Bug #18149

closed

Puppet CA returns invalid certificates if using organizational units in the distinguished name

Added by Alexander Olofsson over 7 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Category: Puppet

Description

When setting up MCollective for orchestration, and signing client certificates into a separate OU, like the following:

# puppet cert --list --all | grep foreman-proxy.mcollective
+ "foreman-proxy.mcollective"                 (SHA256) ...
# cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt | grep foreman-proxy.mcollective
0xffff 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective

Then the returned JSON from the CA proxy fails to concatenate the data, resulting in output like the following:

"foreman-proxy.mcollective": {
    "fingerprint": "SHA256",
    "state": "valid" 
},
"foreman-proxy.mcollective/OU=mcollective": {
    "not_after": "2022-01-17T13:08:26UTC",
    "not_before": "2017-01-17T13:08:26UTC",
    "serial": 1449
},

When this invalid data finally makes its way up to the Foreman web-UI, then the CA smart proxy page fails to render, which ends up as an inconvenience at best.

Attached is a workaround that has been tested on our Foreman instance, and successfully proven to work around the issue.
I'm unsure if the fix is the best - or even the correct - way to solve the issue however, so going to wait for a comment or two on it before throwing up a pull request for it.
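
The key mismatch described in this report, as an added Ruby example that is not part of the original ticket and is not smart-proxy's code or the attached workaround: it indexes inventory.txt entries by CN alone so they merge with the certificate list under one key. The sample data, the regular expressions and all function names are assumptions made for the illustration.

```ruby
# Added illustration; not code from smart-proxy. Inventory line layout follows
# the report: <serial hex> <not_before> <not_after> <subject DN>
INVENTORY_LINE = %r{\A(0x\h+)\s+(\S+)\s+(\S+)\s+(/.+)\z}

# Constructed sample data (serial chosen to match the 1449 shown in the report).
SAMPLE_INVENTORY = <<~TXT
  0x05a9 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective
  0x05aa 2017-01-18T09:00:00UTC 2022-01-18T09:00:00UTC /CN=node1.example.com
TXT
SAMPLE_LISTED = {
  'foreman-proxy.mcollective' => { 'fingerprint' => 'SHA256', 'state' => 'valid' },
  'node1.example.com'         => { 'fingerprint' => 'SHA256', 'state' => 'valid' }
}.freeze

# Hypothetical greedy extraction: takes everything after /CN=, so a trailing
# /OU=... becomes part of the name, as in the second JSON key of the report.
def greedy_cn(subject)
  subject[%r{/CN=(.*)}, 1]
end

# Split "/CN=a/OU=b" into [attribute, value] pairs. A "/" only ends a value
# when it is followed by "<attribute>=", so slashes inside values survive.
def subject_rdns(subject)
  subject.split(%r{/(?=[A-Za-z0-9.]+=)}).reject(&:empty?).map { |rdn| rdn.split('=', 2) }
end

# Index inventory entries by CN alone; lines that do not parse are skipped.
def parse_inventory(text)
  text.each_line.with_object({}) do |line, certs|
    m = INVENTORY_LINE.match(line.strip) or next
    cn = subject_rdns(m[4]).find { |attr, _| attr.casecmp?('CN') }&.last or next
    certs[cn] = { 'serial' => m[1].hex, 'not_before' => m[2], 'not_after' => m[3] }
  end
end

# Merge state/fingerprint data with inventory data under one key per certificate.
def merge_cert_data(listed, inventory_text)
  inventory = parse_inventory(inventory_text)
  listed.to_h { |name, info| [name, info.merge(inventory.fetch(name, {}))] }
end
```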



Actions #1

Updated by Dominic Cleal over 7 years ago

  • Is duplicate of Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list. added
Actions #2

Updated by Dominic Cleal over 7 years ago

  • Status changed from New to Duplicate

Thanks for the report. This issue is currently being fixed under ticket #18040.

Actions #3

Updated by Dominic Cleal over 7 years ago

  • Is duplicate of deleted (Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list.)
Actions #4

Updated by Dominic Cleal over 7 years ago

  • Status changed from Duplicate to New

Oh, apologies, I see now - there's a bug in the smart proxy response too. Please do open a PR for a review.

Actions #5

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/496 added
Actions #6

Updated by Alexander Olofsson over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #7

Updated by Dominic Cleal over 7 years ago

  • Assignee set to Alexander Olofsson
  • Translation missing: en.field_release set to 210