x509 format - PuppetServer (Jruby) - SSL certificate not valid #40

Open
hggh opened this issue Sep 21, 2016 · 3 comments
Comments

@hggh
Contributor

hggh commented Sep 21, 2016

This is not a real trocla issue; it only applies if you are using Trocla with Puppet Server.

PuppetServer uses Jruby 1.7 (PuppetLabs has custom patches for jruby):

bin/puppetserver ruby --version
jruby 1.7.26 (1.9.3p551) 2016-08-26 69763b8 on OpenJDK 64-Bit Server VM 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14 +jit [linux-amd64]

If you are using the x509 format option of trocla, trocla can generate new SSL certificates, but these certificates are not valid:

(50): crypto_openssl.c:1485-0 jcr=7f8ddc001078 Connect failure: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

(the error message is from bareos)

openssl x509 -in bar.crt -noout -text

        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3F:DD:D6:60:41:3D:44:6A:4F:71:C2:EC:8D:91:A1:45:4E:4F:72:CD
            X509v3 Subject Alternative Name: critical
                ..foobar.example.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Authority Key Identifier: 
                0...?..`A=DjOq.....ENOr.
    Signature Algorithm: sha256WithRSAEncryption

Please note the dots before the Subject Alternative Name value; this is a bug. Our SAN was "foobar.example.com" without the prefix dots. The Authority Key Identifier is also broken.

There is an open bug on JRuby: jruby/jruby#994

A quick workaround is to remove only the create_extension lines for "subjectAltName" and "authorityKeyIdentifier" inside the file formats/x509.rb.

But if you use alternative names, this workaround breaks your certificates.

@duritong
Owner

Thanks for the heads up! Also note the issue I made regarding constraints that shows a similar problem/behavior: jruby/jruby#3502

Something is broken with openssl in JRuby, or we're using it wrong...

@duritong
Owner

Also related jruby/jruby-openssl#102

@duritong
Owner

So in the past 3 years JRuby got a bit better, and SANs and authorityKeyIdentifier are working. Though nameconstraints are still an issue.

However, nameconstraints are only an issue when a CA is initially created, and you can do that manually once outside of puppetserver (and thus JRuby) if you want to use nameconstraints. Example:

require 'trocla'

# Run this once with MRI, outside puppetserver (and thus JRuby), so the
# nameConstraints extension on the CA is encoded correctly.
puts Trocla.new.password('my-ca', 'x509',
  'CN'               => 'my-ca',
  'profiles'         => ['x509veryverylong'],
  'name_constraints' => ['example.ch', 'example2.ch'],
  'become_ca'        => true,
  'render'           => { 'certonly' => true },
)

/opt/puppetlabs/puppet/bin/ruby myfile.rb

This will create a CA with proper extensions.
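The following is an added example, not trocla's code and not part of the issue above. It reproduces with Ruby's standard OpenSSL::X509::ExtensionFactory the extension set hggh's openssl dump shows on a leaf (critical SAN, SKI, AKI, basicConstraints, keyUsage) and the name-constrained CA from the last comment, then decodes each extension body back to ASN.1 and checks it has the structure RFC 5280 requires, which is the check that would have caught the mangled SAN and AKI. The CA name and the constraints (my-ca, example.ch, example2.ch) come from the page; the leaf names foobar.example.ch, www.example2.ch and other.example.org are constructed inputs. It is written for MRI (for instance /opt/puppetlabs/puppet/bin/ruby); on a JRuby that emits the broken encodings reported above, the SAN and AKI checks are meant to fail.

```ruby
require 'openssl'

# Added example, not trocla's code: build a name-constrained CA and a leaf with
# the same extensions trocla's x509 format sets, then decode the extension
# bodies to confirm they are well-formed. All DNS names are constructed inputs.

def new_cert(serial, subject, issuer_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  cert
end

# Self-signed CA whose nameConstraints permit only the given DNS subtrees.
def build_ca(permitted_dns)
  key = OpenSSL::PKey::RSA.new(2048)
  ca = new_cert(1, '/CN=my-ca', OpenSSL::X509::Name.parse('/CN=my-ca'), key)
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca) # issuer cert, subject cert
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  ca.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  nc = permitted_dns.map { |d| "permitted;DNS:#{d}" }.join(',')
  ca.add_extension(ef.create_extension('nameConstraints', nc, true))
  ca.sign(key, OpenSSL::Digest::SHA256.new)
  [ca, key]
end

# End-entity cert signed by the CA, with a critical SAN and an AKI that points
# at the CA's SKI (the two extensions the issue reports as mangled under JRuby).
def build_leaf(ca, ca_key, serial, cn, dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  leaf = new_cert(serial, "/CN=#{cn}", ca.subject, key)
  ef = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.add_extension(ef.create_extension('keyUsage', 'digitalSignature, nonRepudiation, keyEncipherment', true))
  leaf.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  leaf.add_extension(ef.create_extension('subjectAltName', dns_names.map { |d| "DNS:#{d}" }.join(','), true))
  leaf.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  leaf.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [leaf, key]
end

# Decode an extension's extnValue: the DER inside the OCTET STRING wrapper.
def ext_body(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  return nil unless ext
  outer = OpenSSL::ASN1.decode(ext.to_der) # SEQUENCE { OID, [BOOLEAN], OCTET STRING }
  OpenSSL::ASN1.decode(outer.value.last.value)
end

def context_tag?(node, tag)
  node.tag_class == :CONTEXT_SPECIFIC && node.tag == tag
end

# RFC 5280: SAN is SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String.
def san_dns_names(cert)
  body = ext_body(cert, 'subjectAltName')
  raise 'subjectAltName missing or not a SEQUENCE' unless body.is_a?(OpenSSL::ASN1::Sequence)
  body.value.select { |gn| context_tag?(gn, 2) }.map { |gn| gn.value.to_s }
end

# AKI is SEQUENCE { keyIdentifier [0] ... }; its bytes must equal the issuer's SKI.
def aki_matches_issuer_ski?(cert, issuer)
  aki = ext_body(cert, 'authorityKeyIdentifier')
  ski = ext_body(issuer, 'subjectKeyIdentifier')
  return false unless aki.is_a?(OpenSSL::ASN1::Sequence) && ski.is_a?(OpenSSL::ASN1::OctetString)
  keyid = aki.value.find { |v| context_tag?(v, 0) }
  !keyid.nil? && keyid.value == ski.value
end

# nameConstraints is SEQUENCE { permittedSubtrees [0] SEQUENCE OF GeneralSubtree, ... }.
def permitted_dns_subtrees(ca)
  body = ext_body(ca, 'nameConstraints')
  return [] unless body.is_a?(OpenSSL::ASN1::Sequence)
  permitted = body.value.find { |v| context_tag?(v, 0) }
  return [] unless permitted
  bases = permitted.value.map { |subtree| subtree.value.first } # GeneralSubtree.base
  bases.select { |gn| context_tag?(gn, 2) }.map { |gn| gn.value.to_s }
end

# Path validation against the CA; OpenSSL applies the CA's nameConstraints here.
def chain_verifies?(leaf, ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify(leaf)
end

# Build the chain once and return everything worth checking.
def run_checks
  ca, ca_key = build_ca(['example.ch', 'example2.ch'])
  good, = build_leaf(ca, ca_key, 2, 'foobar.example.ch', ['foobar.example.ch', 'www.example2.ch'])
  bad,  = build_leaf(ca, ca_key, 3, 'other.example.org', ['other.example.org'])
  {
    san: san_dns_names(good),
    san_text: good.extensions.find { |e| e.oid == 'subjectAltName' }.value, # what `openssl x509 -text` prints
    aki_ok: aki_matches_issuer_ski?(good, ca),
    permitted: permitted_dns_subtrees(ca),
    good_verifies: chain_verifies?(good, ca),
    bad_verifies: chain_verifies?(bad, ca) # false: SAN outside the permitted subtrees
  }
end

puts run_checks if __FILE__ == $PROGRAM_NAME
```

The `san_text` entry is the same rendering `openssl x509 -noout -text` shows; a well-formed SAN prints as `DNS:...` entries, while the dotted output in the report above is what you get when the extension body cannot be parsed as a SEQUENCE OF GeneralName. Decoding the raw DER with OpenSSL::ASN1 rather than trusting the printed text is what makes the check independent of which Ruby produced the certificate.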
