The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Feature #8465

allow SSL on reporturl

Added by Lluís Gili almost 5 years ago. Updated over 3 years ago.

Status: Closed
Start date: 07/18/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: reports
Target version: 3.0.0
Affected Puppet version: 2.7.1
Branch: https://github.com/puppetlabs/puppet/pull/445
Keywords:


Description

This patch allows using SSL on reporturl.

https://github.com/descala/puppet/commit/8313c4258e3bacac4b1a5f3e57d86a1959d9cac5


Related issues

Related to Puppet - Bug #7173: Puppet master can't submit reports to an HTTP server usin... In Topic Branch Pending Review 04/19/2011
Related to Puppet - Bug #10722: http/https report processors don't error on bad HTTP resp... Closed 11/10/2011
Related to Puppet - Bug #15430: Sending HTTP reports to a non-https reporturl still tries... Accepted 07/09/2012

History

#1 Updated by Peter Meier almost 5 years ago

Should we really disable SSL Verification by default? What is the advantage of using SSL then?

Otherwise I think it should support ssl.

#2 Updated by Lluís Gili almost 5 years ago

Shouldn’t disable verification by default; maybe allow it through a puppet.conf parameter. It can be useful if you have dashboard (or another report destination) configured to run with SSL and on the same host that the puppetmaster runs on.

#3 Updated by James Turnbull over 4 years ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Nigel Kersten

#4 Updated by Nigel Kersten over 4 years ago

  • Status changed from Needs Decision to Needs More Information

I want us to support verification.

Has this patch gone through discussion on the list?

#5 Updated by Ben Hughes over 4 years ago

  • Status changed from Needs More Information to Needs Decision
  • Branch set to https://github.com/barn/puppet/tree/8465/feature/allow_SSL_on_reporturl

Well I’ve updated the patch to support both verify and non-verify.

https://github.com/barn/puppet/commit/c441f796520e5078451f9996a95b6abca0f79479

changed commit to fix require line

#6 Updated by Nigel Kersten over 4 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee deleted (Nigel Kersten)

#7 Updated by Josh Cooper over 4 years ago

In regards to https://github.com/puppetlabs/puppet/pull/175, I think we should just be using the existing method Puppet::Network::HttpPool.http_instance(host, port) to retrieve an http connection instead of re-implementing http client logic. The http_instance method already handles things like http proxy settings, timeouts, and setting up the ssl verification.

If the report server is not the puppet master, then the report server’s root CA can be added to Puppet’s existing cert store (aka Puppet[:localcacert]). Security-wise that would mean puppet agent would not prevent an SSL connection to the report server when downloading a catalog (if it was tricked into connecting to the report server). If that is a concern, then the cert_setup method could be modified to take a trusted cacerts parameter to specify which file to use in each context (for catalogs vs reports).
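
Added example (not part of the ticket and not Puppet's code): the trust-store trade-off described in comment #7, shown with Ruby's OpenSSL and Net::HTTP. The CAs, hostnames and helper names (`make_cert`, `trust_store`, `report_http`, `demo`) are hypothetical and generated in memory; only chain verification is exercised, no connection is made.

```ruby
require 'openssl'
require 'net/http'

# Build a certificate in memory (constructed test PKI, not real Puppet certs).
def make_cert(cn, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def trust_store(*cas)
  OpenSSL::X509::Store.new.tap { |s| cas.each { |c| s.add_cert(c) } }
end

# HTTPS client for report submission: verification on, report-only trust.
# Net::HTTP.new does not open a connection.
def report_http(host, port, store)
  Net::HTTP.new(host, port).tap do |http|
    http.use_ssl     = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store  = store
  end
end

# Which contexts accept the report server's certificate?
def demo
  puppet_ca, = make_cert('puppet-ca.example.test', ca: true)
  report_ca, report_key = make_cert('report-ca.example.test', ca: true)
  server, = make_cert('reports.example.test', issuer: report_ca, issuer_key: report_key)
  shared = trust_store(puppet_ca, report_ca) # report CA added to the single store
  { shared_store_catalog_context: shared.verify(server),
    split_catalog_context: trust_store(puppet_ca).verify(server),
    split_report_context: trust_store(report_ca).verify(server),
    report_client_verify_mode: report_http('reports.example.test', 443, trust_store(report_ca)).verify_mode }
end

p demo if $PROGRAM_NAME == __FILE__
```

With a single shared store the report server's certificate also validates in the catalog context; with one store per context it validates only for report submission.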

#8 Updated by Steve Snodgrass over 4 years ago

I just ran into this limitation (inability to submit reports via https) in puppet 2.6.12 and want to throw a “me too!” into the mix. I SSL-enabled my test dashboard instance in preparation for implementing authentication on it, and my reporting broke. There are workarounds involving maintaining an http instance of the dashboard server that is only accessible locally, but they are all ugly and require much more Apache configuration than would be necessary if puppet could submit reports via HTTPS.

I know that reporting doesn’t support authentication either, but I can work around that issue much more easily than it not supporting SSL at all.

#9 Updated by Lauri Tirkkonen about 4 years ago

Josh Cooper wrote:

In regards to https://github.com/puppetlabs/puppet/pull/175, I think we should just be using the existing method Puppet::Network::HttpPool.http_instance(host, port) to retrieve an http connection instead of re-implementing http client logic. The http_instance method already handles things like http proxy settings, timeouts, and setting up the ssl verification.

New pull request https://github.com/puppetlabs/puppet/pull/445

#10 Updated by James Turnbull about 4 years ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Branch changed from https://github.com/barn/puppet/tree/8465/feature/allow_SSL_on_reporturl to https://github.com/puppetlabs/puppet/pull/445

#11 Updated by Anonymous about 4 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
  • Target version set to 3.x

Thanks for the submission. That covers everything needed, and I have merged it to Telly as requested.

#12 Updated by Wagner Sartori Junior about 4 years ago

do you know on what version this should be included?

#13 Updated by Wagner Sartori Junior about 4 years ago

I applied this pull request and I’m getting:

Mar 12 15:16:54 puppet puppet-master[18910]: Report processor failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

It runs fine applying the other pull request (#175).

#14 Updated by Anonymous about 4 years ago

Wagner Sartori Junior wrote:

do you know on what version this should be included?

It will be released with Telly, the next major version of Puppet. That is due around May 2012.

#15 Updated by Anonymous almost 4 years ago

  • Target version changed from 3.x to 3.0.0

#16 Updated by Matthaus Owens over 3 years ago

  • Status changed from Merged - Pending Release to Closed

Merged in https://github.com/puppetlabs/puppet/commit/ca50b7cd625d654265138ca07106317180ec4c04

Released in Puppet 3.0.0rc1
