Foreman installer sets Apache2 SSLCACertificatePath to system Trust Store
The SSLCACertificatePath of the Foreman SSL and Puppet master vhosts is set to the system trust store.
On Debian this is:
So every user of a certificate issued by one of these CAs (there are many) can successfully authenticate against this Apache installation.
By default Foreman and the Puppet master should really only trust their own CA (SSLCACertificateFile).
SSLCACertificatePath should not be set.
I verified this bug by using a valid S/MIME certificate, which I imported into my browser, and then calling the Foreman ENC.
Luckily Foreman rejected the request because my e-mail address was not listed in the trusted_puppetmaster_hosts. However, I still think this is a security bug.
The issue is caused by the defaults of the puppetlabs apache module, which turns into a problem if SSL client authentication is used.
There were also upstream pull requests against the puppetlabs module to allow unsetting this parameter, but unfortunately the default was not changed:
The Foreman Puppet modules (puppet-foreman, puppet-puppet) should explicitly unset ssl_certs_dir when configuring Apache vhosts.
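The following audit script is an added example and is not part of the bug report or of the Foreman or puppetlabs modules. It parses Apache vhost configuration text and flags every vhost that enables client certificate verification (SSLVerifyClient) while also carrying an SSLCACertificatePath, which is exactly the weak default described above. The two vhosts in SAMPLE_CONFIG are constructed for illustration: the first reproduces the default (SSLCACertificateFile plus SSLCACertificatePath /etc/ssl/certs), the second shows the recommended configuration with only SSLCACertificateFile. The function names and the sample host names are assumptions of this example.

```python
"""Audit Apache vhosts for client-auth vhosts that also trust the system CA store.

Added example; not code from the bug report or from the Foreman project.
"""
import re
from typing import Dict, List

# Constructed sample configuration (not copied from any real installation).
# Vhost 1 reproduces the weak default: SSLCACertificatePath points at the
# system trust store, so any cert from any distribution CA chains successfully.
# Vhost 2 is the hardened form: only the Puppet CA file is trusted.
SAMPLE_CONFIG = """
<VirtualHost *:443>
  ServerName foreman.example.com
  SSLEngine on
  SSLCertificateFile /var/lib/puppet/ssl/certs/foreman.example.com.pem
  SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
  SSLCACertificatePath /etc/ssl/certs
  SSLVerifyClient optional
  SSLVerifyDepth 3
</VirtualHost>

<VirtualHost *:8140>
  ServerName puppet.example.com
  SSLEngine on
  SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
  SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
  SSLVerifyClient optional
  SSLVerifyDepth 1
</VirtualHost>
"""

# Matches each <VirtualHost ...> ... </VirtualHost> block, case-insensitively.
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

# SSLVerifyClient values under which the server evaluates client certificates.
CLIENT_AUTH_MODES = ("require", "optional", "optional_no_ca")


def parse_vhosts(text: str) -> List[Dict[str, str]]:
    """Return one {directive_lowercase: value} dict per <VirtualHost> block.

    Comments are stripped; a directive repeated inside a block keeps its last value,
    which is also how Apache resolves it.
    """
    vhosts = []
    for block in VHOST_RE.findall(text):
        directives: Dict[str, str] = {}
        for raw in block.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip()
        vhosts.append(directives)
    return vhosts


def audit(text: str) -> List[str]:
    """Return a finding per vhost whose client-auth trust anchors are too broad."""
    findings = []
    for vh in parse_vhosts(text):
        name = vh.get("servername", "<unnamed vhost>")
        mode = vh.get("sslverifyclient", "none").lower()
        if mode not in CLIENT_AUTH_MODES:
            continue  # no client certs evaluated here, nothing to report
        if "sslcacertificatepath" in vh:
            findings.append(
                f"{name}: SSLVerifyClient {mode} with SSLCACertificatePath "
                f"{vh['sslcacertificatepath']}; every CA in that directory can issue "
                "an accepted client certificate. Remove SSLCACertificatePath and keep "
                "only SSLCACertificateFile pointing at the Puppet CA."
            )
        elif "sslcacertificatefile" not in vh:
            findings.append(
                f"{name}: SSLVerifyClient {mode} but no SSLCACertificateFile; "
                "client certificates cannot be verified against the Puppet CA."
            )
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a single vhost configuration file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run audit_file() over each file in /etc/apache2/sites-enabled (or /etc/httpd/conf.d) to check a live installation. One caveat: the script only inspects directives inside the vhost blocks, so an SSLCACertificatePath inherited from the server-wide SSL configuration is not detected; confirm the effective value with `apachectl -t -D DUMP_VHOSTS` and the relevant ssl.conf as well.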
#2 Updated by Markus Frosch about 4 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied in changeset puppet-foreman|08911c3a6c776462fcc1aa99103fe588b8feb365.