Jira (PUP-10104) puppet device fails when using csr_attributes.yaml


Jonas Verhofsté

Oct 15, 2019, 6:08:03 AM
to puppe...@googlegroups.com
Jonas Verhofsté created an issue
 
Puppet / Bug PUP-10104
puppet device fails when using csr_attributes.yaml
Issue Type: Bug
Assignee: Unassigned
Created: 2019/10/15 3:07 AM
Priority: Normal
Reporter: Jonas Verhofsté

Whilst trying to use trusted facts for my puppet device, I noticed `puppet device --target devicename` fail with the error "OBJ_txt2obj: first num too large". However, manually requesting the cert with `puppet ssl` does work and behaves as expected. Guessing it's related to PUP-9746, or at least a similar issue.

Desired Behavior: First `puppet device` run should request a cert with correct extension requests

Actual Behavior: First `puppet device` run fails with "Cannot create CSR with extension request extension_name: OBJ_txt2obj: first num too large"

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Josh Cooper (JIRA)

Oct 15, 2019, 1:08:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10104
 
Re: puppet device fails when using csr_attributes.yaml

Looks like puppet device has the same problem as puppet ssl did. Really the OID registration should occur in the SSLProvider so that individual applications don't need to.

Josh Cooper (JIRA)

Oct 15, 2019, 1:10:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10104

{noformat}
$ git --no-pager grep Puppet::SSL::Oids.register_puppet_oids
lib/puppet/application/agent.rb:    Puppet::SSL::Oids.register_puppet_oids
lib/puppet/application/ssl.rb:    Puppet::SSL::Oids.register_puppet_oids
lib/puppet/test/test_helper.rb:      Puppet::SSL::Oids.register_puppet_oids
{noformat}

Josh Cooper (JIRA)

Oct 30, 2019, 2:05:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper

Josh Cooper (JIRA)

Oct 30, 2019, 2:05:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.11.0
Fix Version/s: PUP 6.4.z

Josh Cooper (JIRA)

Oct 30, 2019, 2:13:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Acceptance Criteria: Create a {{csr_attributes.yaml}} file as described in https://puppet.com/docs/puppet/latest/config_file_csr_attributes.html. Run {{puppet agent}}, {{puppet ssl}} and {{puppet device}} and verify the submitted CSR on the CA contains the attributes. For example:

{noformat}
$ cat attributes.yaml
---
custom_attributes:
  1.2.840.113549.1.9.7: 342thbjkt82094y0uthhor289jnqthpc2290
extension_requests:
  pp_uuid: ED803750-E3C7-44F5-BB08-41A04433FE2E
  pp_image_name: my_ami_image
  pp_preshared_key: 342thbjkt82094y0uthhor289jnqthpc2290
$ bundle exec puppet agent -t --certname test1 --csr_attributes attributes.yaml
Info: Creating a new SSL key for test1
Info: csr_attributes file loading from /Users/josh/work/puppet/attributes.yaml
Info: Creating a new SSL certificate request for test1
Info: Certificate Request fingerprint (SHA256): F3:1F:70:8C:96:14:D6:92:33:39:62:3B:76:4E:72:39:8D:6E:D7:5E:72:73:FE:A5:6C:17:5D:CE:01:0F:78:04
Info: Certificate for test1 has not been signed yet
$ openssl req -in ~/.puppetlabs/etc/puppet/ssl/certificate_requests/test1.pem -noout -text
...
        Attributes:
            challengePassword        :342thbjkt82094y0uthhor289jnqthpc2290
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.1:
                .$ED803750-E3C7-44F5-BB08-41A04433FE2E
            1.3.6.1.4.1.34380.1.1.3:
                ..my_ami_image
            1.3.6.1.4.1.34380.1.1.4:
                .$342thbjkt82094y0uthhor289jnqthpc2290
{noformat}
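
The failure reported in this issue and the CA-side check from the acceptance criteria, as an added Ruby example that is not part of the thread or of Puppet's code base. It assumes the OID-to-name pairs visible in the CSR dump above; the long names, the helper names and the `$example_oids_registered` flag are made up for the example.

```ruby
require 'openssl'

# OID/short-name pairs read off the CSR dump in this thread; long names are placeholders.
PUPPET_OIDS = [
  ['1.3.6.1.4.1.34380.1.1.1', 'pp_uuid',       'Example Puppet node UUID'],
  ['1.3.6.1.4.1.34380.1.1.3', 'pp_image_name', 'Example Puppet node image name'],
].freeze
# Values copied from the attributes.yaml shown in the thread.
REQUESTS = { 'pp_uuid' => 'ED803750-E3C7-44F5-BB08-41A04433FE2E',
             'pp_image_name' => 'my_ami_image' }.freeze

# Idempotent: OpenSSL rejects a second registration of the same OID in one process.
def register_oids
  return if $example_oids_registered
  PUPPET_OIDS.each { |oid, sn, ln| OpenSSL::ASN1::ObjectId.register(oid, sn, ln) }
  $example_oids_registered = true
end

# One requested extension: the value is a DER-encoded UTF8String.
def extension_request(name, value)
  OpenSSL::X509::Extension.new(name, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
end

def build_csr(certname, requests)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  exts = requests.map { |name, value| extension_request(name, value) }
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# CA-side check: dotted OID => value for every requested extension in the CSR.
def requested_extensions(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext, out|
    oid, *_critical, octets = ext.value
    out[oid.oid] = OpenSSL::ASN1.decode(octets.value).value
  end
end

# Before registration the short name cannot be resolved, which is the reported failure.
BEFORE = begin
  extension_request('pp_uuid', REQUESTS['pp_uuid']) && 'ok'
rescue OpenSSL::OpenSSLError => e
  e.message
end
register_oids
PARSED = requested_extensions(OpenSSL::X509::Request.new(build_csr('test1', REQUESTS).to_pem))
puts BEFORE, PARSED
```

Pointing `requested_extensions` at a pending request on the CA confirms that the trusted-fact extensions arrived in the CSR before it is signed.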

Josh Cooper (JIRA)

Nov 8, 2019, 3:18:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper Platform Core KANBAN

Josh Cooper (JIRA)

Nov 8, 2019, 3:18:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.4.z

Josh Cooper (JIRA)

Nov 8, 2019, 3:21:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: The `csr_attributes.yaml` file can now be specified when requesting a certificate signing request for a device using "puppet device --target devicename"
Release Notes: Bug Fix

Heston Hoffman (JIRA)

Nov 15, 2019, 6:55:03 PM
to puppe...@googlegroups.com
Heston Hoffman updated an issue
Change By: Heston Hoffman
Labels: beginner resolved-issue-added