The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:
Allow control over the digest used to create CA certificates
|Affected Puppet version:||3.2.1||Branch:|
|Keywords:||sha256 openssl digest solaris|
If the puppet master uses SHA256 as digest on the CA cert then agents with older versions of openssl will not be able to verify the CA Cert. Making it impossible for OS such as Solaris 10 to connect to a master running on Solaris 11.
So far have I not found any method of downreving digest algorithm to SHA1 except for reissue the certs with openssl directly.
Master: # digest -a md5 ca.pem agent.pem (ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c (agent.pem) = 559cb7ddf565340ddf802670cc68cf53 # openssl verify -CAfile ca.pem agent.pem agent.pem: OK # openssl x509 -text -noout -in ca.pem | grep Signature Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption # openssl version OpenSSL 1.0.0j 10 May 2012 Agent: # digest -a md5 ca.pem agent.pem (ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c (agent.pem) = 559cb7ddf565340ddf802670cc68cf53 # openssl verify -CAfile ca.pem agent.pem agent.pem: /CN=agent error 7 at 0 depth lookup:certificate signature failure # openssl x509 -text -noout -in ca.pem | grep Signature Signature Algorithm: 1.2.840.1135188.8.131.52 Signature Algorithm: 1.2.840.1135184.108.40.206 # openssl version OpenSSL 0.9.7d 17 Mar 2004
#1 Updated by Charlie Sharpsteen almost 3 years ago
- Status changed from Unreviewed to Needs More Information
- Assignee set to Jan Örnstedt
According to the OpenSSL documentation, http://www.openssl.org/docs/ssl/SSL_library_init.html#NOTES, support for SHA256 digests was enabled by default in versions 0.9.8o and 1.0.0a. The earliest OpenSSL version I could find SHA256 algorithm implementations was 0.9.7f —– but these are not enabled by default.
On Solaris 10 the official SUN OpenSSL package is 0.9.7d which is too old for SHA256. The CSW OpenSSL package provides 0.9.8x which is new enough.
Jan, which version of Ruby are you using to run Puppet on Solaris 10? Is there a reason you cant use the CSW Ruby which is built against a newer version of OpenSSL?
#2 Updated by Jan Örnstedt almost 3 years ago
- Assignee changed from Jan Örnstedt to Charlie Sharpsteen
I compile my own version of Ruby and package it. We do not prefer to replace all system libraries for new as we have a support agreement with Oracle. We do not bring in third party packages.
# ruby --version ruby 1.8.7 (2011-06-30 patchlevel 352) [i386-solaris2.10]
Be aware that this also affects the ticket #17295. My suggestion would be that there is someway to configure the CA to use only SHA1 in case you have older agents. I do NOT suggest that we should default to SHA256.
A FAQ entry regarding the issue and a config option to select SHA1 incase your environment is affected by this. I possibly should be mentioned in the install instruction so you don’t have to reissue all certs when you are far into the implementation.
#3 Updated by Charlie Sharpsteen almost 3 years ago
- Tracker changed from Bug to Feature
- Subject changed from SHA256 as digest is not compatible with older versions of openssl to Allow control over the digest used to create CA certificates
- Status changed from Needs More Information to Accepted
- Assignee deleted (
- Priority changed from Normal to Low
Jan, thanks for the additional details—-I’m reclassifying this as a feature request because there hasn’t been any documented configuration setting for the CA cert digest.
I can certainly understand the desire to keep as much infrastructure as possible under the coverage of your support agreement with oracle. I also understand that 2.7.x Puppet Masters used SHA1 for the CA cert digest and 3.x masters have switched to SHA2. However, the real root of the issue is that OpenSSL 0.9.7d is 9 years old and the SUNWopenssl package may be the singular case among our supported platforms where the SSL library is this old. We include a build of 0.9.8x in our Solaris 10 Puppet Enterprise packages for this very reason and will be updating the installation guide to reflect these expectations.
We would gladly review a pull request that implements exposing the CA cert digest as a configuration option but are unlikely to investigate this feature ourselves as long as the driving need is support for outdated SSL libraries.
#4 Updated by Charlie Sharpsteen almost 3 years ago
I should also mention that Puppet 3.2.1 introduced support for plugging into external CA systems. This feature could be used to sidestep the problem at hand. A guide to supported CA configurations and how to set them up can be found here:
#5 Updated by Mark Barry over 2 years ago
I have come across a similar problem where the puppet master is Linux (Linux pmaster 2.6.18-348.18.1.el5 #1 SMP Fri Sep 6 12:37:18 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux) and some agents are running on Solaris 10 (SunOS pagent 5.10 Generic_148888-01 sun4v sparc sun4v).
The work around that I used was to initially create the puppet master on a solaris host, then copy the ssl directory across to the linux host. Solaris: puppet master —certname pmaster.domain.name —confdir /var/tmp/pm —no-daemonize —debug —vardir /var/tmp cd /var/tmp /usr/sfw/bin/gtar zcf ssl.tgz ssl Linux: cd [confdir] gtar zxf /var/tmp/ssl.tgz puppet master —confdir [confdir] —no-daemonize —debug
Restarting the “puppet agent” initialisation process then produces usable certificates on the solaris hosts
Further host information Solaris openssl: /usr/sfw/bin/openssl version OpenSSL 0.9.7d 17 Mar 2004 Linux openssl: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008