Jira (PUP-11331) puppet-agent again unable to use https on masterless


Hans Lambermont (Jira)

Oct 29, 2021, 8:18:02 AM
to puppe...@googlegroups.com
Hans Lambermont created an issue

Puppet / Bug PUP-11331
puppet-agent again unable to use https on masterless
Issue Type: Bug
Affects Versions: PUP 7.11.0
Assignee: Unassigned
Created: 2021/10/29 5:17 AM
Priority: Normal
Reporter: Hans Lambermont

Puppet Version: 7.11
Puppet Server Version: none, there is no puppet server
OS Name/Version: Ubuntu 20.04 LTS

Reporting to puppet-summary via https on a masterless setup fails with:

Puppet (err): Failed to initialize SSL: The CA certificates are missing from '/etc/puppetlabs/puppet/ssl/certs/ca.pem'

and later

Puppet (err): Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/<FQDN>.pem'

This is a revisit of PUP-10365 but the fix in there does not help.

Desired Behavior:

Puppet does not attempt to load these missing CA and private keys on a masterless setup and allows plain https use to report to puppet-summary.

Actual Behavior:

With /etc/puppetlabs/puppet/puppet.conf:

[main]
codedir          = <some local directory>
report           = true
reports          = http, store
reporturl        = https://puppet-summary.<internal-domain>/upload
disable_warnings = deprecations

puppet fails with:

Puppet (err): Failed to initialize SSL: The CA certificates are missing from '/etc/puppetlabs/puppet/ssl/certs/ca.pem'

If we add a line to some random cert to shut it up, like:

localcacert = /etc/ssl/certs/ca-certificates.crt

Then the next error is:

Puppet (err): Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/<FQDN>.pem'

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Josh Cooper (Jira)

Oct 29, 2021, 2:17:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11331

Re: puppet-agent again unable to use https on masterless

Puppet attempts to load the default SSLContext, because most of the time we need the client cert for mutual TLS authentication and we want to perform revocation checking (so we need CRLs). But to support this use case, it should be possible for the http processor (or a processor you write) to construct the SSL context directly using CA certs you provide:

provider = Puppet::SSL::SSLProvider.new
# Trust only the CA certs in the given bundle: no client cert, no CRL/revocation checking
ssl_context = provider.create_system_context(cacerts: [], path: "/etc/ssl/certs/ca-certificates.crt")

http = Puppet.runtime[:http]
# url: the report server URI; data: the report body. headers:/params: may also be passed.
http.post(url, data, options: { ssl_context: ssl_context })

Note if you need more control over the ssl context, you can use Puppet::X509::CertProvider to load CA certs, and CRLs if you want to perform revocation checking.

We're unlikely to modify core puppet to support the case where client certs are not issued, but if you'd like to submit a PR to the "http" report processor that'd be great. We'd need a puppet setting like "report_something" that if set allows the "http" processor to only trust the system store and disable client/cert & revocation logic.
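An added example, not from this thread and not Puppet's own code, showing the two client contexts the comment above contrasts. It is built with Ruby's stdlib OpenSSL rather than Puppet::SSL::SSLProvider so it runs without Puppet installed: `mutual_tls_context` requires the CA bundle, client cert, client key and CRL that Puppet's default context loads (the files a masterless node lacks, which is where the two "missing" errors in the report come from), while `system_trust_context` trusts only the OS store or a CA bundle you name, still verifies the server, and sends no client certificate. The function names, the `trusts?` helper and the throwaway CA, server and rogue certificates are all constructed for this example.

```ruby
# Added example (not from the Jira thread or from Puppet): the two kinds of TLS
# client context discussed above, built with Ruby's stdlib OpenSSL so it runs
# without Puppet installed. Names below are constructed for the example.
require 'openssl'
require 'tempfile'

# Client context that only trusts a CA bundle (the OS store by default):
# server is verified, but no client cert, no private key, no CRL checking.
def system_trust_context(ca_path: nil)
  store = OpenSSL::X509::Store.new
  if ca_path
    store.add_file(ca_path)     # e.g. /etc/ssl/certs/ca-certificates.crt
  else
    store.set_default_paths     # the OS trust store, as curl would use
  end
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # still verify the server
  ctx                                           # ctx.cert / ctx.key stay nil
end

# The mutual-TLS context Puppet's default SSLContext expects: every file must
# exist, which is exactly what a masterless node cannot provide.
def mutual_tls_context(cacert:, cert:, key:, crl:)
  [cacert, cert, key, crl].each do |path|
    raise ArgumentError, "missing #{path}" unless File.exist?(path)
  end
  store = OpenSSL::X509::Store.new
  store.add_file(cacert)
  store.add_crl(OpenSSL::X509::CRL.new(File.read(crl)))
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert))   # client cert
  ctx.key = OpenSSL::PKey.read(File.read(key))                 # client key
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# Would this context accept server_cert as a peer? Same chain check the TLS
# handshake performs, run offline against the context's trust store.
def trusts?(ctx, server_cert)
  ctx.cert_store.verify(server_cert)
end

# --- constructed fixtures: a throwaway CA, a server cert it signed, and a
# --- self-signed "rogue" cert with the same name that nobody trusts
def make_cert(subject, issuer_key: nil, issuer_cert: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

CA_KEY, CA_CERT = make_cert('/CN=constructed test CA', ca: true)
_, SERVER_CERT = make_cert('/CN=puppet-summary.example.test',
                           issuer_key: CA_KEY, issuer_cert: CA_CERT)
_, ROGUE_CERT = make_cert('/CN=puppet-summary.example.test')   # self-signed

CA_BUNDLE = Tempfile.new(['ca-bundle', '.crt'])   # stands in for localcacert
CA_BUNDLE.write(CA_CERT.to_pem)
CA_BUNDLE.flush

if __FILE__ == $0
  ctx = system_trust_context(ca_path: CA_BUNDLE.path)
  puts "server cert trusted: #{trusts?(ctx, SERVER_CERT)}"
  puts "rogue cert trusted:  #{trusts?(ctx, ROGUE_CERT)}"
  puts "client cert sent:    #{!ctx.cert.nil?}"
end
```

The point of the split is that the system-trust context loses nothing a report upload needs: the server is still authenticated against a CA you control, only the agent-side identity (and its CRL fetch) is dropped. Puppet's `create_system_context` builds the same kind of store under the hood, so a report processor that used it would behave like `system_trust_context` here.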

Hans Lambermont (Jira)

Nov 1, 2021, 9:18:01 AM
to puppe...@googlegroups.com

Hi Josh,

Yes, this works in 4.10 (and we're preparing to upgrade to 7.x).

We would like to see puppet being able to use https without having to provide a CAcert and/or private PEM keys for each and every https server we'd like to talk to and instead just rely on what the OS provides (like it does for curl for instance). We think that is a reasonable feature to ask for.

Josh Cooper (Jira)

Nov 10, 2021, 8:03:03 PM
to puppe...@googlegroups.com

Hans Lambermont (Jira)

Nov 25, 2021, 10:51:01 AM
to puppe...@googlegroups.com

Can we then change Status from 'needs information' to 'accepted' and assign to someone who can implement?

Hans Lambermont (Jira)

Feb 2, 2022, 6:56:01 AM
to puppe...@googlegroups.com

Please respond


Josh Cooper (Jira)

Feb 23, 2022, 9:27:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11331

Hi shapepup if you are a PE customer please reach out to your support contact. If you are an open source user, then we can't guarantee when this issue will be fixed. You are welcome to submit a pull request to resolve the issue and we're generally available in slack if you need pointers on how to get started.
