Jira (PUP-10589) Provide the ability to generate a CSR without submitting to the CA


Josh Cooper (Jira)

Jul 20, 2020, 5:36:03 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Improvement PUP-10589
Provide the ability to generate a CSR without submitting to the CA
Issue Type: Improvement
Assignee: Unassigned
Created: 2020/07/20 2:35 PM
Priority: Normal
Reporter: Josh Cooper

The https://github.com/puppetlabs/puppet-agent-bootstrap application was created to allow the agent to generate a CSR in a way that doesn't require network access to the CA (since the CA requires the SSL client to provide a client certificate, which the agent doesn't have yet).

The application uses Puppet::SSL::Host.localhost to accomplish this and it works in 5.5.x. However, the version in puppet#master does not due to:

git bisect good
de34cc03d570a7f06b117c1f1387c40cb6353377 is the first bad commit
commit de34cc03d570a7f06b117c1f1387c40cb6353377
Author: Maggie Dreyer <mag...@puppet.com>
Date:   Mon Aug 27 17:09:13 2018 -0700
 
    (PUP-8912) Remove CertificateAuthority, fixup Host
 
    This commit removes the CertificateAuthority class and begins cleaning
    up the consequences:
    * Remove CA logic from SSL::Host
    * Remove certificate_status indirection
    * Remove CA logic from ssl_file
    * Get Host unit tests passing

In particular, the `Host#ca_location=` method was removed which the bootstrap application used to set to `:none`, to prevent the Host from accessing the CA.

We should add a puppet ssl generate_csr action to generate the private key and CSR, but not submit the CSR. Once that's done, puppet-agent-bootstrap could be deprecated and archived.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Josh Cooper (Jira)

Jul 20, 2020, 10:12:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-10589
 
Re: Provide the ability to generate a CSR without submitting to the CA

Sorry my initial comment wasn't clear. I want to eliminate the need for puppet-agent-bootstrap. AFAIK everything in that module has been implemented in core puppet except for the ability to generate a CSR without connecting to a CA. If that use case is common, then I think we should add it to core puppet (something like puppet ssl generate_csr) and have the Opsworks integration use that. If the use case is specific to Opsworks, then I'm more inclined to patch up the puppet-agent-bootstrap module so that it works with puppet 6. Something like the following would suffice https://gist.github.com/joshcooper/cc3e19dfcf424234c8098ade74b3ff01

Shaigy Nixon (Jira)

Jul 21, 2020, 11:12:02 AM
to puppe...@googlegroups.com
Shaigy Nixon commented on Improvement PUP-10589

OpsWorks has the associate-node/disassociate-node workflow as described in these tickets, PE-21668 and PE-21669, where a CSR is provided to get a certificate for the node. The puppet-agent-bootstrap module is used to test that workflow, and I can update the module with the code Josh Cooper provided and test it.

I am not sure about the use case outside of the above requirement.

 

Cody Herriges (Jira)

Jul 28, 2020, 2:17:04 PM
to puppe...@googlegroups.com
Cody Herriges commented on Improvement PUP-10589
 
Re: Provide the ability to generate a CSR without submitting to the CA

Honestly, I haven't been communicating with them either lately. I dropped one email to my old contact from the end of my days doing alliances just to ensure communication was happening and people were not depending on me to do a job I was no longer doing.

Josh Cooper (Jira)

Aug 3, 2021, 6:13:05 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Sprint: Coremunity Hopper, Community PRs 2


Josh Cooper (Jira)

Dec 10, 2021, 2:44:01 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Labels: tbd

Josh Cooper (Jira)

Oct 19, 2022, 11:09:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Labels: Easy tbd

Nick GW (Jira)

May 9, 2023, 1:09:01 PM
to puppe...@googlegroups.com
Nick GW commented on Improvement PUP-10589
 
Re: Provide the ability to generate a CSR without submitting to the CA

Please implement this, it'd be super handy for working with external CAs


Josh Cooper (Jira)

May 9, 2023, 1:16:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue

*UPDATE*

It would be fairly trivial to implement this. The {{puppet ssl}} application needs a new action to generate the CSR. It needs to implement this section of code to load or generate the private key and generate the CSR (https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/lib/puppet/application/ssl.rb#L164-L176), and then call {{puts csr.to_text}} to write the contents to stdout. It also needs a test in spec/unit/application/ssl_spec.rb.
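The workflow described in the issue (an agent generating its private key and CSR locally because it cannot yet authenticate to the CA) and in the UPDATE (load or generate the key, build the CSR, print csr.to_text without submitting it) boils down to a few OpenSSL calls. The following is an added example written for this page; it is not Puppet's own `puppet ssl` code and does not use Puppet::SSL::Host. The function names, the key path, the 2048-bit RSA key size, SHA-256 as the signature digest, the DNS subjectAltName handling and the sanity checks are all assumptions of this example, not behaviour documented in the ticket.

```ruby
require 'openssl'
require 'tmpdir'

# Load an existing PEM private key from +path+, or generate one and write it
# with 0600 permissions (created exclusively, so an existing file is never
# clobbered). The private key never leaves this host; only the CSR does.
# 2048-bit RSA is an assumption of this example, not a Puppet default.
def load_or_generate_key(path, bits: 2048)
  return OpenSSL::PKey::RSA.new(File.read(path)) if File.exist?(path)

  key = OpenSSL::PKey::RSA.new(bits)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(key.to_pem) }
  key
end

# Build a PKCS#10 CSR for +certname+ (as CN), optionally carrying DNS
# subjectAltNames inside an extensionRequest attribute, and self-sign it
# with SHA-256. Nothing is sent to any CA: the caller decides where the
# PEM goes (Puppet CA, an external CA, or a ticket like the OpsWorks flow).
def generate_csr(certname, key, dns_alt_names: [])
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key

  unless dns_alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName', dns_alt_names.map { |n| "DNS:#{n}" }.join(','))
    # extensionRequest is a SET containing one SEQUENCE OF Extension.
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end

  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Read the DNS names back out of a CSR. This is what you should inspect
# before handing the request to a CA that will sign whatever it is given.
def csr_dns_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr

  ext_set = OpenSSL::ASN1.decode(attr.value.to_der)
  exts = ext_set.value.first.value.map { |seq| OpenSSL::X509::Extension.new(seq) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  return [] unless san

  san.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# Pre-submission sanity check: the CSR's self-signature verifies with the
# embedded public key, and that public key matches the private key we hold
# (so the issued certificate will actually be usable by this agent).
def csr_sane?(csr, key)
  csr.verify(csr.public_key) && csr.public_key.to_der == key.public_key.to_der
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    # Hypothetical certname and key path; Puppet keeps keys under ssldir.
    key = load_or_generate_key(File.join(dir, 'agent.example.com.pem'))
    csr = generate_csr('agent.example.com', key, dns_alt_names: ['agent', 'agent.example.com'])
    puts csr.to_text   # what a generate_csr action would write to stdout
    puts csr.to_pem    # what you would hand to the CA
  end
end
```

Two points a reviewer of a real `generate_csr` action would insist on: the key file must be created with restrictive permissions and never overwritten silently (hence the exclusive create), and the action must not fall back to contacting the CA on any path, since the whole reason for the feature is that the agent has no client certificate yet.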