Displaying 20 results from an estimated 300 matches similar to: "Announce: Puppet 2.6.12 Available [security update]"
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
Puppet 2.7.8rc1 is available. 2.7.8rc1 contains everything that was
being previewed in the 2.7.7rc series as well as some new content.
Key highlights in this release (beyond items from 2.7.7rc series) are:
* Allow providers to be selected in the run they become suitable
* Showdiff is now not auto-enabled when running in noop mode
* Provide default subjectAltNames while bootstrapping
2011 Oct 24
3
Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”)
whereby a malicious attacker can impersonate the Puppet master using
credentials from a Puppet agent node. This vulnerability cannot cross
Puppet deployments, but it can allow an attacker with elevated
privileges on one Puppet-managed node to gain control of any other
Puppet-managed node within the same infrastructure.
All
2007 Oct 10
17
Warning for Fedora Core users
Fedora Core 7 has just updated their Ruby package (was 1.8.6.36-3.fc7,
is now 1.8.6.110-3.fc7), and the upgrade broke my Puppet installation,
and there was a similar report from someone else.
Communications between the puppetmasterd and the puppetd running on
the same host broke down with the message:
Could not retrieve configuration: Certificates were not trusted: hostname
not match with
2010 Nov 04
0
certdnsnames question
Hi All
Apologies if this is obvious, but I'm a bit flaky around SSL certificates.
NB puppet version 0.25.5
We use the brilliant feature of certificates where you can have Alternate
DNS names for a certificate which is manifested in the puppet master config
file as certdnsnames. All our clients connect to puppet-$
location.example.com, and if $location is down, we can point the CNAME to
2009 Jun 24
1
puppetrun and certs - CA certdnsnames?
Hi,
I'm rolling out a new Puppet install and am having some problems with
certs. I've googled and read the docs but can't find anything.
Almost all boxes on the network are dual-homed, with a primary network
(VLAN, /27 subnet) for public data and an admin/management network for
backups and other backend stuff. All hosts have a primary interface on
the main network (and
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
I'm running a two headed puppetmaster and have disabled crl's. Let's
call them the primary and the secondary. The primary and secondary
both use the primary as their master. The secondary only is used when
the primary isn't responding (I wrap the puppetd call in cron with a
short shell script)
I'm managing these ca files on the masters, pushing
2009 Apr 20
2
CA different than hostname?
I'm trying to setup a puppetmaster, and I've got a couple of questions.
The first, is a design question. Since I expect to eventually have
multiple puppetmaster servers, I'd like to name this one to be named
puppet1.example.com. But I'd like my clients to connect via a cname as
puppet.example.com. Is this pretty standard? Is there some more common
way?
2012 Apr 09
1
Username from rfc822Name subject alternative name
Hello,
I'm looking into adding support for extracting the username from client
certificate's rfc822Name (from the subjectAltName extension).
The question I have is what would be the best approach to do this?
Current implementation has a kind of clean code since it just goes
through the subject name, extracting the values with
X509_NAME_get_text_by_NID (while NID is obtained with
2012 Aug 21
3
mcollective getaddrinfo: Name or service not known
I'm getting these errors when running 'puppet agent --test' after doing a
new installation of an agent:
err:
/Stage[main]/Pe_mcollective::Plugins/File[/opt/puppet/libexec/mcollective/mcollective/security/sshkey.rb]/content:
change from {md5}512f42272699eaa085c83d2cc67c27ea to
{md5}8fa3e9125fd917948445e3d2621d40e5 failed: Could not back up
2011 Apr 06
4
SSL issues: Separate CA, multiple load balanced masters
Hi,
I've been at it for about 4 days now and I just can't figure it out.
I'm getting the following error when running puppet agent on my
masters: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed
At startup, I'm running ntpdate (I've read in a lot of places that
this error occurs when date between servers
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
2011 Jan 18
3
Failed SSL with CNAME'd puppetserver
Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
to balance over some 10 puppetmaster processes. The configured
SSLCertificateFile in Apache is that of puppet-new.domain
How do I get a node to stop complaining when connecting to
puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
2023 Mar 05
1
icecast https stream and Sonos
My icecast https stream (https://vertenradio.com:8443/stream) does not work on a Sonos ONE player.
It might have something to do with the ssl handshake.
From the developer page from sonos i found this:
Some common reasons for SSL handshake failures include:
* Expired certificate: Every certificate has a validity window before it expires. You need to present Sonos with unexpired
2017 Oct 12
1
SSL overview...
I thought I read somewhere that the hostnames on replicated dovecot servers had to be different. Is this simply the hostname you specify in the config for dovecot and can this be different than the actual unix hostname?
Ethon B.
> On Oct 11, 2017, at 11:04 PM, Anvar Kuchkartaev <anvar at anvartay.com> wrote:
>
> If you are using a different hostname for each server then you need
2017 Oct 12
0
SSL overview...
If you are using a different hostname for each server then you need different certificates or a SAN certificate with corresponding subjectAltName extensions. Certificates verify the hostname, so if your hostnames are different then you have to use different certificates. However it is more useful if you keep your server hostname and service hostname separate. Your server hostnames might be
2012 Feb 11
0
[LLVMdev] (MC) <target>RegisterInfo.td: alternate register names
Folks, Please confirm or correct the following assertions:
In Target.td one of the data member fields for class Register is list<string> AltNames.
If this is for alternate names for a given register (in Mips $28 and $gp are the same) it would be quite useful for the llvm-mc assembler which has to handle cases where there are multiple names for the same register.
A quick recursive grep
2016 Jun 14
1
Need help with upssched
Sorry, but when I reply to the list it's been moderated and there's no answer.
My last message doesn't even appear on
http://lists.alioth.debian.org/pipermail/nut-upsuser/2016-June/010182.html
The command line works fine and it gave:
* Hostname was NOT found in DNS cache
* Trying 212.27.40.200...
* Connected to smsapi.free-mobile.fr (212.27.40.200) port 443 (#0)
* successfully set certificate
2020 Jan 22
1
Memory error in the libcurl connection code
Hi All,
I think there is a memory error in the libcurl connection code that
typically happens when libcurl reads big chunks of data. This
potentially affects all code that use url() with the libcurl download
method, which is the default in most builds. In practice it tends to
happen more with HTTP/2 and if the connection is wrapped into a
gzcon(). macOS Catalina has a libcurl build with HTTP/2
2011 Jul 08
2
Puppetmaster setup with separate CA server configuration help
Hi All,
I am setting up puppetmaster with nginx and passenger and separating
the Puppetmaster primary CA server. I have 3 host
loadbalancer01 - Nginx doing LB on IP address and also running
puppetmaster with passenger under 127.0.0.1 (port 8140).
primaryca - Puppetmaster Primary CA
pclient - Puppet Client
The did the following steps:
On Primary CA server:
----------------------------
cd
2007 Dec 08
6
Creating certificates with puppetca with puppet.example.com as CommonName
Greetings!
As you undoubtedly know, the fixes for CVE 2007-5162 in ruby break
installations where puppetca has created certificates with a CommonName
different from the server's real hostname. The Puppet clients quite correctly
complain about hostname mismatch.
A number of better and worse solutions have been suggested for this problem,
especially in ticket #896. IMHO, there are two good