Hello!

The FAQ contains an entry about autosigning:

http://reductivelabs.com/trac/puppet/wiki/FrequentlyAskedQuestions#why-shouldn-t-i-use-autosign-for-all-my-clients

It says:

> The certificate itself is stored, so two nodes could not connect with the same CN

I tried this (using 0.25.4), and actually, that doesn't seem to be correct. I was able to run puppetd on two different nodes, each with the option "--fqdn alice.mydomain.com", with autosigning enabled for "*.mydomain.com" on the server. Both nodes requested to get their individual certificates signed, and both were signed without complaints. The CA doesn't care about already signed certificates with the same CN. And yes, after this, both nodes were treated as if they were "alice.mydomain.com".

More from the FAQ:

> The problem lies in the fact that the puppetmaster does not make a 1-1 mapping between a node and the first certificate it saw for it, and hence multiple certificates can map to the same node, for example:

Yep, that seems to be true. But the following example is unnecessarily complicated. It says:

> * alice.mydomain.com connects, gets node alice { } definition.
> * bob.mydomain.com connects with CN alice.bob.mydomain.com, and also matches node alice { } definition.

This led me to believe that specifying the nodes in my manifests using fully qualified names could help, but it does not, since "bob.mydomain.com" can simply pretend to be "alice.mydomain.com" as well.

Are there any plans to improve security for autosigning, i.e. to prevent re-signing a certificate for a CN (or node) that already has a signed certificate?

Best Regards,
Claus

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2010-Mar-06 16:29 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
On Fri, Mar 5, 2010 at 2:20 PM, Claus Divossen <claus.divossen@t-online.de> wrote:
> I tried this (using 0.25.4), and actually, that doesn't seem to be correct. I was able to run puppetd on two different nodes, each with the option "--fqdn alice.mydomain.com", with autosigning enabled for "*.mydomain.com" on the server. Both nodes requested to get their individual certificates signed, and both were signed without complaints. The CA doesn't care about already signed certificates with the same CN. And yes, after this, both nodes were treated as if they were "alice.mydomain.com".

Did both nodes actually show the same value for 'certname' however? And that's definitely the CN for both certs when you inspect them?

> [...]

--
nigel
Claus Divossen
2010-Mar-06 23:26 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
Hello,

> Did both nodes actually show the same value for 'certname' however? And that's definitely the CN for both certs when you inspect them?

Yes, when I check the certs with openssl, the CNs of the certs are identical, although the cert keys are not. I also see "Compiled catalog for alice.mydomain.com" in the puppetmaster log for the runs of both nodes, and manifests for alice.mydomain.com are applied to both nodes.

The CA simply overwrites the old certificate when the second node shows up with a new cert request. And the puppetmaster doesn't care about the stored certificates anyway. When each node presents its cert to the server, the cert itself contains the signature that will be cryptographically validated and the puppetmaster accepts it when this test is passed.

Regards,
Claus

On Sat, 2010-03-06 at 08:29 -0800, Nigel Kersten wrote:
> [...]
Nigel Kersten
2010-Mar-07 01:45 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
On Sat, Mar 6, 2010 at 3:26 PM, Claus Divossen <claus.divossen@t-online.de> wrote:
> The CA simply overwrites the old certificate when the second node shows up with a new cert request. And the puppetmaster doesn't care about the stored certificates anyway. When each node presents its cert to the server, the cert itself contains the signature that will be cryptographically validated and the puppetmaster accepts it when this test is passed.

That's not true for 0.24.x.

If cert "foo" exists (the public cert on the CA) and someone else requests "foo", the second autosign will fail.

Claus, this is a huge bug if you've confirmed it.

> [...]

--
nigel
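As an added illustration of the two CA behaviours discussed above, the overwrite that Claus observed on 0.25.4 and the "second autosign will fail" check Nigel describes for 0.24.x, here is a toy CA written for this page (not Puppet's own code; ToyCA, make_csr, run_scenario and the strict flag are made-up names). It builds real CSRs with Ruby's OpenSSL bindings, matches the CN against autosign.conf-style glob patterns, and in strict mode refuses to sign a CN that already holds a certificate under a different key.

```ruby
require 'openssl'

# Toy model of a Puppet-style CA with autosigning (example code, not Puppet's).
# Signed certs are indexed by CN, as in the thread; `strict: true` is the
# hypothetical fix: refuse to re-sign a CN already issued under another key.
class ToyCA
  attr_reader :signed

  def initialize(autosign_patterns, strict: false)
    @patterns = autosign_patterns # glob patterns, as in autosign.conf
    @strict   = strict
    @signed   = {}                # CN => SHA-256 fingerprint of the public key
  end

  # Returns :signed, :refused_pattern or :refused_duplicate.
  def autosign(csr)
    raise ArgumentError, 'CSR self-signature invalid' unless csr.verify(csr.public_key)
    cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }[1]
    return :refused_pattern unless @patterns.any? { |p| File.fnmatch(p, cn) }
    fp = OpenSSL::Digest::SHA256.hexdigest(csr.public_key.to_der)
    # The same host re-requesting with its own key is fine. A different key
    # under an existing CN is the reported case: lax mode silently overwrites,
    # strict mode refuses until an operator clears the stale entry.
    return :refused_duplicate if @strict && @signed.key?(cn) && @signed[cn] != fp
    @signed[cn] = fp
    :signed
  end
end

# Build a CSR for a CN with a fresh key, standing in for one puppetd host.
def make_csr(cn, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Scenario from the thread: two distinct hosts both claim alice.mydomain.com,
# then a host outside the autosign pattern asks to be signed.
def run_scenario(strict:)
  ca = ToyCA.new(['*.mydomain.com'], strict: strict)
  [ca.autosign(make_csr('alice.mydomain.com')),
   ca.autosign(make_csr('alice.mydomain.com')), # second host, different key
   ca.autosign(make_csr('bob.otherdomain.com'))]
end

puts "lax:    #{run_scenario(strict: false).inspect}" # => [:signed, :signed, :refused_pattern]
puts "strict: #{run_scenario(strict: true).inspect}"  # => [:signed, :refused_duplicate, :refused_pattern]
```

Because the master only checks that the presented cert carries a valid CA signature, the lax CA's second :signed is what lets the second host be treated as alice.mydomain.com; the strict CA closes that at signing time.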
Claus Divossen
2010-Mar-07 15:23 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
Hi!

> Claus, this is a huge bug if you've confirmed it.

So, this behaviour is not intentional? Well, that explains a lot.

Just to be sure, I just made a third node pretend to be alice.mydomain.com, and again, the new cert got signed from the CA.

Can anyone else confirm this behaviour for 0.25.4?

Regards,
Claus

On Sat, 2010-03-06 at 17:45 -0800, Nigel Kersten wrote:
> [...]
Peter Meier
2010-Mar-07 15:41 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
Hi

> So, this behaviour is not intentional? Well, that explains a lot.
>
> Just to be sure, I just made a third node pretend to be alice.mydomain.com, and again, the new cert got signed from the CA.
>
> Can anyone else confirm this behaviour for 0.25.4?

Well I assume this is due to: http://projects.reductivelabs.com/issues/2890

:( :(

I didn't foresee the problem with autosign, as I only add hosts to be autosigned for a very short time with their full fqdn.

If you think this matches, can you add your notes to that ticket? Thanks.

cheers pete
Claus Divossen
2010-Mar-07 16:13 UTC
Re: [Puppet Users] About autosigning and the FAQ entry
Oh, I think that's a hit. I just added my comments and reopened that issue.

Regards,
Claus

On Sun, 2010-03-07 at 16:41 +0100, Peter Meier wrote:
> Well I assume this is due to: http://projects.reductivelabs.com/issues/2890
>
> [...]