Hello Puppet Users,
I have encountered an interaction problem between the Puppet CA and Apache
mod_ssl, when the Puppet CA configuration files are moved.
By default Puppet CA and the Puppet client share the same location for their
configuration files, $vardir/ssl. If this is changed so that they use
different directories, and Apache mod_ssl is being used like in the Mongrel
configuration, then the Puppet client which runs on the same host as Puppet CA
will be unable to authenticate, with the following message in the Apache httpd
error log:
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
I suspect that what has happened is that the client's and CA's certificates
have the same Subject, the fqdn of the host, and when mod_ssl attempts to
verify the signature on the CRL, it uses the client's certificate, which of
course fails, and doesn't bother to try the CA's certificate specified in its
configuration file. This same issue was brought up on the mod_ssl mailing list
5 years ago, with no further discussion:
http://www.mail-archive.com/modssl-users@modssl.org/msg14310.html
I have not examined the mod_ssl code to be certain that this is in fact the
problem.
However, I have come up with a way of dealing with the problem: I made changes
to the puppetca code to provide a configuration parameter allowing the Subject
of the CA certificate to be specified. I preferred to keep the Subject of the
clients' certificates intact, because they are much more useful. I include a
patch below.
I am happy to document this on the Wiki, if someone could suggest an
appropriate location.
Hoping this helps someone out there,
Alex
--- configuration.rb-orig 2007-11-01 21:19:47.000000000 -0400
+++ configuration.rb 2007-11-01 21:03:27.000000000 -0400
@@ -136,6 +136,8 @@
Puppet.setdefaults(:ssl,
:certname => [fqdn, "The name to use when handling
certificates. Defaults
to the fully qualified domain name."],
+ :caname => [fqdn, "The name used for the CA certificate.
Defaults
+ to the fully qualified domain name."],
:certdir => ["$ssldir/certs", "The certificate
directory."],
:publickeydir => ["$ssldir/public_keys", "The public
key directory."],
:privatekeydir => { :default => "$ssldir/private_keys",
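Review bot: the default for the new setting, `+ :caname => [fqdn, ...`, is the same fqdn that `:certname` defaults to in the line just above it, so with the defaults the CA certificate and the local client certificate still get an identical Subject and the CRL verification failure this patch is meant to address is unchanged unless the user knows to override it. Either give `:caname` a default that is distinct from the host name, or extend the description to say that it must be set to something other than `:certname` on a host that runs both the CA and a client, so that the reason for the setting is visible to anyone reading the generated configuration reference.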
--- sslcertificates/ca.rb-orig 2007-11-01 21:28:32.000000000 -0400
+++ sslcertificates/ca.rb 2007-11-01 21:28:47.000000000 -0400
@@ -142,13 +142,8 @@
# Create the root certificate.
def mkrootcert
- # Make the root cert''s name the FQDN of the host running the
CA.
- name = Facter["hostname"].value
- if domain = Facter["domain"].value
- name += "." + domain
- end
cert = Certificate.new(
- :name => name,
+ :name => Puppet[:caname],
:cert => @config[:cacert],
:encrypt => @config[:capass],
:key => @config[:cakey],
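Review bot: `mkrootcert` now takes the name straight from `Puppet[:caname]` with no check that it differs from `Puppet[:certname]`; since both default to the fqdn, a CA created with the defaults reproduces the same-Subject collision silently. A warning before `Certificate.new` when the two values are equal (a hard error would break the default single-directory setup, which the message says works) would make the failure mode discoverable from the CA side rather than from the httpd error log. The explanatory comment `# Make the root cert's name the FQDN of the host running the CA.` was also removed without a replacement; a one-line comment saying that the name comes from the `caname` setting, and that because this code only runs when the root certificate is created, changing the setting later does not rename an existing CA certificate, would keep the function self-describing.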
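The following POSIX shell script is an added example, not part of Alex's message or of Puppet's code. It reproduces the situation the message describes with plain openssl: a self-signed CA certificate and a client certificate issued by that CA are given the same Subject (the host's fqdn), the CA issues a CRL, and the CRL signature is then checked against each certificate in turn. `openssl crl -CAfile` locates the issuer certificate by matching the CRL's Issuer against the Subjects in the file and verifies the signature with whatever certificate that lookup returns, which is the kind of Subject-keyed lookup the message suspects mod_ssl is doing. The host name puppet.example.com, the file names under the temporary directory, and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Puppet): build a CA and a
# client certificate with the same Subject, issue a CRL from the CA, and show
# that verifying the CRL against the client certificate fails while verifying
# it against the CA certificate succeeds. Host name and paths are assumptions.
set -u

CN=${CN:-puppet.example.com}   # assumed fqdn shared by CA and client

# Create ca.pem/ca.key, client.pem/client.key (same Subject, signed by the CA)
# and crl.pem (signed by the CA key) under directory $1.
build_same_subject_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed CA whose Subject is the host fqdn, as puppetca did by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$CN" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Client certificate carrying the *same* Subject, issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$CN" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
    # Minimal config so that 'openssl ca -gencrl' can issue an (empty) CRL.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Verify CRL $1 using only the certificate(s) in $2 as candidate issuers.
# 'openssl crl -CAfile' picks the issuer by Subject name and checks the CRL
# signature with that certificate's public key; it reports the outcome on
# stderr as "verify OK" or "verify failure", which this function echoes.
verify_crl_with() {
    if openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; then
        echo "verify OK"
    else
        echo "verify failure"
    fi
}

# Demo: the two certificates share a Subject, but only the CA key signed the CRL.
work=$(mktemp -d)
build_same_subject_pki "$work"
echo "CA subject:         $(openssl x509 -in "$work/ca.pem" -noout -subject)"
echo "Client subject:     $(openssl x509 -in "$work/client.pem" -noout -subject)"
echo "CRL vs CA cert:     $(verify_crl_with "$work/crl.pem" "$work/ca.pem")"
echo "CRL vs client cert: $(verify_crl_with "$work/crl.pem" "$work/client.pem")"
```

The example verifies against each certificate separately on purpose: when both certificates sit in one trust file, which of two same-Subject entries a Subject-keyed lookup returns depends on the store's internal ordering, so the clean way to show the failure is to hand the verifier only the client certificate and watch the signature check fail.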