Bug #18149

Puppet CA returns invalid certificates if using organizational units in the distinguished name

Added by Alexander Olofsson 6 months ago. Updated 6 months ago.

Status:Closed
Priority:Normal
Assigned To:Alexander Olofsson
Category:Puppet
Target version:-
Difficulty:
Bugzilla link:
Found in release:1.14.0
Pull request:https://github.com/theforeman/smart-proxy/pull/496
Story points:-
Velocity based estimate:-
Release:1.14.1
Release relationship:Auto

Description

When setting up MCollective for orchestration, and signing client certificates into a separate OU, like the following;

# puppet cert --list --all | grep foreman-proxy.mcollective
+ "foreman-proxy.mcollective"                 (SHA256) ...
# cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt | grep foreman-proxy.mcollective
0xffff 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective

Then the returned JSON from the CA proxy fails to concatenate the data, resulting in output like the following;

"foreman-proxy.mcollective": {
    "fingerprint": "SHA256",
    "state": "valid" 
},
"foreman-proxy.mcollective/OU=mcollective": {
    "not_after": "2022-01-17T13:08:26UTC",
    "not_before": "2017-01-17T13:08:26UTC",
    "serial": 1449
},

When this invalid data finally makes its way up to the Foreman web-UI, then the CA smart proxy page fails to render, which ends up as an inconvenience at best.

Attached is a workaround that has been tested on our Foreman instance, and successfully proven to work around the issue.
I'm unsure if the fix is the best - or even the correct - way to solve the issue however, so going to wait for a comment or two on it before throwing up a pull request for it.

0001-Strip-OU-from-certificate-names-in-CA-inventory.patch (1.18 KB) Alexander Olofsson, 01/19/2017 03:47 AM
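
The split record described in the report can be reproduced, and avoided, by keying inventory rows on the CN alone rather than on the whole subject string. The Ruby below is an added example, not the attached patch or smart-proxy's own code; the function names, the fingerprint and the serial are assumptions made for illustration.

```ruby
# Constructed sample input modelled on the two command outputs in the report;
# the fingerprint and serial are made-up values.
CERT_LIST = <<~OUT
  + "foreman-proxy.mcollective" (SHA256) AA:BB:CC:DD
OUT
INVENTORY = <<~OUT
  0x05a9 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective
OUT

# Extract the CN from a slash-separated subject, ignoring any other RDNs
# (OU, O, ...) and their order. Assumes RDN values contain no '/'.
def certname_from_subject(subject)
  rdns = subject.split('/').reject(&:empty?).map { |rdn| rdn.split('=', 2) }
  cn = rdns.find { |key, _value| key == 'CN' }
  cn && cn[1]
end

# Parse `puppet cert --list --all` lines into { certname => attributes }.
# Only the "+" => "valid" mapping is taken from the report.
def parse_cert_list(text)
  text.each_line.with_object({}) do |line, certs|
    m = line.match(/\A\s*([+-])?\s*"([^"]+)"\s+\((\w+)\)\s+(\S+)/)
    next unless m
    certs[m[2]] = { 'state' => m[1] == '+' ? 'valid' : 'unknown', 'fingerprint' => m[4] }
  end
end

# Merge inventory.txt rows into the parsed list. With strict: false the name
# is everything after "/CN=", which yields the split keys seen in the report.
def merge_inventory(certs, inventory, strict: true)
  inventory.each_line.with_object(certs.transform_values(&:dup)) do |line, out|
    serial, not_before, not_after, subject = line.split(' ', 4)
    next unless subject
    subject = subject.strip
    name = strict ? certname_from_subject(subject) : subject.sub(%r{\A/CN=}, '')
    next unless name
    (out[name] ||= {}).merge!('serial' => serial.hex, 'not_before' => not_before,
                              'not_after' => not_after)
  end
end

if $PROGRAM_NAME == __FILE__
  certs = parse_cert_list(CERT_LIST)
  puts merge_inventory(certs, INVENTORY, strict: false).keys.inspect
  puts merge_inventory(certs, INVENTORY).inspect
end
```

With `strict: false` the result has two keys for one certificate, matching the JSON in the report; the default path yields a single merged entry.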

Associated revisions

Revision 5bef03a0
Added by Alexander Olofsson 6 months ago

Fixes #18149 - Duplicates due to OU in certnames

Adds test case for certs with OU entries in their subjects.

History

#1 Updated by Dominic Cleal 6 months ago

  • Duplicates Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list. added

#2 Updated by Dominic Cleal 6 months ago

  • Status changed from New to Duplicate

Thanks for the report. This issue is currently being fixed under ticket #18040.

#3 Updated by Dominic Cleal 6 months ago

  • Duplicates deleted (Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list.)

#4 Updated by Dominic Cleal 6 months ago

  • Status changed from Duplicate to New

Oh, apologies, I see now - there's a bug in the smart proxy response too. Please do open a PR for a review.

#5 Updated by The Foreman Bot 6 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/496 added

#6 Updated by Alexander Olofsson 6 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Dominic Cleal 6 months ago

  • Assigned To set to Alexander Olofsson
  • Release set to 1.14.1
