Jira (PUP-9958) Cannot add custom CA certs for internal resources without replacing bundled CA


Josh Cooper (JIRA)

Aug 12, 2019, 4:26:02 PM
to puppe...@googlegroups.com
Josh Cooper moved an issue
Puppet / Bug PUP-9958
Cannot add custom CA certs for internal resources without replacing bundled CA
Change By: Josh Cooper
Affects Version/s: puppet-agent 5.3.5
Key: PA-2335 -> PUP-9958
Project: Puppet Agent -> Puppet
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Josh Cooper (Jira)

Mar 13, 2020, 1:02:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Epic Link: PUP-9910

Josh Cooper (Jira)

Mar 13, 2020, 1:10:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9958
Re: Cannot add custom CA certs for internal resources without replacing bundled CA

Being able to place the file under /etc/puppetlabs/ssl/cert.pem to be used only if enabled via configuration would avoid the need to guard against it being replaced by a puppet-agent package upgrade in the future.

I've been thinking of something similar, see my comments in https://tickets.puppetlabs.com/browse/PUP-7814?focusedCommentId=675689&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-675689. Basically allow puppet to be configured to trust additional CA cert(s) given a file or directory of certs. When puppet makes connections to non-puppet infrastructure, such as source => "https://artifactory.example.com/...", then puppet would trust the puppet CA, the CA certs contained in the puppet-agent package, and optionally, the cert(s) that the setting referenced. This way people would not need to muck with the ca-bundle in puppet-agent (as those changes are lost when puppet-agent updates). It also means you could point puppet to the CA bundle that is already on your system, like /etc/pki/ca-trust/source/anchors.

Josh Cooper (Jira)

May 20, 2020, 1:51:04 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9958

Darragh Bailey if we implement PUP-7814, then it will be possible to configure puppet to load CA certs from either a platform-specific file or directory (like https://github.com/pcfens/puppet-ca_cert/blob/master/manifests/params.pp#L24), and have those be used for https file sources. Would that be sufficient for your use case?
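
The trust model sketched in the two comments above (the Puppet CA and the CAs bundled with puppet-agent are always trusted; an operator-supplied file or directory of CA certs is trusted in addition, and only when configured) is shown below as an added Ruby example. It is not Puppet's code and not attached to this ticket; it builds a throwaway Puppet CA, a throwaway internal CA and a leaf cert for a hypothetical host (the thread's artifactory.example.com is reused as the name), writes the internal CA to a temporary directory, and verifies the leaf against an OpenSSL::X509::Store with and without the extra anchor. The thread does not name the eventual setting, so the example takes an `extra:` argument as a placeholder for it; `make_cert`, `build_trust_store`, `verify_server_cert` and `demo` are names invented here.

```ruby
require 'openssl'
require 'tmpdir'

# Issue a certificate. With issuer_cert/issuer_key nil the cert is self-signed (a root CA).
# Constructed test data only; nothing here is a real CA.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The Puppet CA and the CAs bundled with the agent are always trusted; an
# operator-supplied PEM file or directory (`extra`, a placeholder for the
# setting the thread proposes) is trusted only when given. Nothing is removed,
# so adding an anchor never weakens trust in the Puppet CA.
def build_trust_store(puppet_ca:, bundled_cas: [], extra: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(puppet_ca)
  bundled_cas.each { |c| store.add_cert(c) }
  if extra
    if File.directory?(extra)
      # Store#add_path expects c_rehash-style hashed filenames; loading each
      # PEM file explicitly keeps the example independent of that layout.
      Dir.glob(File.join(extra, '*.pem')).sort.each { |f| store.add_file(f) }
    else
      store.add_file(extra)
    end
  end
  store
end

# Verify a server certificate against a store; returns [ok, error_string_or_nil].
def verify_server_cert(store, cert, chain = [])
  ok = store.verify(cert, chain)
  [ok, ok ? nil : store.error_string]
end

def demo
  puppet_ca, _puppet_ca_key = make_cert('/CN=Puppet CA', ca: true)
  internal_ca, internal_ca_key = make_cert('/CN=Example Internal CA', ca: true)
  # Hypothetical internal host whose cert chains to the internal CA, not to the Puppet CA.
  server_cert, _server_key = make_cert('/CN=artifactory.example.com',
                                       issuer_cert: internal_ca, issuer_key: internal_ca_key)

  Dir.mktmpdir('anchors') do |dir|
    pem = File.join(dir, 'example-internal-ca.pem')
    File.write(pem, internal_ca.to_pem)

    without = build_trust_store(puppet_ca: puppet_ca)
    by_file = build_trust_store(puppet_ca: puppet_ca, extra: pem)
    by_dir  = build_trust_store(puppet_ca: puppet_ca, extra: dir)

    {
      without_extra:           verify_server_cert(without, server_cert),
      extra_file:              verify_server_cert(by_file, server_cert),
      extra_dir:               verify_server_cert(by_dir, server_cert),
      puppet_ca_still_trusted: verify_server_cert(by_file, puppet_ca)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, err)| puts "#{name}: #{ok}#{err ? " (#{err})" : ''}" }
end
```

Run stand-alone, the first check fails with OpenSSL's "unable to get local issuer certificate" and the other three succeed, which is the whole point of the proposal: the extra anchor is layered on top of the existing trust rather than replacing the bundled ca-bundle, so a puppet-agent package upgrade cannot silently drop it.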

Josh Cooper (Jira)

May 28, 2020, 1:48:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9958

PUP-7814 makes it possible to specify an arbitrary file containing trusted CA certs that will be used when making HTTPS connections using puppet's HTTP client. This won't fix this issue because the apt provider uses open-uri. I think we should move this ticket to the MODULES project.

Josh Cooper (Jira)

Jun 11, 2020, 12:36:02 AM
to puppe...@googlegroups.com