Using Puppet 4 with external CA and single intermediate CA


Andreas Paul

Jul 2, 2015, 12:36:52 PM
to puppet...@googlegroups.com
Hello there,

I'm trying to bootstrap my new Puppet 4 environment with an external CA as described here: https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca

Here is the important part of the config:

webserver.conf:
...
ssl-cert : /etc/puppetlabs/puppet/ssl/certs/<puppetca_fqdn>.pem
ssl-key : /etc/puppetlabs/puppet/ssl/private_keys/<puppetca_fqdn>.pem
ssl-ca-cert : /etc/puppetlabs/puppet/ssl/certs/clientsca.pem
ssl-cert-chain : /etc/puppetlabs/puppet/ssl/certs/chain.pem
ssl-crl-path : /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
...

The chain.pem contains both the Root CA and the intermediate CA certificates.

A connection check with openssl works:

$ openssl s_client -verify 2 -CAfile /etc/puppetlabs/puppet/ssl/certs/chain.pem -cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem -key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem -connect localhost:8140 2>/dev/null | grep Verify
Verify return code: 0 (ok)

and I also added ssl_client_ca_auth to the puppet.conf:

[main]
ssl_client_ca_auth = $certdir/chain.pem


The problem I have is that the client cannot get the CRL for the intermediate CA:

Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /O=MyCompany/OU=MyUnit/CN=Puppet Clients CA]

When I try to replace /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem with a CRL generated from the self-signed Root CA, I get:

Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /CN=<puppetca_fqdn>]

My theory is that I need to provide the Puppetserver with both CRLs: one issued by the Root CA, to check whether the intermediate CA is still valid, and one issued by the intermediate CA, to check whether the client cert is still valid.

I tried concatenating both CRLs into /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem in different orders, but the Puppetserver seems to only use the first CRL found inside.

Is there a way to provide the Puppetserver with both CRLs or is the single intermediate CA architecture even supported with Puppet 4/Puppetserver?

Thanks in advance!
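
An added check, not part of the original post or of Puppet Server, that walks the chain.pem and ca_crl.pem files named in the config above and reports which CA in the chain has no CRL in the bundle. It assumes only the openssl CLI, awk and sed; the paths in the final comment are the ones from the post.

```shell
# Added example, not from the original post: checks that a concatenated CRL bundle
# holds one CRL per CA in the chain. With a single intermediate CA that means the
# CRL issued by the Root CA (covers the intermediate) plus the CRL issued by the
# intermediate (covers the client certs). Assumes only the openssl CLI, awk and sed.

# Number of PEM blocks of type $2 (CERTIFICATE or "X509 CRL") in file $1.
pem_count() { grep -c -- "-----BEGIN $2-----" "$1" || true; }

# Print PEM block number $3 of type $2 from file $1.
pem_block() {
    awk -v want="$3" -v type="$2" '
        $0 == ("-----BEGIN " type "-----") { n++ }
        n == want { print }
        n == want && $0 == ("-----END " type "-----") { exit }' "$1"
}

# RFC 2253 names of every block of type $2 in bundle $1, one per line:
# the subject of each CERTIFICATE, or the issuer of each "X509 CRL".
pem_names() {
    n=$(pem_count "$1" "$2"); i=1
    while [ "$i" -le "$n" ]; do
        if [ "$2" = CERTIFICATE ]; then
            pem_block "$1" "$2" "$i" | openssl x509 -noout -subject -nameopt RFC2253
        else
            pem_block "$1" "$2" "$i" | openssl crl -noout -issuer -nameopt RFC2253
        fi | sed 's/^[a-z]*= *//'
        i=$((i + 1))
    done
}

# For each CA certificate in chain $1, report whether CRL bundle $2 contains a
# CRL issued by it: prints "OK <name>" or "MISSING <name>", exit 1 on any miss.
crl_coverage() {
    issuers=$(pem_names "$2" "X509 CRL"); subjects=$(mktemp); missing=0
    pem_names "$1" CERTIFICATE > "$subjects"
    while IFS= read -r subject; do
        if printf '%s\n' "$issuers" | grep -Fxq -- "$subject"; then
            echo "OK $subject"
        else
            echo "MISSING $subject"; missing=1
        fi
    done < "$subjects"
    rm -f "$subjects"
    return "$missing"
}

# Paths from the post:
# crl_coverage /etc/puppetlabs/puppet/ssl/certs/chain.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
```

A "MISSING" line names the CA whose CRL the server cannot find, which is the name that appears in the "unable to get certificate CRL for ..." warning. The s_client check above does not look at CRLs at all; `openssl verify -crl_check_all -CAfile chain.pem -CRLfile ca_crl.pem <client cert>` is the matching full-chain revocation check.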

Andreas Paul

Jul 3, 2015, 6:43:48 AM
to puppet...@googlegroups.com
Found a Puppet Server bug which sounds to me like the source of my problem: https://tickets.puppetlabs.com/browse/SERVER-346