Project

General

Profile

Bug #18149

Puppet CA returns invalid certificates if using organizational units in the distinguished name

Added by Alexander Olofsson about 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Alexander Olofsson
Category:
Puppet
Target version:
1.14.1
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/smart-proxy/pull/496
Fixed in Releases:
Found in Releases:
Foreman - 1.14.0
Red Hat JIRA:

Description

When setting up MCollective for orchestration, and signing client certificates into a separate OU, like the following;

# puppet cert --list --all | grep foreman-proxy.mcollective
+ "foreman-proxy.mcollective"                 (SHA256) ...
# cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt | grep foreman-proxy.mcollective
0xffff 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective

Then the returned JSON from the CA proxy fails to concatenate the data, resulting in output like the following;

"foreman-proxy.mcollective": {
    "fingerprint": "SHA256",
    "state": "valid" 
},
"foreman-proxy.mcollective/OU=mcollective": {
    "not_after": "2022-01-17T13:08:26UTC",
    "not_before": "2017-01-17T13:08:26UTC",
    "serial": 1449
},

When this invalid data finally makes it's way up to the Foreman web-UI, then the CA smart proxy page fails to render, which ends up as an inconvenience at best.

Attached is a workaround that has been tested on our Foreman instance, and successfully proven to work around the issue.
I'm unsure if the fix is the best - or even the correct - way to solve the issue however, so going to wait for a comment or two on it before throwing up a pull request for it.

0001-Strip-OU-from-certificate-names-in-CA-inventory.patch 0001-Strip-OU-from-certificate-names-in-CA-inventory.patch 1.18 KB Alexander Olofsson, 01/19/2017 03:47 AM

Associated revisions

Revision 5bef03a0 (diff)
Added by Alexander Olofsson about 6 years ago

Fixes #18149 - Duplicates due to OU in certnames

Adds test case for certs with OU entries in their subjects.

History

#1 Updated by Dominic Cleal about 6 years ago

  • Is duplicate of Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list. added

#2 Updated by Dominic Cleal about 6 years ago

  • Status changed from New to Duplicate

Thanks for the report. This issue is currently being fixed under ticket #18040.

#3 Updated by Dominic Cleal about 6 years ago

  • Is duplicate of deleted (Bug #18040: Certificates with OU= give an error when listing smart-proxy cert list.)

#4 Updated by Dominic Cleal about 6 years ago

  • Status changed from Duplicate to New

Oh, apologies, I see now - there's a bug in the smart proxy response too. Please do open a PR for a review.

#5 Updated by The Foreman Bot about 6 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/496 added

#6 Updated by Alexander Olofsson about 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Dominic Cleal about 6 years ago

  • Assignee set to Alexander Olofsson
  • Legacy Backlogs Release (now unused) set to 210

Also available in: Atom PDF