Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper commented on PUP-4005 Re: AIO agent corrupts CSR extensions Passed CI https://jenkins.puppetlabs.com/job/platform_aio-component_intn-sys_master/104/, no testing or review required. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Kylo Ginsberg updated an issue Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Kylo Ginsberg Sprint: Client2015-02-18 ,Client2015-03-04 Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Kylo Ginsberg updated an issue Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Kylo Ginsberg Scrum Team: PuppetServer ClientPlatform Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Kylo Ginsberg commented on PUP-4005 Re: AIO agent corrupts CSR extensions Per Josh the puppet-server build with this fix was promoted so this is now Ready for Merge. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Justin May commented on PUP-4005 Re: AIO agent corrupts CSR extensions This was actually fixed in SERVER-119 but Puppet server hasn't been updated to depend on the new version of the SSL utils library yet, so this test is expected to be failing until then. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper commented on PUP-4005 Re: AIO agent corrupts CSR extensions Moving this into needs information while puppetserver is updated with latest ssl utils library. Once that happens, we can reenable the acceptance test and call it a day. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Kylo Ginsberg updated an issue Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Kylo Ginsberg Scrum Team: ClientPlatform PuppetServer Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper updated an issue Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Josh Cooper Labels: AIO Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Kylo Ginsberg commented on PUP-4005 Re: AIO agent corrupts CSR extensions Justin May please take a look at this also. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper assigned an issue to Justin May Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Josh Cooper Assignee: JustinMay Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper commented on PUP-4005 Re: AIO agent corrupts CSR extensions Most recently rhel7 acceptance on puppet#master passed and the generated file looks correct: syv0n4ohrysh6l1.delivery.puppetlabs.net (agent) 22:11:04$ cat /tmp/certificate_extensions.PyBLtY/trusted.yaml --- authenticated: remote certname: syv0n4ohrysh6l1.delivery.puppetlabs.net-extensions extensions: pp_uuid: b5e63090-5167-11e3-8f96-0800200c9a66 pp_instance_id: i-3fkva 1.3.6.1.4.1.34380.1.2.1: db-server 1.3.6.1.4.1.34380.1.2.2: webops In puppet#master, the master and agent rhel7 nodes are the same (x86_64), and it appears they are using slightly different ruby openssl versions that AIO. From the
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title William Hopper commented on PUP-4005 Re: AIO agent corrupts CSR extensions Earlier, Josh Cooper recommended that we revert PUP-3560 to address this issue in the AIO pipeline. As a test, I fired off the certificate_extension test with: bundle exec rake ci:test:aio SHA=8642ba76b6166b2bb788a9a6f7e62ee46db2234f TESTS=./tests/ssl/certificate_extensions.rb CONFIG=./config/nodes/rhel7.yaml OPTIONS=--preserve-hosts=always with the intention of manually reverting the commit on the agent in order to see if the correct CSR is generated. The SHA above is the latest puppet-agent build (as of Feb 13: http://builds.puppetlabs.lan/puppet-agent/?C=M;O=D). As we expected, the initial test failed due to the extra leading bytes in the CSR extensions: [root@wyy45yunberlo5m certificate_requests]# openssl req -in before_revert.pem -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: CN=before_revert Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit)
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper assigned an issue to William Hopper Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Josh Cooper Assignee: JoshCooper WilliamHopper Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title William Hopper commented on PUP-4005 Re: AIO agent corrupts CSR extensions Another update: I compiled and installed OpenSSL 1.0.0q (along with Ruby 2.1.5) on Ubuntu 14.04, and these were my results: 1) create csr_attributes.yaml file on the agent: --- extension_requests: pp_uuid: b5e63090-5167-11e3-8f96-0800200c9a66 pp_instance_id: i-3fkva 1.3.6.1.4.1.34380.1.2.1: db-server 1.3.6.1.4.1.34380.1.2.2: webops 2) Run puppet agent --test --waitforcert=0 --csr_attributes=./csr_attributes.yaml 3) Check the generated CSR in /var/lib/puppet/ssl/certificate_requests on the agent: openssl req -in fj0pm98ta9r1dct.delivery.puppetlabs.net.pem -noout -text
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title William Hopper commented on PUP-4005 Re: AIO agent corrupts CSR extensions While testing in Ubuntu 14.04 with Ruby 2.1.5 and openssl 1.0.1f, I found that the CSR looks to have values as we'd expect: Certificate Request: Data: Version: 0 (0x0) Subject: CN=s7s14v7bcwa9y5o.delivery.puppetlabs.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: ... Exponent: 65537 (0x10001)
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper assigned an issue to Josh Cooper Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Josh Cooper Assignee: JoshCooper Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title
William Hopper updated an issue
Puppet / PUP-4005
AIO agent corrupts CSR extensions
Change By:
William Hopper
Comment:
WhiletestinginUbuntu14.04withRuby2.1.5andopenssl1.0.1f,IfoundthattheCSRlookstohavevaluesaswe'dexpect:{noformat}CertificateRequest:Data:Version:0(0x0)Subject:CN=s7s14v7bcwa9y5o.delivery.puppetlabs.netSubjectPublicKeyInfo:PublicKeyAlgorithm:rsaEncryptionPublic-Key:(4096bit)Modulus:...Exponent:65537(0x10001)Attributes:RequestedExtensions:1.3.6.1.4.1.34380.1.1.1:b5e63090-5167-11e3-8f96-0800200c9a661.3.6.1.4.1.34380.1.1.2:i-3fkva1.3.6.1.4.1.34380.1.2.1:db-server1.3.6.1.4.1.34380.1.2.2:webops{noformat}Thedifferenceseemstobethatherewe'reusingOpenSSL1.0.1fratherthan1.0.0q,asJoshwasusingwhenhereproducedtheerror.Itcouldbethatthereisstillaproblemonourend,butthisversionofOpenSSLislessrestrictiveandallowedustogeneratethecorrectCSRanyway.
Add Comment
This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
--
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title William Hopper commented on PUP-4005 Re: AIO agent corrupts CSR extensions As Josh predicted, it looks like reverting the changes made in commit https://github.com/puppetlabs/puppet/commit/82b7a84bd017c77c95ab02a4e3547e228d7234e1 correct the error. I ran through this in both Ruby 1.9.3 and 2.1.5 and the result was the same. Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title Josh Cooper updated an issue Puppet / PUP-4005 AIO agent corrupts CSR extensions Change By: Josh Cooper Summary: AIOagentcorrupts certificateattributes CSRextensions Add Comment This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4005) AIO agent corrupts CSR extensions
Title: Message Title William Hopper commented on PUP-4005 Re: AIO agent corrupts CSR extensions As another test, I fired off a run of the certificate_extensions test against master and set preserve_hosts to true. The test completed successfully, and I then went to find what the generated CSRs looked like. In /tmp/certificate_extensions.RfjmeE/ssldir/certificate_requests, we have gajgyc6jwys4ere.delivery.puppetlabs.net-extensions.pem, which itself includes the extra bytes at the beginning of the extensions: Certificate Request: Data: Version: 0 (0x0) Subject: CN=gajgyc6jwys4ere.delivery.puppetlabs.net-extensions Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: ...
