x509 format - PuppetServer (Jruby) - SSL certificate not valid #40
Comments
Thanks for the heads-up! Also note the issue I made regarding constraints that shows a similar problem/behavior: jruby/jruby#3502. Something is broken with openssl in jruby or we're using it wrong...
Also related: jruby/jruby-openssl#102
So in the past 3 years jruby got a bit better, and SANs and authorityKeyIdentifier are working, though nameConstraints are still an issue. However, nameConstraints are only an issue when a CA is initially created, and you can do that manually once outside of puppetserver (and thus jruby) if you want to use nameConstraints. Example:
/opt/puppetlabs/puppet/bin/ruby myfile.rb
This will create a CA with proper extensions.
This is not a real trocla issue; it only applies if you are using Trocla with Puppet Server.
PuppetServer uses JRuby 1.7 (Puppet Labs has custom patches for JRuby):
If you are using the x509 format option of trocla, trocla can generate new SSL certificates, but these certificates are not valid:
(the error message is from bareos)
openssl x509 -in bar.crt -noout -text
Please note the dots before the Subject Alternative Name value; this is a bug. Our SAN was "foobar.example.com" without the prefix dots. The Authority Key Identifier is also broken.
There is an open bug on JRuby: jruby/jruby#994
A quick workaround is to remove only the create_extension lines for "subjectAltName" and "authorityKeyIdentifier" in the file formats/x509.rb,
but if you use alternative names, this workaround breaks your certificates.