Jira (PUP-11450) Intermediate CA configuration results in error


Daryl Cashville (Jira)

Feb 3, 2022, 10:47:01 AM2/3/22
to puppe...@googlegroups.com
Daryl Cashville created an issue
 
Puppet / Bug PUP-11450
Intermediate CA configuration results in error
Issue Type: Bug
Affects Versions: PUP 7.6.0
Assignee: Unassigned
Components: Networking
Created: 2022/02/03 7:46 AM
Priority: Normal
Reporter: Daryl Cashville

New Puppet master on RHEL8, FIPS enabled, with puppetserver-7.6.0-1.el8.noarch installed.

  • Create intermediate CA per docs
  • Setup a new intermediate CA configuration via 'puppetserver ca import'
  • Puppet server certificate is signed with intermediate CA

puppetserver ca list command now outputs the following error:

Error:

    code: 500

    body: Internal Server Error: java.lang.IllegalArgumentException: The PEM stream must contain exactly one object

No certificates to list

puppetserver.log has the following error:

2022-02-03T15:44:49.756Z ERROR [qtp2104016619-45] [p.r.core] Internal Server Error: java.lang.IllegalArgumentException: The PEM stream must contain exactly one object
        at com.puppetlabs.ssl_utils.SSLUtils.pemToPublicKey(SSLUtils.java:785)
        at com.puppetlabs.ssl_utils.SSLUtils.pemToCaCert(SSLUtils.java:680)

This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)

Daryl Cashville (Jira)

Feb 3, 2022, 5:53:03 PM2/3/22
to puppe...@googlegroups.com
Daryl Cashville commented on Bug PUP-11450
 
Re: Intermediate CA configuration results in error

I figured this out by watching what the server was doing with inotifywatch - the problem was the private keys.

My cert chain had been constructed with EC keys instead of RSA keys. I converted the intermediate CA key to PKCS8 format unencrypted, but the import process still didn't create a valid ca_key.pem or ca_pub.pem file. It somehow still managed to sign the puppetserver's cert during the import, but it didn't throw an error until I went to start working with the first new client.

So, can EC key support be added as an RFE for a future release? It also would have been super helpful if the underlying system had said what file it was referencing when it barfed.

Josh Cooper (Jira)

Feb 7, 2022, 6:54:03 PM2/7/22
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11450

Hi buzzsaw.code, the agent does support EC keys, but not in situations where the agent and server are running on the same host, since the server shares the agent's key and cert and puppetserver does not support EC keys (or the recently proposed Ed25519 keys, see PUP-11439). AFAIK we don't have plans on adding EC key support to puppetserver anytime soon. I'd recommend only using EC keys in cases where you're provisioning an "agent-only" host.

I'm going to move this to the SERVER project as that's where the changes you're suggesting would need to happen.
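The two failure modes in this thread (the server's "The PEM stream must contain exactly one object" rejection in the bug report, and the EC-instead-of-RSA intermediate CA key that the follow-up comments identify as the real cause) can both be caught before running `puppetserver ca import`. The script below is an added example, not code from Puppet, puppetserver or the reporter: it counts the objects in a PEM file and, for an unencrypted PKCS#8 key, reads the algorithm OID from the PrivateKeyInfo header without any third-party library. The sample keys it builds are constructed PKCS#8 shells around dummy key bytes, sufficient to exercise the parser but not usable keys; the function names and verdict strings are this example's own.

```python
# Added pre-flight check for a PEM key file before 'puppetserver ca import'.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# Algorithm OIDs seen in the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo.
OID_NAMES = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC", "1.3.101.112": "Ed25519"}

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted string from the content bytes of an OBJECT IDENTIFIER."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def pkcs8_algorithm(der_bytes):
    """Algorithm name (or raw OID) of an unencrypted PKCS#8 PrivateKeyInfo."""
    _, body, _ = der_read(der_bytes, 0)        # outer SEQUENCE
    _, _, pos = der_read(body, 0)              # INTEGER version
    _, alg, _ = der_read(body, pos)            # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_read(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)

def classify_pem(text):
    """List of (label, algorithm) for every PEM object in text."""
    out = []
    for label, b64 in PEM_BLOCK.findall(text):
        if label == "PRIVATE KEY":                 # PKCS#8: read the OID
            algo = pkcs8_algorithm(base64.b64decode(b64))
        elif label == "ENCRYPTED PRIVATE KEY":     # unknowable without passphrase
            algo = None
        elif label.endswith(" PRIVATE KEY"):       # legacy "RSA"/"EC" label
            algo = label.split()[0]
        else:                                      # certificate, CSR, CRL ...
            algo = None
        out.append((label, algo))
    return out

def check_ca_key(text):
    """'OK ...' or 'FAIL: ...' with the reason the import would break."""
    objs = classify_pem(text)
    if len(objs) != 1:                         # the server's "exactly one object" rule
        return f"FAIL: PEM stream contains {len(objs)} objects, expected 1"
    label, algo = objs[0]
    if label == "ENCRYPTED PRIVATE KEY":
        return "FAIL: key is encrypted; the import needs an unencrypted key"
    if not label.endswith("PRIVATE KEY"):
        return f"FAIL: expected a private key, found {label}"
    if algo in ("EC", "Ed25519"):              # unsupported per PUP-11450 / PUP-11439
        return f"FAIL: {algo} key; puppetserver does not support EC or Ed25519 keys"
    if algo != "RSA":
        return f"FAIL: unrecognised key algorithm {algo}"
    return "OK: single unencrypted RSA private key"

# --- constructed sample input: valid PKCS#8 shells around dummy key bytes ---
def der(tag, body):                            # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                         # base-128, high bit on all but last
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def to_pem(label, der_bytes):
    b64 = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

def sample_keys():
    """RSA and EC PrivateKeyInfo blobs whose key OCTET STRING is just zeros."""
    def pkcs8(oid, params):
        alg = der(0x30, encode_oid(oid) + params)
        return der(0x30, der(0x02, b"\x00") + alg + der(0x04, b"\x00" * 4))
    return {"rsa": to_pem("PRIVATE KEY", pkcs8("1.2.840.113549.1.1.1", der(0x05, b""))),
            "ec": to_pem("PRIVATE KEY", pkcs8("1.2.840.10045.2.1", encode_oid("1.2.840.10045.3.1.7")))}
```

Calling `check_ca_key(open("ca_key.pem").read())` on a real file gives a verdict naming the file's actual problem, which is the diagnostic the reporter wished the server had printed. Concatenating the two constructed samples reproduces the "2 objects, expected 1" case, and the EC sample reproduces the unsupported-algorithm case from the comments.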
