Hi everyone,
We've been doing some work lately to harden the pluginsync functionality
for Puppet 3.x. An issue was brought to my attention by Jeff McCune:
In current versions of puppet, it's possible to configure things like your
vardir and libdir in any section of the config file; potentially,
So the set_default_paths has had some good success on quite a few
platforms, but not on all.
Good on:
* Redhat 5.6
* Debian 6 & 7
* SLES 11
* Solaris 10 (with CSW ruby)
Doesn't work on:
* DragonFly BSD 2.10
* OpenBSD 4.9
* Windows 2008
I think the general problem here is the lack of a default
Booyah ... and this now works on Debian:
require 'net/https'
# Build a trust store from OpenSSL's compiled-in default CA locations
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
# Net::HTTP::Proxy(nil, nil) just returns a plain (proxy-less) Net::HTTP class
proxy_class = Net::HTTP::Proxy(nil, nil)
proxy = proxy_class.new('forge.puppetlabs.com', 443)
proxy.use_ssl = true
proxy.verify_mode = OpenSSL::SSL::VERIFY_PEER
# Hand the store to the client; without this line the store built above is never used
proxy.cert_store = cert_store
proxy
So this works on Debian Josh - with no need to specify exact path:
require 'openssl'
require 'net/protocol'
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
# Comment this out, it breaks
ctx.cert_sto
Well, I've done an OS survey and found the following paths need to be
set, and in some cases couldn't find a path at all:
Redhat 5.6:
ca_file = /etc/pki/tls/certs/ca-bundle.crt
Debian 6 & 7:
ca_path = /etc/ssl/certs
OpenBSD 4.9:
ca_file = /etc/ssl/cert.pem # doesn't contain GeoTrust, so doesn't
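Pulling the two approaches in this thread together (set_default_paths plus the surveyed per-platform ca_file/ca_path locations), here is an added example, not code from the thread or from Puppet: it builds one trust store, wires it into a VERIFY_PEER Net::HTTP client, and checks verification offline against a constructed throwaway CA. The candidate paths are the ones surveyed above; the host name and the make_cert helper are assumptions.

```ruby
require 'openssl'
require 'net/https'

# Candidate system CA locations from the OS survey in this thread.
SYSTEM_CA_CANDIDATES = [
  { ca_file: '/etc/pki/tls/certs/ca-bundle.crt' }, # RedHat 5.6
  { ca_path: '/etc/ssl/certs' },                   # Debian 6 & 7
  { ca_file: '/etc/ssl/cert.pem' },                # OpenBSD 4.9
].freeze

# Trust store: OpenSSL's compiled-in defaults first, then every surveyed
# platform location that actually exists on this host.
def build_cert_store(candidates = SYSTEM_CA_CANDIDATES)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  candidates.each do |c|
    store.add_file(c[:ca_file]) if c[:ca_file] && File.file?(c[:ca_file])
    store.add_path(c[:ca_path]) if c[:ca_path] && File.directory?(c[:ca_path])
  end
  store
end

# HTTPS client that verifies the peer against that store instead of
# turning verification off when the default bundle is missing.
def https_client(host, store, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Constructed certificate for offline checks (hypothetical helper):
# self-signed when issuer is nil, otherwise issuer = [ca_cert, ca_key].
def make_cert(cn, issuer = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1 + rand(1 << 32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  bc = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
```

A leaf signed by the constructed CA verifies only once that CA has been added to the store; against the system store alone it is rejected, which is the behaviour VERIFY_PEER is meant to enforce.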
On Mon, Jun 25, 2012 at 9:54 AM, Josh Cooper wrote:
> On Mon, Jun 25, 2012 at 5:11 AM, Ken Barber wrote:
>>
>> (responding to puppet-dev)
>>
>> >>> I've managed to solve it on Linux by specifying:
>> >>> https_object.ca_path = '/etc/ssl/certs'
>> >
>> > You managed to work around your broken buil
On Mon, Jun 25, 2012 at 5:11 AM, Ken Barber wrote:
> (responding to puppet-dev)
>
> >>> I've managed to solve it on Linux by specifying:
> >>> https_object.ca_path = '/etc/ssl/certs'
> >
> > You managed to work around your broken build, I think.
>
> You mean Debian 6's broken build - Lol ... foun
On Mon, Jun 25, 2012 at 5:11 AM, Ken Barber wrote:
> (responding to puppet-dev)
>
> >>> I've managed to solve it on Linux by specifying:
> >>> https_object.ca_path = '/etc/ssl/certs'
> >
> > You managed to work around your broken build, I think.
>
> You mean Debian 6's broken build - Lol ... found thi
On Mon, Jun 25, 2012 at 5:23 AM, Ken Barber wrote:
> What is actually interesting about this topic is that the two common
> command line tools for web access use different methodologies. Curl
> uses its own CAs, and wget uses the in-built OpenSSL list it seems.
Curl on OS X at least used to use
What is actually interesting about this topic is that the two common
command line tools for web access use different methodologies. Curl
uses its own CAs, and wget uses the in-built OpenSSL list it seems.
I had a quick look at other Ruby tools to see what they do ... Octokit
turns off verify ...
(responding to puppet-dev)
>>> I've managed to solve it on Linux by specifying:
>>> https_object.ca_path = '/etc/ssl/certs'
>
> You managed to work around your broken build, I think.
You mean Debian 6's broken build - Lol ... found this using the system
ruby 1.8 from Debian, latest version :-).