Puppet: System Administration Automated

Ticket #1168 (assigned defect)

Opened 9 months ago

Last modified 8 months ago

Master-side client certificates convert hostnames to lowercase

Reported by: mikebrittain
Assigned to: luke (accepted)
Priority: normal
Milestone: 0.24.5
Component: unknown
Version: 0.22.4
Severity: normal
Keywords:
Cc:
Triage Stage: Accepted
Attached Patches: None
Complexity: Trivial

Description (Last modified by luke)

I'm trying to use master-side certificate generation with hosts at Amazon's EC2 service. Internal hostnames there use mixed-case names:

  domU-12-31-12-34-56-78.compute-1.internal

Note the "U" is upper-case.

I build a set of certificates for this client:

  puppetca --generate domU-12-31-12-34-56-78.compute-1.internal

Resulting files are:

  ./private_keys/domu-12-31-12-34-56-78.compute-1.internal.pem
  ./certs/domu-12-31-12-34-56-78.compute-1.internal.pem
  ./ca/signed/domu-12-31-12-34-56-78.compute-1.internal.pem

Note all lower-case "u"s in "domu".

When I put these onto the puppet client, they are mis-matched between hostname and filenames. The client (when started) ends up creating new keys with mixed-case names next to the versions that were copied from the Puppet master server:

  -rw------- 1 root root domU-12-31-12-34-56-78.compute-1.internal.pem
  -r-------- 1 root root domu-12-31-12-34-56-78.compute-1.internal.pem

It's very possible this is invalid. I don't know the specs surrounding certificate generation.

Change History

04/03/08 12:27:43 changed by jamtur01

  • owner changed from community to luke.
  • complexity changed from Unknown to Trivial.
  • stage changed from Unreviewed to Accepted.

Yes - the :generate mode (and the other puppetca modes) do:

  if [:verify, :print, :generate, :clean, :revoke, :list].include?(mode)
      hosts = ARGV.collect { |h| h.downcase }
  end

This downcases all the hostnames. Easy enough to change but I am not sure why it is downcased.

Luke?

04/03/08 17:38:31 changed by luke

DNS is case insensitive:

http://www.rfc-archive.org/getrfc.php?rfc=4343

Not the best link, but sufficient evidence.

The real fix here is to find the place that does *not* downcase the hostname.

04/03/08 18:19:01 changed by mikebrittain

Right, I assumed that case should be insensitive, and I'm all for normalizing the filenames for certs per host... i.e. all lowercase.

So as I understand it, when the master server receives a request from the client, the master needs to downcase the incoming hostname before checking for the signed cert.

FWIW, the hostnames are stored in mixed-case in the /var/lib/puppet/ssl/ca/inventory.txt for my installation.

I also see a mixed case csr_domu-12-31-12-34-56-78.compute-1.internal.pem file in /var/lib/puppet/ssl. I don't know for certain whether that's from the incoming certificate request, or whether it's from a master-side generated cert.

04/03/08 18:20:50 changed by luke

It's from the incoming request.

Sounds like we're about to get another bug filed by martha related to consistent node names, so I think the right approach is to start using the Node class as a way to canonize node names.

Once martha's bug is filed, we'll see what makes the most sense in terms of consolidating them.
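
An added example, not part of the ticket and not Puppet's code: it replays the mismatch discussed above against an in-memory stand-in for the SSL directory, then repeats it with one canonicalization applied on both write and lookup. `canonical_certname`, `CertStore`, `case_collisions` and `replay` are hypothetical names, and the character allow-list is an assumption.

```ruby
# Added illustration; method and class names are hypothetical, not Puppet's API.
# DNS names compare case-insensitively (RFC 4343), so fold to lowercase.
# The character allow-list is an assumption: the name becomes a filename.
def canonical_certname(name)
  unless name.to_s.match?(/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/)
    raise ArgumentError, "invalid certname: #{name.inspect}"
  end
  name.to_s.downcase
end

# In-memory stand-in for an SSL directory; keys are case-sensitive,
# like filenames on a typical Linux filesystem.
class CertStore
  attr_reader :files
  def initialize(canonicalize:)
    @canonicalize = canonicalize
    @files = {}
  end

  def key_for(host)
    "#{@canonicalize ? canonical_certname(host) : host}.pem"
  end

  def write(host, pem)
    @files[key_for(host)] = pem
  end

  def read(host)
    @files[key_for(host)]
  end
end

# Audit helper: group filenames that differ only by letter case.
def case_collisions(filenames)
  filenames.group_by(&:downcase).values.select { |g| g.size > 1 }.map(&:sort)
end

HOST = "domU-12-31-12-34-56-78.compute-1.internal" # hostname from the ticket

# Replay the ticket: a lowercase file is copied in, then the client looks up
# its own mixed-case hostname and regenerates on a miss.
def replay(store)
  store.write(HOST.downcase, "copied from master (constructed)")
  store.write(HOST, "regenerated on client (constructed)") if store.read(HOST).nil?
  store
end

p case_collisions(replay(CertStore.new(canonicalize: false)).files.keys)
p replay(CertStore.new(canonicalize: true)).files.keys
```

Running `case_collisions` over a real directory listing (for example `Dir.children` of the client's certs directory) reports pairs like the two files shown in the description.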

04/09/08 06:57:33 changed by luke

  • status changed from new to assigned.
  • description changed.

04/24/08 07:24:14 changed by luke

  • component changed from library to unknown.

05/13/08 00:08:10 changed by luke

  • milestone set to 0.24.5.