[Pkg-puppet-devel] Bug#1032061: puppetserver setup ca results in incomplete cert chain

Bastian Blank waldi at debian.org
Mon Feb 27 08:53:47 GMT 2023


Package: puppetserver
Version: 7.9.5-1
Severity: important

A new setup by "puppetserver setup ca" results in an incomplete
certificate chain being served by puppetserver.

| # openssl s_client -connect localhost:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem -cert /var/lib/puppet/ssl/certs/debian-sid..pem -key /var/lib/puppet/ssl/private_keys/debian-sid..pem
| CONNECTED(00000003)
| Can't use SSL_get_servername
| depth=2 CN = Puppet Root CA: 327ca764109ce8
| verify return:1
| depth=1 CN = Puppet CA: debian-sid.
| verify return:1
| depth=0 CN = debian-sid.
| verify return:1
| ---
| Certificate chain
|  0 s:CN = debian-sid.
|    i:CN = Puppet CA: debian-sid.
|    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
|    v:NotBefore: Feb 26 08:40:57 2023 GMT; NotAfter: Feb 23 08:41:02 2038 GMT
| ---

The certificate chain is:
- Server
- Puppet CA
- Puppet Root CA

So a server must provide in its TLS setup:
- Server
- Puppet CA

Only the root CA is left out, as the trust anchor.

However in this Puppet setup, the server only provides the server
certificate, not the intermediate.

Regards,
Bastian

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
