Puppet is correctly embedding the certificate extension and will return it provided the OIDs have been registered:

[root@ornate-micelle ~]# /opt/puppetlabs/puppet/bin/irb
irb(main):001:0> require 'puppet'
=> true
irb(main):002:0> Puppet.initialize_settings
=> [:debug, :info, :notice, :warning, :err, :alert, :emerg, :crit]
irb(main):003:0> x509 = Puppet::SSL::Certificate.from_s(File.read('/etc/puppetlabs/puppet/ssl/certs/ornate-micelle.delivery.puppetlabs.net.pem'))
=> #<Puppet::SSL::Certificate:0x0000000001de4d78 @name="ornate-micelle.delivery.puppetlabs.net", @content=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=ornate-micelle.delivery.puppetlabs.net>, issuer=#<OpenSSL::X509::Name CN=Puppet Enterprise CA generated at +2020-01-21 16:43:52 +0000>, serial=#<OpenSSL::BN:0x0000000001de4968>, not_before=2020-01-21 01:43:17 UTC, not_after=2025-01-20 01:43:17 UTC>>
irb(main):004:0> x509.custom_extensions
=> []
irb(main):005:0> Puppet::SSL::Oids.register_puppet_oids
=> true
irb(main):006:0> x509.custom_extensions
=> [{"oid"=>"pp_auth_role", "value"=>"taketwo"}]

However, the problem is puppetserver provides its own Certificate class which doesn't have the same change that we made. https://github.com/puppetlabs/puppetserver/blob/master/src/ruby/puppetserver-lib/puppet/server/certificate.rb#L46-L49. Given that, I'm going to close this as resolved. I'll file a separate SERVER ticket.