Jira (PUP-9638) Add an option to verify the CA bundle download against a fingerprint


Josh Cooper (JIRA)

Apr 10, 2019, 1:53:03 PM4/10/19
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Improvement PUP-9638
Add an option to verify the CA bundle download against a fingerprint
Issue Type: Improvement
Assignee: Unassigned
Created: 2019/04/10 10:52 AM
Priority: Normal
Reporter: Josh Cooper

Historically puppet has downloaded the CA bundle using an unauthenticated connection (since we don't have CA bundle yet). This is insecure, but it's how puppet has worked since SSL support was originally added.

It should be possible for puppet to compare the downloaded CA bundle (/etc/puppetlabs/puppet/ssl/certs/ca.pem) against a SHA-256 fingerprint. If the fingerprint does not match, the agent should error, not save the bundle to disk and abort the run.


Jorie Tappa (JIRA)

May 13, 2019, 12:40:03 PM5/13/19
to puppe...@googlegroups.com
Jorie Tappa commented on Improvement PUP-9638
 
Re: Add an option to verify the CA bundle download against a fingerprint

We need to decide how exactly this will be implemented and what it affects.

Jorie Tappa (JIRA)

May 13, 2019, 12:41:03 PM5/13/19
to puppe...@googlegroups.com
Jorie Tappa updated an issue
 
Change By: Jorie Tappa
Sprint: Coremunity Grooming -> Coremunity Hopper

Josh Cooper (JIRA)

Jun 11, 2019, 7:23:03 PM6/11/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.5.0 -> PUP 6.y

Josh Cooper (JIRA)

Jun 11, 2019, 7:23:04 PM6/11/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.y -> PUP 6.6.0

Josh Cooper (JIRA)

Jun 17, 2019, 5:31:03 PM6/17/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: If the `ca_fingerprint` puppet setting is set, then newly provisioned agents will verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. The setting should be set to the SHA256 digest of the CA certificate, which can be calculated on the puppetserver using:

$ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
67aa4502b29c54f2b0984a322f06032103d75de29401d1b4416cb4f4f6dd8504
Release Notes: Enhancement
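
The verify-before-save step that the issue description and the release note above describe, written out as an added example in Ruby. This is not Puppet's own code: the module name CaBootstrap, the bootstrap method, the FingerprintMismatch error and the fetch block are all hypothetical, and the sample bundle is a constructed string, not a real certificate. It assumes, to match the `openssl dgst -sha256 -r ca.pem` command in the release note, that the expected value is the SHA-256 of the PEM file bytes, and it accepts the digest with or without colons and in either case.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Added example (not Puppet's own code): the verify-before-save step PUP-9638
# asks for. CaBootstrap, bootstrap and FingerprintMismatch are hypothetical names.
# The check mirrors the release-note command: the expected value is the SHA-256
# of the PEM file bytes, exactly what `openssl dgst -sha256 -r ca.pem` prints.
module CaBootstrap
  class FingerprintMismatch < StandardError; end

  # Constructed stand-in for a downloaded bundle; not a real certificate.
  SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\n" \
                  "MIIBconstructedNotARealCertificateBody\n" \
                  "-----END CERTIFICATE-----\n".freeze

  # Accept "ab12...", "AB12..." or "AB:12:..." and reduce them all to lowercase hex,
  # rejecting anything that is not a 64-hex-digit SHA-256 digest.
  def self.normalize_fingerprint(fp)
    hex = fp.to_s.strip.delete(':').downcase
    unless hex.match?(/\A\h{64}\z/)
      raise ArgumentError, "ca_fingerprint must be a 64-hex-digit SHA-256 digest, got #{fp.inspect}"
    end
    hex
  end

  # Digest of the raw PEM bytes (same value as `openssl dgst -sha256 -r ca.pem`).
  def self.fingerprint(pem)
    Digest::SHA256.hexdigest(pem)
  end

  def self.fingerprint_matches?(pem, expected)
    fingerprint(pem) == normalize_fingerprint(expected)
  end

  # fetch returns the bundle bytes obtained over the (unauthenticated) connection.
  # When expected is set, the bundle is written to dest only if its digest matches;
  # on mismatch nothing is written and FingerprintMismatch aborts the caller's run.
  # When expected is nil the historical unverified behaviour is kept.
  def self.bootstrap(dest, expected, &fetch)
    pem = fetch.call
    if expected
      actual = fingerprint(pem)
      wanted = normalize_fingerprint(expected)
      if actual != wanted
        raise FingerprintMismatch,
              "CA bundle fingerprint #{actual} does not match expected #{wanted}; not saving #{dest}"
      end
    end
    FileUtils.mkdir_p(File.dirname(dest), mode: 0o755)
    File.open(dest, 'w', 0o644) { |f| f.write(pem) }
    pem
  end
end

if __FILE__ == $PROGRAM_NAME
  expected = CaBootstrap.fingerprint(CaBootstrap::SAMPLE_BUNDLE)
  Dir.mktmpdir do |dir|
    dest = File.join(dir, 'ssl', 'certs', 'ca.pem')
    # A substituted bundle is rejected and nothing reaches the disk.
    begin
      CaBootstrap.bootstrap(dest, expected) { CaBootstrap::SAMPLE_BUNDLE.sub('constructed', 'tampered') }
    rescue CaBootstrap::FingerprintMismatch => e
      puts "rejected: #{e.message}"
    end
    # The genuine bundle is saved.
    CaBootstrap.bootstrap(dest, expected) { CaBootstrap::SAMPLE_BUNDLE }
    puts "saved #{dest} (#{expected})"
  end
end
```

One thing to keep straight when producing the expected value: `openssl dgst -sha256 ca.pem` hashes the PEM file as stored, whereas `openssl x509 -in ca.pem -noout -fingerprint -sha256` hashes the DER encoding of the certificate inside it. The two digests differ, so a value taken from the second command will never match a check built around the first, and the agent will refuse the bundle.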

Josh Cooper (JIRA)

Jun 17, 2019, 5:35:02 PM6/17/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper -> Platform Core KANBAN

Jorie Tappa (JIRA)

Jun 28, 2019, 7:07:02 PM6/28/19
to puppe...@googlegroups.com
Jorie Tappa commented on Improvement PUP-9638
 
Re: Add an option to verify the CA bundle download against a fingerprint

merged to master at cd8d2d03291320a840cd0cdd5c08df62585504e7

Jean Bond (JIRA)

Jul 19, 2019, 4:03:03 PM7/19/19
to puppe...@googlegroups.com
Jean Bond commented on Improvement PUP-9638

Hey Josh Cooper, just to clarify, if I'm the user trying to get the SHA256 digest of the CA certificate, I run that openssl command on the master? And I assume the number in that is a SHA that is returned, not part of the command; so the command I run is:

$ openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '

?

Josh Cooper (JIRA)

Jul 19, 2019, 6:00:14 PM7/19/19
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-9638

> I run that openssl command on the master?

Yep on the master (or the CA if Puppet[:ca_server] is overridden). Maybe better to phrase it as whichever host the agent downloads the CA bundle from?

> And I assume the number in that is a SHA that is returned

Yep exactly
