwtQdXBwZXQgTGFiczEUMBIGA1UECxMLRW5naW5lZXJp\nbmcxMTAvBgNVBAMUKHN6eGtqb3c0YWU0YTR6dC5kZWxpdmVyeS5wdXBwZXRsYWJz\nLm5ldAoXDTE1MDEyNzIwNTk1MVoXDTE2MDEyNzIwNTk1MVowFTATAgIQBRcNMTUw\nMTI3MjA1OTUxWjANBgkqhkiG9w0BAQUFAAOCAQEAFs4G+3TsRN6ju5BrkUQJook8\nsLpCi237WU5vQZjVElEmRbDHtT7QgriCj2ftNB8z7R0RgPqdI9FSwJUrYIwuU/uO\nSW7FRPbBZQc+jzLBLyB/29ybKpgvyI84YGiberNSEQResU14oMIySZrQm+3nxm7t\noQf0l7STgbpsVUKRtyC/OsAfYoUhJW1HDvqQTsmda+fu5zVdalrGsmH4ufZGYPav\nLloontjU3QFnPSFwUSRccK/oBhX3e6SKaHKMetvAtyFhsDI03rNLmJFG6QiA2B5+\nKNk7RIPVqyAW5BM9xNGExfcAsG09J5DSgER3diJI5qaehzvgHl2mt2emCVsGIQ==\n-----END X509 CRL-----\n-----BEGIN X509
```
Andreas Paul commented on PUP-3788 Re: Puppet Agent does not support Chained CRLs

I'm a bit surprised this doesn't just work. Puppet just hands off the file to openssl, and I thought openssl could handle a multi-crl pem file. Josh Cooper If that is indeed how the Puppet agent tries to validate a CRL file, then there is your root cause. openssl can not handle multiple CRLs in one file.

```
$ curl -s https://tickets.puppetlabs.com/secure/attachment/17918/crl_bundle.pem | openssl crl -noout -text | grep Issuer
        Issuer: /C=US/ST=Oregon/O=Puppet Labs/OU=Engineering/CN=szxkjow4ae4a4zt.delivery.puppetlabs.net
```
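The behaviour Josh Cooper and Andreas Paul describe in the comments above (OpenSSL::X509::CRL.new given a PEM bundle decodes only the first CRL, so the agent's X509 store ends up holding one CRL and verification against a chained CA fails for want of the others) can be reproduced in a few lines of Ruby. What follows is an added example written for this page; it is not Puppet's code and not taken from the ticket or its attachment. It builds a constructed root CA, intermediate CA and agent certificate in memory, concatenates the two CRLs into one bundle string the way crl_bundle.pem is laid out, and compares verification using only the first parsed CRL with verification using every CRL in the bundle. The function names (`build_pki`, `first_crl_only`, `load_crl_bundle`, `verify_with_crls`) and the CN values are assumptions of this example.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Build a certificate signed by issuer_key, or self-signed when no issuer is
# given. Constructed fixture for this example; not Puppet's own code.
def make_cert(cn, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  # A CA that issues CRLs must carry cRLSign, or OpenSSL rejects its CRL.
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# An empty (nothing revoked) CRL issued by the given CA.
def make_crl(issuer_cert, issuer_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Root CA -> intermediate CA -> agent cert, plus one PEM string holding the
# intermediate's CRL followed by the root's CRL (a constructed bundle).
def build_pki
  root_key, root = make_cert('Constructed Root CA', 1, ca: true)
  int_key, int = make_cert('Constructed Intermediate CA', 2,
                           issuer_cert: root, issuer_key: root_key, ca: true)
  _leaf_key, leaf = make_cert('agent.example.test', 3,
                              issuer_cert: int, issuer_key: int_key)
  bundle = make_crl(int, int_key).to_pem + make_crl(root, root_key).to_pem
  { root: root, intermediate: int, leaf: leaf, crl_bundle: bundle }
end

# What OpenSSL::X509::CRL.new does with a bundle: it decodes the first PEM
# block and silently ignores everything after it.
def first_crl_only(bundle)
  OpenSSL::X509::CRL.new(bundle)
end

# Split the bundle into every CRL it contains before handing each one to
# OpenSSL; this is the step the agent was missing.
PEM_CRL = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
def load_crl_bundle(bundle)
  bundle.scan(PEM_CRL).map { |pem| OpenSSL::X509::CRL.new(pem) }
end

# Verify the agent cert with CRL checking required for the whole chain, so a
# CRL must be available for every CA in it. Returns [verified?, error string].
def verify_with_crls(pki, crls)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:root])
  store.add_cert(pki[:intermediate])
  crls.each { |crl| store.add_crl(crl) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  [store.verify(pki[:leaf]), store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  puts "CRL.new on the bundle yields one CRL, issued by #{first_crl_only(pki[:crl_bundle]).issuer}"
  puts "first CRL only: #{verify_with_crls(pki, [first_crl_only(pki[:crl_bundle])]).inspect}"
  puts "all CRLs      : #{verify_with_crls(pki, load_crl_bundle(pki[:crl_bundle])).inspect}"
end
```

With only the first CRL in the store, verification of the agent certificate fails because the intermediate cannot be checked against any CRL; with both CRLs loaded it succeeds. The store setup mirrors what the thread describes (CA certificates and the CRL added to an X509 store), and the splitting step is the part that turns a one-CRL loader into one that copes with a chained CA.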
Jeremy Barlow updated an issue Puppet / PUP-3788 Puppet Agent does not support Chained CRLs
Change By: Jeremy Barlow
Security: Internal