Jira (PUP-11471) Allow Puppet::HTTP::Client to connect to server trusted by the system trust store using the puppet certificate for client authentification


Romain Tartière

Feb 26, 2022, 10:54:05 PM
to puppe...@googlegroups.com
Romain Tartière created an issue
 
Puppet / Improvement PUP-11471
Allow Puppet::HTTP::Client to connect to server trusted by the system trust store using the puppet certificate for client authentification
Issue Type: Improvement
Assignee: Unassigned
Created: 2022/02/26 7:53 PM
Priority: Normal
Reporter: Romain Tartière

On instantiation, a Puppet::HTTP::Client uses a Puppet::SSL::Context to verify secure connections to remote hosts. The Puppet::SSL::Provider provides convenience methods to build SSL Contexts:

  1. create_insecure_context: An insecure SSL Context, allowing connections to any host without client certificate authentication;
  2. create_root_context: A basic SSL Context trusting the passed certificates and that does not allow client certificate authentication;
  3. create_system_context: A basic SSL Context trusting system certificates but not checking CRL and not allowing client certificate authentication;
  4. create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRL and using client certificate authentication.

None of these SSL Contexts allows downloading files served by a server using certificates signed by a trusted third party (system store) but with client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files.

This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage.

 


Romain Tartière

Feb 26, 2022, 10:57:03 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
Change By: Romain Tartière
Acceptance Criteria: The following code works:

{code:ruby}
url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
client.get(URI(url), options: { ssl_context: provider.create_XXX_context }) do |response|
  raise 'Failed to download artifact' unless response.success?
  response.read_body { |data| do_something(data) }
end
{code}

Romain Tartière

Feb 26, 2022, 10:58:03 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
Change By: Romain Tartière
Acceptance Criteria: The following code works:

{code:ruby}
url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
client.get(URI(url), options: { ssl_context: provider.create_XXX_context }) do |response|
  raise 'Failed to download artifact' unless response.success?
  response.read_body { |data| do_something(data) }
end
{code}

Romain Tartière

Feb 26, 2022, 11:00:04 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
Change By: Romain Tartière
Acceptance Criteria: The following code works:

{code:ruby}
url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
client.get(URI(url), options: { ssl_context: provider.create_XXX_context }) do |response|
  raise 'Failed to download artifact' unless response.success?
  response.read_body { |data| do_something(data) }
end
{code}

Romain Tartière

Feb 26, 2022, 11:00:04 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
On instantiation, a {{Puppet::HTTP::Client}} uses a {{Puppet::SSL::Context}} to verify secure connections to remote hosts. The {{Puppet::SSL::Provider}} provides convenience methods to build SSL Contexts:
# create_insecure_context: An insecure SSL Context, allowing connections to any host without client certificate authentication;
# create_root_context: A basic SSL Context trusting the passed certificates and that does not allow client certificate authentication;
# create_system_context: A basic SSL Context trusting system certificates but not checking CRL and not allowing client certificate authentication;
# create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRL and using client certificate authentication.

None of these SSL Contexts allows downloading files served by a server using certificates signed by a trusted third party (system store) but with client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files.

This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage.

 

Romain Tartière

Feb 26, 2022, 11:05:03 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
Change By: Romain Tartière
Acceptance Criteria:
The following code works:
{code:ruby}
url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
client.get(URI(url), options: { ssl_context: provider.create_hybrid_context }) do |response| # was: provider.create_XXX_context
  raise 'Failed to download artifact' unless response.success?
  response.read_body { |data| do_something(data) }
end
{code}

Romain Tartière

Feb 27, 2022, 1:29:03 AM
to puppe...@googlegroups.com
Romain Tartière updated an issue
On instantiation, a {{Puppet::HTTP::Client}} uses a {{Puppet::SSL::Context}} to verify secure connections to remote hosts. The {{Puppet::SSL::Provider}} provides convenience methods to build SSL Contexts:
# create_insecure_context: An insecure SSL Context, allowing connections to any host without client certificate authentication;
# create_root_context: A basic SSL Context trusting the passed certificates and that does not allow client certificate authentication;
# create_system_context: A basic SSL Context trusting system certificates but not checking CRL and not allowing client certificate authentication;
# create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRL and using client certificate authentication.

None of these SSL Contexts allows downloading files served by a server using certificates signed by a trusted third party (system store) but with client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files (our rationale is that we want to use "standard" certificates to allow access to the files with either login+password or a trusted client certificate, and since the code is used by Bolt, it is convenient to rely on Puppet::HTTP::Client to download these files).

This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage.

 

Romain Tartière

Feb 28, 2022, 3:36:02 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
On instantiation, a {{Puppet::HTTP::Client}} uses a {{Puppet::SSL::Context}} to verify secure connections to remote hosts. The {{Puppet::SSL::Provider}} provides convenience methods to build SSL Contexts:
# create_insecure_context: An insecure SSL Context, allowing connections to any host without verification and not allowing client certificate authentication;
# create_root_context: A basic SSL Context trusting the passed certificates and that does not allow client certificate authentication;
# create_system_context: A basic SSL Context trusting system certificates but not checking CRL and not allowing client certificate authentication;
# create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRL and using client certificate authentication.

None of these SSL Contexts allows downloading files served by a server using certificates signed by a trusted third party (system store) but with client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files (our rationale is that we want to use "standard" certificates to allow access to the files with either login+password or a trusted client certificate, and since the code is used by Bolt, it is convenient to rely on Puppet::HTTP::Client to download these files).

This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage.

 

Romain Tartière

Feb 28, 2022, 3:36:02 PM
to puppe...@googlegroups.com
Romain Tartière updated an issue
On instantiation, a {{Puppet::HTTP::Client}} uses a {{Puppet::SSL::Context}} to verify secure connections to remote hosts. The {{Puppet::SSL::Provider}} provides convenience methods to build SSL Contexts:
# create_insecure_context: An insecure SSL Context, allowing connections to any host without verification and not allowing client certificate authentication;
# create_root_context: A basic SSL Context trusting the passed certificates and that does not allow client certificate authentication;
# create_system_context: A basic SSL Context trusting system certificates but not checking CRL (because they do not exist) and not allowing client certificate authentication;
# create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRL and using client certificate authentication.

None of these SSL Contexts allows downloading files served by a server using certificates signed by a trusted third party (system store) but with client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files (our rationale is that we want to use "standard" certificates to allow access to the files with either login+password or a trusted client certificate, and since the code is used by Bolt, it is convenient to rely on Puppet::HTTP::Client to download these files).

This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage.

 

Romain Tartière

Feb 28, 2022, 3:38:02 PM
to puppe...@googlegroups.com
This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage:
# Verify remote host against system trusted CA;
# Do not enforce CRL check because there is none for the system trust store;
# Authenticate using puppet node certificate.
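The three properties listed in that comment, shown as an added example written for this page rather than code from Puppet or from the reporter: a plain Ruby/OpenSSL "hybrid" context that verifies servers against the system trust store, sets no CRL flag, and carries the node certificate for client authentication. The function names and the throwaway CA and node certificate are assumptions built in-process, not Puppet APIs or real Puppet CA material.

```ruby
require 'openssl'
# "Hybrid" context as described in the issue: servers are verified against the
# system trust store (plus any CA passed in), no CRL check is enforced because
# the system store ships none, and the node's Puppet-issued certificate is
# presented when the server requests client authentication.
def build_hybrid_context(client_cert, client_key, extra_cas: [])
  store = OpenSSL::X509::Store.new
  store.set_default_paths                        # system trust store
  extra_cas.each { |ca| store.add_cert(ca) }     # no V_FLAG_CRL_CHECK set
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER    # never skip server verification
  ctx.cert_store = store
  ctx.cert = client_cert                         # client authentication material
  ctx.key = client_key
  ctx
end

# Constructed fixture (assumption, not Puppet code): a throwaway CA standing in
# for the Puppet CA and a certificate it signs standing in for a node cert.
def make_cert(cn, key, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', "CA:#{ca}".upcase, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

def hybrid_context_demo
  ca_key    = OpenSSL::PKey::RSA.generate(2048)
  ca_cert   = make_cert('Constructed Puppet CA', ca_key, ca: true)
  node_key  = OpenSSL::PKey::RSA.generate(2048)
  node_cert = make_cert('node.example.internal', node_key, issuer: [ca_cert, ca_key])
  ctx = build_hybrid_context(node_cert, node_key)
  {
    verify_mode: ctx.verify_mode,
    presents_node_cert: ctx.cert.subject.to_s.include?('node.example.internal'),
    # The private Puppet CA is not a trusted *server* issuer in a hybrid context;
    # it only becomes one when added explicitly, which is what create_context does.
    puppet_ca_trusted_for_servers: ctx.cert_store.verify(node_cert),
    puppet_ca_trusted_when_added:
      build_hybrid_context(node_cert, node_key, extra_cas: [ca_cert]).cert_store.verify(node_cert)
  }
end
```

The last two keys make the trust boundary explicit: the node certificate is offered to the server, but a server presenting a certificate from the private Puppet CA is only accepted when that CA is added to the store on purpose.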

 

Nirupama Mantha (Jira)

Mar 1, 2022, 4:18:03 PM
to puppe...@googlegroups.com

Nirupama Mantha (Jira)

Mar 1, 2022, 4:19:03 PM
to puppe...@googlegroups.com

Lisa Ross (Jira)

Mar 10, 2022, 11:49:02 AM
to puppe...@googlegroups.com

Lisa Ross (Jira)

Mar 10, 2022, 11:52:01 AM
to puppe...@googlegroups.com

Lisa Ross (Jira)

Mar 10, 2022, 11:56:02 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 14, 2022, 12:55:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 18, 2022, 12:58:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Enhancement
Release Notes Summary: It's now possible to connect to "https" file sources that require a client certificate for authentication.

Josh Cooper (Jira)

Mar 18, 2022, 1:04:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: You can now specify an "https" URL as the "source" of a "file" resource when the TLS server requires a client certificate for authentication. (was: It's now possible to connect to "https" file sources that require a client certificate for authentication.)

Nirupama Mantha (Jira)

Mar 30, 2022, 11:18:02 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 31, 2022, 11:54:02 PM
to puppe...@googlegroups.com

Parker Leach (Jira)

Apr 8, 2022, 2:13:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 21, 2022, 12:23:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Acceptance Criteria:
The following code works:
{code:ruby}
url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
client.get(URI(url), options: { include_system_store: true }) do |response| # was: ssl_context: provider.create_hybrid_context
  raise 'Failed to download artifact' unless response.success?
  response.read_body { |data| do_something(data) }
end
{code}

Alvin Rodis (Jira)

Apr 25, 2022, 9:50:02 AM
to puppe...@googlegroups.com

Alvin Rodis (Jira)

Apr 25, 2022, 9:50:02 AM
to puppe...@googlegroups.com