[Pkg-puppet-devel] Bug#1032061: puppetserver setup ca results in incomplete cert chain

Bastian Blank waldi at debian.org
Sat Mar 4 08:09:37 GMT 2023


On Fri, Mar 03, 2023 at 04:04:55PM -0500, Jérôme Charaoui wrote:
> I'm not able to reproduce this issue.

Okay, then _what_ do you see?

Easy check:

| # grep BEGIN /etc/puppet/puppetserver/ca/ca_crt.pem /etc/puppet/puppetserver/ca/signed/*
| /etc/puppet/puppetserver/ca/ca_crt.pem:-----BEGIN CERTIFICATE-----
| /etc/puppet/puppetserver/ca/ca_crt.pem:-----BEGIN CERTIFICATE-----
| /etc/puppet/puppetserver/ca/signed/debian-sid.home.arpa.pem:-----BEGIN CERTIFICATE-----

The CA file must only include one certificate, the trust root.  The
entity file needs to contain two: the intermediate CA and the entity
cert.

And using openssl:

| # openssl s_client -connect localhost:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem -cert /var/lib/puppet/ssl/certs/debian-sid.home.arpa.pem -key /var/lib/puppet/ssl/private_keys/debian-sid.home.arpa.pem
| CONNECTED(00000003)
| Can't use SSL_get_servername
| depth=2 CN = Puppet Root CA: 74ab090112e6f0
| verify return:1
| depth=1 CN = Puppet CA: debian-sid.home.arpa
| verify return:1
| depth=0 CN = debian-sid.home.arpa
| verify return:1
| ---
| Certificate chain
|  0 s:CN = debian-sid.home.arpa
|    i:CN = Puppet CA: debian-sid.home.arpa
|    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
|    v:NotBefore: Mar  3 08:01:08 2023 GMT; NotAfter: Feb 28 08:01:12 2038 GMT
| ---

The certificate chain needs to contain two certificates, the entity one
and the intermediate CA; otherwise it's incomplete.

> This seems likely to be related to bug #1032060 where the certificate name
> of "debian-sid." (with a trailing dot) was found to be the cause of PKI
> issues in puppetserver.

This was worked around long ago, so no.  And then the CA setup would
also be unreliable.

Bastian

-- 
All your people must learn before you can reach for the stars.
		-- Kirk, "The Gamesters of Triskelion", stardate 3259.2
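The two checks in the message (count the PEM blocks per file, then let openssl build the chain) scripted as shell functions, as an added example that is not part of Bastian's message or of puppetserver. It encodes the layout rule stated above: the CA file holds exactly one certificate (the root), the entity file holds the entity cert followed by the intermediate, and a verifier that trusts only the root must be able to chain the entity cert using nothing but the intermediate shipped in the entity file. The function names, the stand-alone usage and the error messages are assumptions for illustration; the puppetserver paths in the usage comment are the ones quoted in the message.

```shell
#!/bin/sh
# Added example (not puppetserver code): check the certificate layout of a
# two-tier PKI, root -> intermediate -> entity. Function names are assumptions.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert FILE N: print only the N-th PEM certificate block of FILE.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                   c == n { print }
                   /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# check_layout CAFILE ENTITYFILE: the CA file must hold exactly one
# certificate (the trust root); the entity file exactly two (entity cert,
# then the intermediate CA). This is the "grep BEGIN" check from the message.
check_layout() {
    [ "$(count_certs "$1")" -eq 1 ] && [ "$(count_certs "$2")" -eq 2 ]
}

# chain_order_ok ENTITYFILE: the first certificate must be issued by the
# second one, i.e. the bundle is ordered leaf first, then its issuer.
chain_order_ok() {
    leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer 2>/dev/null)
    ca_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject 2>/dev/null)
    [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ]
}

# verify_chain CAFILE ENTITYFILE: verify the first certificate in ENTITYFILE,
# trusting only CAFILE and taking intermediates only from ENTITYFILE. That is
# all a client holding just the root can do with what the server sends, so a
# leaf-only entity file fails here even though the intermediate exists on disk.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Stand-alone usage, with the default puppetserver paths from the message:
#   sh chaincheck.sh /etc/puppet/puppetserver/ca/ca_crt.pem \
#       /etc/puppet/puppetserver/ca/signed/debian-sid.home.arpa.pem
if [ "$#" -eq 2 ]; then
    status=0
    check_layout "$1" "$2" || {
        echo "layout: CA file has $(count_certs "$1") cert(s), entity file has $(count_certs "$2") (want 1 and 2)"
        status=1
    }
    chain_order_ok "$2" || { echo "order: first cert in $2 is not issued by the second"; status=1; }
    verify_chain "$1" "$2" || { echo "verify: cannot chain $2 to the root in $1"; status=1; }
    [ "$status" -eq 0 ] && echo "ok: chain is complete"
    exit "$status"
fi
```

The verify step deliberately passes the entity file as the only source of untrusted certificates: if the intermediate is instead sitting in the CA file, `openssl verify -CAfile` alone would still succeed locally and hide exactly the incomplete chain a remote client sees.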
