The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Feature #21257

Add a configuration option for the digest algorithm used by the CA to sign certificates

Added by James Perry almost 3 years ago. Updated almost 3 years ago.

Status: Needs Decision
Start date:
Priority: Normal
Due date:
Assignee: eric sorenson
% Done: 0%
Category: SSL
Target version: -
Affected Puppet version:
Branch:
Keywords: certificate_authority digest


Description

When working on ancient HPUX boxes where we are trying to install puppet, I found bug 17295 (http://projects.puppetlabs.com/issues/17295), which describes the exact problem. I have 3.1.0 running on a SUSE 11 SP2 box and so I tried to do "puppet cert generate --digest SHA1 host.com", but it still generated a SHA256.

Next I followed a suggestion in another thread that said to flip the SHA1 and SHA256 sections. I regenerated the certificate and it worked to give a SHA1, but when I ran with --digest SHA256, I still got SHA1 certificates. As another test, I ran it with --digest doggy and expected an error, but still got a SHA1 certificate.

I do not even consider myself a Ruby programmer yet, but it seems that no matter what is passed to "OpenSSL::Digest.const_defined?('SHA256')" or "OpenSSL::Digest.const_defined?('SHA1')", it always appears to assume true, so it does not really seem to be checking the value provided.

OS: SUSE 11 SP2 (Kernel 3.0.13-0.27-default)
Ruby: ruby 1.8.7 (2011-12-28 patchlevel 357) [x86_64-linux]
Puppet: 3.1.0
Facter: 1.6.17

Please let me know what additional troubleshooting I can provide or output to aid troubleshooting. My version of certificate_signer.rb (modified to make HPUX 11.11 client work on ssl 0.9.7) has SHA1 first in the if block.

Here is the verbose output when generating a new key:

puppet cert generate --digest SHA256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 69:C6:EE:E2:7F:99:A5:D5:91:F2:53:30:36:29:A2:31:39:C6:E6:DF
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

And another with --digest sha256, just in case it is a case issue.

puppet cert generate --digest sha256 test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 54:97:6A:17:18:F2:6E:D7:53:FF:39:23:B9:91:37:89:F1:64:85:4E
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

And just to illustrate that the behavior is not specific to the method, I used --digest doggy_barks_a_lot. This should invoke Puppet::Error -> "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest", but does not.

puppet cert generate --digest doggy_barks_a_lot test.com --verbose
Info: Creating a new SSL key for test.com
Info: Creating a new SSL certificate request for test.com
Info: Certificate Request fingerprint (SHA1): 7F:4F:9E:D8:82:86:92:6B:A0:78:EA:3C:7B:35:3F:79:19:34:8D:85
Notice: test.com has a waiting certificate request
Info: authstore: defaulting to no access for test.com
Notice: Signed certificate request for test.com
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/ca/requests/test.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest test.com at '/etc/puppet/ssl/certificate_requests/test.com.pem'

Due to the age of the servers and the inability to patch OpenSSL on these boxes, the SHA1 certificates are needed, but everywhere else SHA256 works fine.
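The check the report describes, beside one that actually honours the requested digest, as an added Ruby example (not Puppet's certificate_signer.rb); the function names, the ALLOWED_DIGESTS list and the throwaway self-signed certificate are assumptions for illustration:

```ruby
require 'openssl'

# Added illustration, not Puppet's certificate_signer.rb: the shape of the
# check the reporter describes, beside one that honours the requested digest.
# Function names, ALLOWED_DIGESTS and the throwaway certificate are assumed.

# Ignores its argument: every branch tests a hard-coded constant name, so
# SHA256, sha1 and doggy_barks_a_lot all get the first algorithm in the list.
def digest_ignoring_request(_requested)
  if OpenSSL::Digest.const_defined?('SHA256')
    OpenSSL::Digest::SHA256.new
  elsif OpenSSL::Digest.const_defined?('SHA1')
    OpenSSL::Digest::SHA1.new
  else
    raise 'No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest'
  end
end

ALLOWED_DIGESTS = %w[SHA256 SHA1].freeze

# Honours the request: normalise case, allow-list the name, then look up that
# constant. Unknown names raise instead of silently falling back to a default.
def digest_for(requested)
  name = requested.to_s.upcase
  unless ALLOWED_DIGESTS.include?(name) && OpenSSL::Digest.const_defined?(name)
    raise ArgumentError, "unsupported digest #{requested.inspect} (allowed: #{ALLOWED_DIGESTS.join(', ')})"
  end
  OpenSSL::Digest.const_get(name).new
end

# Self-sign a throwaway certificate with the chosen digest and return the
# signature algorithm OpenSSL recorded, the observable the reporter checked.
def sign_with(requested)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=test.com')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, digest_for(requested))
  cert.signature_algorithm # e.g. "sha256WithRSAEncryption"
end

if __FILE__ == $PROGRAM_NAME
  puts digest_ignoring_request('doggy_barks_a_lot').name # SHA256: request ignored
  puts sign_with('sha256')                               # sha256WithRSAEncryption
end
```

Running `openssl x509 -noout -text` on a signed certificate and reading its "Signature Algorithm" line is the same check from the command line.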


Related issues

Related to Puppet - Bug #17295: Puppet not honouring --digest Closed
Related to Puppet - Feature #8120: Let user change hashing algorithm, to avoid crashing on F... Code Insufficient 06/28/2011
Related to Puppet - Feature #21029: Allow control over the digest used to create CA certificates Accepted

History

#1 Updated by Charlie Sharpsteen almost 3 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Puppet 3.1.0 certificate_signer.rb not applying digest parameter correctly to Add a configuration option for the digest algorithm used by the CA to sign certificates
  • Description updated (diff)
  • Category set to SSL
  • Status changed from Unreviewed to Needs Decision
  • Assignee set to eric sorenson
  • Keywords set to certificate_authority digest

SHA256 is used by the Puppet 3.x certificate authority to sign generated certificates. This means that in order to communicate with a Puppet master running 3.x, you will need to be using OpenSSL 0.9.8o or newer. A possible workaround introduced in 3.2.1 is the ability to run an external certificate authority.

The documentation concerning the --digest option needs to be clarified. The issue is that there are at least two places where digest algorithm choice comes into play: fingerprinting existing certificates and signing generated certificates. The --digest option to puppet agent and puppet cert only affects fingerprinting existing certs.

Given that there is no user-facing method to control the digest algorithm used to sign generated certificates, I’m re-classifying this as a feature request.
