Jira (PUP-11522) Allow Puppet::HTTP::Client to connect to a server the puppet certificate for client authentication and 'ssl_trust_store'


Alvin Rodis (Jira)

Apr 26, 2022, 2:13:01 PM
to puppe...@googlegroups.com
Alvin Rodis updated an issue
 
Puppet / Bug PUP-11522
Allow Puppet::HTTP::Client to connect to a server the puppet certificate for client authentication and 'ssl_trust_store'
Change By: Alvin Rodis
Labels: jira_escalated
 
This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)

Alvin Rodis (Jira)

Apr 26, 2022, 2:13:02 PM
to puppe...@googlegroups.com

Jarret Lavallee (Jira)

Apr 26, 2022, 2:13:03 PM
to puppe...@googlegroups.com
Jarret Lavallee created an issue
Issue Type: Bug
Affects Versions: PUP 6.27.0, PUP 7.16.0
Assignee: Unassigned
Created: 2022/04/26 11:12 AM
Priority: Normal
Reporter: Jarret Lavallee

Puppet Version: 6.27.0 and 7.16.0
Puppet Server Version: N/A
OS Name/Version: Any

PUP-11471 enabled using the system CA store when using HTTP::Client; however, it did not enable users to use the 'ssl_trust_store' Puppet.conf option with client SSL authentication. After PUP-11471 a user can use 'create_context' or 'load_context' to use client based authentication with 'include_system_store: true' to load the trusted CA certificates from '/opt/puppetlabs/puppet/ssl/certs/' and '/opt/puppetlabs/puppet/ssl/cert.pem'. It does not enable a user to use 'create_context' or 'load_context' to use client based authentication with 'include_system_store: true' to load the trusted CA certificates from the 'ssl_trust_store' Puppet.conf option.

The 'ssl_trust_store' Puppet.conf option removes the requirement of using 'c_rehash' or appending the CA bundle to '/opt/puppetlabs/puppet/ssl/cert.pem', which is overwritten on any agent upgrade.

When 'include_system_store: true' is passed, 'create_context' should load 'Puppet[:ssl_trust_store]' the same way that 'create_system_context' does here: https://github.com/puppetlabs/puppet/blob/d894861565aa95bd6f4f1cb85fe44ab62cc37854/lib/puppet/ssl/ssl_provider.rb#L73-L89

Desired Behavior:

'create_context' should load the certificates from 'Puppet[:ssl_trust_store]' with 'include_system_store: true'.

Actual Behavior:
There is no way to load the certificates from 'Puppet[:ssl_trust_store]' with 'create_context'.

Using the system context is not an option in this scenario as it does not use the client certificates for authentication.

Examples:

We would expect the following to use client certificates and load the certificate bundles defined in 'Puppet[:ssl_trust_store]'. It does not work unless the CA certificate is loaded into /opt/puppetlabs/puppet/ssl/certs/ and /opt/puppetlabs/puppet/bin/c_rehash is run.

require 'puppet'            # added: the snippet assumes the puppet gem is loaded
Puppet.initialize_settings  # added: reads puppet.conf, including ssl_trust_store

url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
client = Puppet.runtime[:http]
provider = Puppet::SSL::SSLProvider.new
# client-authenticated context: the agent's own cert and key, plus the system store
ssl_context = provider.load_context(revocation: false, include_system_store: true)
client.get(URI(url), options: { ssl_context: ssl_context }) do |response|
  raise 'Failed to download artifact' unless response.success?

  response.read_body { |data| do_something(data) } # do_something: the caller's own handler
end

Josh Cooper (Jira)

Apr 26, 2022, 3:08:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11522
 
Re: Allow Puppet::HTTP::Client to connect to a server the puppet certificate for client authentication and 'ssl_trust_store'

Not sure what happened here, but we'll get this fixed.

In cases where SSLProvider accepts include_system_store (like create_context and load_context), it should optionally include CA certs in Puppet[:ssl_trust_store]. In other words, include_system_store and ssl_trust_store are closely linked and should behave that way.

Also the intention was to be able to call: post(url, options: { include_system_store }) so that it's not necessary for the caller to create/load an ssl_context.
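To make the bug report's scenario and the comment above concrete, here is an added Ruby example; it is not Puppet's code, and the module and method names (TrustDemo, build_store, client_context, try_handshake, run_scenarios) are hypothetical stand-ins for SSLProvider's create_context / create_system_context. It constructs a throwaway "Puppet CA", a "third-party CA" that exists only in a temporary ssl_trust_store bundle, a server certificate from the third-party CA and an agent certificate from the Puppet CA, then runs three loopback TLS handshakes against a server that requires a client certificate: the context that ignores the bundle (today's create_context), the bundle-only context with no client certificate (create_system_context), and the combined context the ticket asks for. Only the last one succeeds.

```ruby
require 'openssl'
require 'socket'
require 'tempfile'

# Hypothetical stand-in for Puppet's SSLProvider (added example, not Puppet code).
module TrustDemo
  # Constructed throwaway certificate; self-signed CA when +issuer+ is nil.
  def self.make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, serial
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer = issuer ? issuer.subject : cert.subject
    cert.public_key = key.public_key
    cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
    cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # Trust store analogue: the puppet CA is always trusted; include_system_store adds
  # the system default paths and (the ticket's request) the Puppet[:ssl_trust_store] bundle.
  def self.build_store(puppet_ca, include_system_store: false, trust_store_path: nil)
    store = OpenSSL::X509::Store.new
    store.add_cert(puppet_ca)
    if include_system_store
      store.set_default_paths
      store.add_file(trust_store_path) if trust_store_path
    end
    store
  end

  # Client context: always verifies the server chain and hostname; presents a
  # client certificate only when given one (create_system_context has none).
  def self.client_context(store, cert: nil, key: nil)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert_store, ctx.verify_mode, ctx.verify_hostname = store, OpenSSL::SSL::VERIFY_PEER, true
    ctx.cert, ctx.key = cert, key if cert
    ctx
  end

  # Loopback server requiring a client cert issued by +client_ca+; :ok only if the
  # client completes the handshake and reads the payload, :rejected otherwise.
  def self.try_handshake(server_cert, server_key, client_ca, client_ctx)
    server_ctx = OpenSSL::SSL::SSLContext.new
    server_ctx.cert, server_ctx.key = server_cert, server_key
    server_ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(client_ca) }
    server_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    listener = TCPServer.new('127.0.0.1', 0)
    server = Thread.new do
      ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
      ssl.sync_close = true
      ssl.accept
      ssl.write('ok')
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError # aborted handshake
    ensure
      ssl&.close rescue nil
    end
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', listener.addr[1]), client_ctx)
      ssl.sync_close, ssl.hostname = true, 'server.test'
      ssl.connect
      payload = ssl.read(2)
      ssl.close
      payload == 'ok' ? :ok : :rejected
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      :rejected
    ensure
      server.join
      listener.close
    end
  end

  # The ticket's scenario: server cert from a third-party CA present only in the
  # ssl_trust_store bundle; the server demands a client cert from the puppet CA.
  def self.run_scenarios
    puppet_ca_key, third_ca_key, srv_key, cli_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
    puppet_ca = make_cert('Puppet CA', puppet_ca_key, 1, ca: true)
    third_ca = make_cert('Third-party CA', third_ca_key, 2, ca: true)
    srv = make_cert('server.test', srv_key, 3, issuer: third_ca, issuer_key: third_ca_key)
    cli = make_cert('agent.test', cli_key, 4, issuer: puppet_ca, issuer_key: puppet_ca_key)
    bundle = Tempfile.new(['ssl_trust_store', '.pem'])
    bundle.write(third_ca.to_pem)
    bundle.flush
    with_bundle = build_store(puppet_ca, include_system_store: true, trust_store_path: bundle.path)
    without_bundle = build_store(puppet_ca, include_system_store: true)
    {
      # create_context(include_system_store: true) today: client cert, but bundle not loaded
      context_without_bundle: try_handshake(srv, srv_key, puppet_ca, client_context(without_bundle, cert: cli, key: cli_key)),
      # create_system_context: bundle loaded, but no client cert to present
      system_context: try_handshake(srv, srv_key, puppet_ca, client_context(with_bundle)),
      # desired behaviour: client cert and ssl_trust_store bundle together
      context_with_bundle: try_handshake(srv, srv_key, puppet_ca, client_context(with_bundle, cert: cli, key: cli_key))
    }
  ensure
    bundle&.close!
  end
end

puts TrustDemo.run_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

The two failing cases are the two halves of the ticket: without the bundle the agent cannot verify a server issued by a CA outside the puppet PKI, and without the client certificate the server refuses the agent, so a context that does one or the other is not enough. Note that the hostname check is kept on in every client context; dropping it would let any certificate the bundle trusts impersonate the server.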

Nirupama Mantha (Jira)

Apr 26, 2022, 4:09:03 PM
to puppe...@googlegroups.com

Nirupama Mantha (Jira)

Apr 26, 2022, 4:10:02 PM
to puppe...@googlegroups.com

Nirupama Mantha (Jira)

Apr 26, 2022, 4:12:02 PM
to puppe...@googlegroups.com

Nirupama Mantha (Jira)

Apr 27, 2022, 11:35:01 AM
to puppe...@googlegroups.com
Nirupama Mantha updated an issue
Change By: Nirupama Mantha
Acceptance Criteria: create_context and load_context methods should behave like create_system_context wrt the include system_store parameter and ssl_trust_store config path setting

When using the http client in puppet it should be possible to connect to an https server that requires client certs and whose server cert is issued by a third party CA

E.g. it should be possible to call post(url, include system_store true) and connect to the server described above

Jarret Lavallee (Jira)

Apr 27, 2022, 12:32:02 PM
to puppe...@googlegroups.com
Jarret Lavallee commented on Bug PUP-11522
 
Re: Allow Puppet::HTTP::Client to connect to a server the puppet certificate for client authentication and 'ssl_trust_store'

The problem with {{post(url, options: { include_system_store })}} is that it uses the system SSL context, which does include the CA certs in Puppet[:ssl_trust_store], but does not include the client certificates. https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/client.rb#L461-L470

As a part of this, the HTTP::Client will probably need to be updated to use create_context or load_context with the include_system_store and ssl_trust_store options that are added/modified.

Is there a use case for using the system context and not the client context within HTTP::Client?

Josh Cooper (Jira)

Apr 27, 2022, 12:57:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11522

Yeah jarret.lavallee that's correct. The use case for "create_system_context" is when the agent is bootstrapping itself and has a CA & CRL, but doesn't yet have a client cert. For example, when submitting its CSR. The HTTP client will be updated as part of this ticket to no longer call "create_system_context".

Josh Cooper (Jira)

Apr 27, 2022, 12:58:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Acceptance Criteria (edited; final text): create_context and load_context methods should behave like create_system_context wrt the include_system_store parameter and ssl_trust_store config path setting

When using the http client in puppet it should be possible to connect to a https server that requires client certs and whose server cert is issued by a third party CA

Eg. should be possible to call post(url, include_system_store: true) and connect to server described above

Josh Cooper (Jira)

Apr 27, 2022, 7:29:01 PM
to puppe...@googlegroups.com