
puppet-ca_cert's Issues

update-ca-trust overwrites /etc/pki/java/cacerts

For Red Hat 7 installations, it appears that the invocation of update-ca-trust overwrites /etc/pki/java/cacerts, which occurs during the Exec[enable_ca_trust]:

    Debug: Exec[enable_ca_trust](provider=posix): Executing check 'update-ca-trust check | grep DISABLED'
    Debug: Executing: 'update-ca-trust check | grep DISABLED'

To illustrate this from the command line:

    ~ # keytool -importcert -noprompt -alias java -file /opt/conf/test.pem -keystore /etc/pki/java/cacerts -trustcacerts
    Enter keystore password:
    Certificate was added to keystore
    ~ # keytool -list -keystore /etc/pki/java/cacerts -alias java
    Enter keystore password:
    java, May 24, 2017, trustedCertEntry,
    Certificate fingerprint (SHA1): B2:6A:3C:22:CC:49:4B:EF:2F:27:51:74:0F:F9:4F:B6:E1:4F:3G:E3
    ~ # update-ca-trust check | grep DISABLED
    ~ # keytool -list -keystore /etc/pki/java/cacerts -alias java
    Enter keystore password:
    keytool error: java.lang.Exception: Alias <java> does not exist

This plays havoc while attempting to use https://github.com/puppetlabs/puppetlabs-java_ks:

    java_ks { 'java:cacerts':
      ensure       => latest,
      certificate  => '/opt/conf/test.pem',
      target       => '/etc/pki/java/cacerts',
      password     => 'changeit',
      trustcacerts => true,
      require      => File['/opt/conf/test.pem'],
    }

I understand Red Hat 7 is not included in the supported platforms, but thought some awareness should be raised on this one. Thank you!

wget creates empty file

After doing some googling, it seems that wget will create an empty file even if there was a problem accessing the specified URL. I've had this happen a few times and the module does not fix it since it only checks for the presence of the desired file.

Possible solutions are:

    wget "url" -O file || rm -f file

or:

    curl -f http://nonexistent/file.jpg -o localfile.jpg

I don't know which is preferred so if you have an opinion on one over the other I'll submit a pull request with the changes.
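The pattern both suggestions are reaching for, as an added example written for this page (not code from the module or from the poster): fetch into a temporary file beside the destination, treat a non-zero exit status or an empty body as failure, and only then rename into place. The function name fetch_ca_cert, the helper looks_like_cert and the CA_FETCH_CMD variable are assumptions; the default transport is curl -f as in the second suggestion, and wget -q -O can be substituted because it takes its arguments in the same order.

```shell
#!/bin/sh
# Added example (not module code): download a CA certificate without ever leaving
# an empty or half-written file at the destination path.
#
# fetch_ca_cert URL DEST
#   - downloads to DEST.part.<pid> in the same directory, so the final mv is a rename
#   - a non-zero exit status OR a zero-byte body OR a body that is not a certificate
#     counts as failure; the temp file is removed and the function returns 1
#   - CA_FETCH_CMD (assumed variable) is the transport, invoked as:
#       $CA_FETCH_CMD <outfile> <url>
#     default "curl -fsSL -o"; "wget -q -O" has the same argument shape
fetch_ca_cert() {
  url=$1
  dest=$2
  tmp="${dest}.part.$$"

  # -f makes curl exit non-zero on an HTTP error instead of saving the error page
  if ! ${CA_FETCH_CMD:-curl -fsSL -o} "$tmp" "$url"; then
    rm -f "$tmp"
    return 1
  fi

  # A zero-byte file is exactly what a failed wget run leaves behind; never install it
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    return 1
  fi

  # Reject bodies that are clearly not a certificate (e.g. an HTML error page
  # served with status 200), so a presence check downstream cannot be fooled
  if ! looks_like_cert "$tmp"; then
    rm -f "$tmp"
    return 1
  fi

  mv -f "$tmp" "$dest"
}

# looks_like_cert FILE: cheap structural check that needs no openssl binary.
# Accepts PEM armour or a DER file, whose first byte is the ASN.1 SEQUENCE tag 0x30.
looks_like_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && return 0
  [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]
}
```

Because the temporary file lives in the same directory as the destination, the final mv is a rename and a partial download is never visible under the managed path; an exec resource wrapping this function can keep a creates guard on the destination and still be safe, since the destination only exists after a verified download.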

PE v2017.2.3 RHEL 7 catalog compilation issue with ca.pp

Hi, I'm still fairly new to puppet so I may be doing something wrong... but when I went to use this package with a reference to ca_cert::ca from one of my classes, I got an unresolved reference to ca_cert::update. I added an "include ::ca_cert::update" to the ca.pp file after the "include ::ca_cert::params" and then it compiled the catalog and worked as expected. Just wanted to check if this is an error or if I am not configuring something correctly in how my class uses the ca_cert package.

Removing CA certs should `update-ca-trust`

When I remove a cert (setting ensure: absent), it needs to run update-ca-certs. I am not sure what "they" did exactly, but when they renewed our corpCA, I thought I could just add the new one in, and everything would work as it is supposed to, but today (Sunday, Valentine's Day) I am working because all our Linux hosts cannot authenticate :) They are all using the old CA cert to validate the ldap cert... hmmm ... so when I removed it to test (by hand), everything started working on that host. I set it absent in puppet, but it did not run update-ca-certs, so no dice again. I can manually run that command through bolt/task exec, but I shouldn't need to, right?

Tommy

Compilation fails when install_package set to false and ca_certs is not undef

When any CAs are passed via ca_cert::ca_certs and ca_cert::install_package is set to false, the module throws the following compilation error:

Puppet::Error: Could not find resource 'Package[ca-certificates]' in parameter 'require'

Looking at the source code, it appears that the package is only declared if that toggle is set to true, but if any ca_certs are passed in it will require that package anyways.

hiera configuration

Hi

Thx for the great module, very useful.
Is there support for hiera syntax?

Add proxy support to ca_cert::ca (remote_file)

In our case we need to use the proxy while downloading the certificates. remote_file fails and gives timeouts.

I implemented an ugly patch so we can pass "proxy" when using ca_cert::ca, but I guess that you would like to implement it in a way that supports the same proxy-related parameters as remote_file.

The remote_file type provides several proxy-related parameters. You should choose between specifying proxy or specifying proxy_host and proxy_port. The following two examples are equivalent.

I can create a PR in case you don't want to implement more than the plain "proxy" way of defining a proxy in remote_file.

Certificates fail to update after failed run because force_enable was needed

I have multiple Scientific Linux 6 servers where the ca_cert module is failing on Exec[enable_ca_trust] because of local modifications that necessitated doing an update-ca-trust force-enable. I manually ran update-ca-trust force-enable and then ran puppet agent -t. This time there was no error, but nothing happened. I verified that the certificate had not been deployed (by doing curl to an internal server using a certificate signed by my CA) even though the certificate file was installed in /etc/pki/ca-trust/source/anchors. I then removed the certificate from /etc/pki/ca-trust/source/anchors and ran puppet agent -t again. This time the certificate was successfully deployed.

Missing release tags

On the Forge site, your module has two release tags (0.1.0 and 0.1.1). There are no tags in the GitHub repo. One would need to refer to a specific git commit hash to lock in to a point in time.

Can you please add the same tags here?

Thanks

cURL support

Hi,

Some VMs we provision do not have wget installed on the system (in our case the Vagrant centos/7 box from HashiCorp).
I was thinking about installing wget before provisioning, but I can't since the CA certificate is not installed yet (which makes sense because this module is supposed to do this job).
Since our system has curl installed, I think it would be great if the module could allow the use of curl.
I was thinking about adding a download_with parameter that could allow wget and curl (defaulting to 'wget' so as not to break the current version).

I can work a bit on it and I can suggest a pull request if you guys agree with my feature request.

Thanks a lot.

Update module to support RHEL5

RHEL5 only needs a .PEM style certificate located in /etc/pki/tls/certs and then c_rehash run after the certificate is copied.

This should be an easy addition but unfortunately, the init.pp module appends '.crt' to the end of every certificate file name. '.pem' is required for proper certificate rehashing and modifying the code will create backwards compatibility issues.

Thoughts?

update-ca-trust check is not a thing on EL7

The enable_ca_trust resource actually updates the cacerts on every puppet run on EL7 systems.

The resource uses unless => update-ca-trust check | grep DISABLED here

update-ca-trust check isn't a thing on EL7 and all arguments are silently ignored. The command is a really simple bash script. (The EL6 version is much more complicated.)

    [root@host~]# cat `which update-ca-trust`
    #!/bin/sh

    #set -vx

    # At this time, while this script is trivial, we ignore any parameters given.
    # However, for backwards compatibility reasons, future versions of this script must
    # support the syntax "update-ca-trust extract" trigger the generation of output
    # files in $DEST.

    DEST=/etc/pki/ca-trust/extracted

    # OpenSSL PEM bundle that includes trust flags
    # (BEGIN TRUSTED CERTIFICATE)
    /usr/bin/p11-kit extract --comment --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
    /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
    /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
    /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
    /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
    [root@host ~]#

The end result is that on every puppet run the cacerts file is silently regenerated. This is quite annoying if you're using a file integrity tool like tripwire/ossec etc.
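An idempotence guard for the extraction step, as an added example that is not part of the module or of either report. The first issue on this page shows the same root cause from the other side: an alias imported into /etc/pki/java/cacerts with keytool vanishes because "update-ca-trust check" is the full extraction and regenerates that file from the p11-kit anchors. The function name ca_trust_stale and its two arguments are assumptions; it reports whether anything under the source tree is newer than a generated bundle, which is what an Exec needs as its condition instead of a check that is never true.

```shell
#!/bin/sh
# Added example (not module code): decide whether the trust store needs re-extracting.
# On EL7 "update-ca-trust" ignores its arguments, so "update-ca-trust check" is not a
# cheap test: it is the full extraction and rewrites every generated bundle, including
# /etc/pki/java/cacerts. A timestamp guard keeps the Exec idempotent: extract only when
# an anchor file, or the anchors directory itself (its mtime moves when a file is removed),
# is newer than the bundle produced by the last extraction.
#
# ca_trust_stale SOURCE_DIR BUNDLE  -> exit 0 if extraction is needed, 1 otherwise
#   SOURCE_DIR  e.g. /etc/pki/ca-trust/source
#   BUNDLE      e.g. /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca_trust_stale() {
  src=$1
  bundle=$2

  # Nothing extracted yet (or an empty bundle): the extraction must run
  [ -s "$bundle" ] || return 0

  # Any file or directory in the source tree modified after the bundle was written?
  # Directories are included so that removing an anchor also counts as a change.
  find "$src" \( -type f -o -type d \) -newer "$bundle" -print 2>/dev/null | grep -q .
}
```

In a manifest this would sit behind the extraction as onlyif => '/usr/local/sbin/ca_trust_stale /etc/pki/ca-trust/source /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' (the script path is assumed) with command => 'update-ca-trust extract', so the generated files, the java cacerts among them, are only rewritten when an anchor was added or removed. Because the anchors directory's own mtime changes on removal, the same guard also fires for the ensure => absent case raised elsewhere on this page, and a file integrity monitor stops seeing a rewrite on every agent run.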

`purge_unmanaged_CAs` actually purges managed CAs too

When setting the purge_unmanaged_CAs flag to true, the managed CA files are deleted and re-downloaded which is a waste of resources.

Here is an example:

    % cat ca_purge.pp
    class { 'ca_cert':
      purge_unmanaged_CAs => true,
    }
    ca_cert::ca { 'globalsign_org_intermediate':
      source => 'http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt',
    }
    % sudo puppet apply  --modulepath=. ca_purge.pp
    Notice: Compiled catalog for samk.acme.com in environment production in 4.28 seconds
    Notice: /Stage[main]/Ca_cert/File[/usr/local/share/ca-certificates/globalsign_org_intermediate.crt]/ensure: removed
    Notice: /Stage[main]/Main/Ca_cert::Ca[globalsign_org_intermediate]/Exec[get_globalsign_org_intermediate.crt]/returns: executed successfully
    Notice: /Stage[main]/Ca_cert::Update/Exec[ca_cert_update]: Triggered 'refresh' from 2 events
    Notice: Finished catalog run in 5.64 seconds

In the above example, the file /usr/local/share/ca-certificates/globalsign_org_intermediate.crt should not be removed because it is a managed CA.

  • The issue only occurs when the CA file is retrieved by an "exec resource". Sources like 'ftp', 'http' and 'https' are affected.
  • The issue does not occur when the CA file is retrieved with the "file resource" (like 'file', 'puppet' or 'text') because Puppet becomes aware of the existence of these files and prevents them from being purged.

I suggest a solution: add the line file {$ca_cert: replace => false } when the file is created by exec so Puppet becomes aware of this file and does not purge it.
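Purge semantics as the report expects them, written for this page as an added example (not the module's code): the set of managed names is passed explicitly, so a file that was fetched with an exec is never mistaken for an unmanaged one, and the caller learns whether anything was actually removed so the trust store is only rebuilt when needed. purge_unmanaged_cas and the DRY_RUN variable are assumed names.

```shell
#!/bin/sh
# Added example (not module code): purge local CA files that are NOT in the managed set.
# The report above shows a purge that cannot tell exec-fetched managed files from strays;
# carrying an explicit managed list fixes that: only names absent from the list are deleted.
#
# purge_unmanaged_cas DIR NAME...
#   DIR      e.g. /usr/local/share/ca-certificates
#   NAME...  basenames of the managed certificate files (kept whatever their origin)
#   Prints each purged path. With DRY_RUN=1 (assumed variable) it only prints.
#   Exit status 0 when at least one file was purged (a trust-store refresh is due),
#   1 when there was nothing to purge.
purge_unmanaged_cas() {
  dir=$1
  shift
  purged=0
  for path in "$dir"/*; do
    [ -f "$path" ] || continue          # skip subdirectories and an unexpanded glob
    name=${path##*/}
    keep=0
    for managed in "$@"; do
      [ "$name" = "$managed" ] && { keep=1; break; }
    done
    [ "$keep" -eq 1 ] && continue       # managed: leave it alone, no re-download needed
    printf '%s\n' "$path"
    [ "${DRY_RUN:-0}" = "1" ] || rm -f -- "$path"
    purged=$((purged + 1))
  done
  [ "$purged" -gt 0 ]
}
```

Run with DRY_RUN=1 first on a host to see what would go; a managed file is never listed, which is the behaviour the report says the purge_unmanaged_CAs flag should have had for globalsign_org_intermediate.crt.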

`update-ca-trust enable`?

Thanks for the module. On CentOS 6.6, looks like update-ca-trust extract will fail yet exit 0:

    $ update-ca-trust extract; echo $?
    update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state
    0

    $ update-ca-trust enable

    $ update-ca-trust extract; echo $?
    0

Do you have any plans to update your module soon? If not, I'll fork and submit a patch. Thanks again.

Puppet 8.x support

Hi,
Is it possible to update the module with a new tag for Puppet 8.x support?

In my testing env I have changed this in params.pp:

    - case $::osfamily {
    + case $facts['os']['family'] {
    - fail("Unsupported osfamily (${::osfamily})")
    + fail("Unsupported osfamily (${facts['os']['family']})")

Thanks

syntax error init.pp line 40

Hello, I am seeing the following error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Syntax error at 'Boolean'; expected ')' at /etc/puppet/modules/ca_cert/manifests/init.pp:40 on node (node name redacted)

The code I am using to invoke is:

  ca_cert::ca { 'CA':
    ensure => 'trusted',
    source => 'puppet:///modules/mymodule/my-ca.crt',
  }

My versions:

  • puppet-ca_cert (this repo) Release 2.1.1
  • Puppet 3.8.5, from Ubuntu repository
  • Ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Error: Invalid Relationship

After upgrading my PE master to v2016.5.1 I'm consistently seeing the following error on puppet runs using ca_cert v1.6.1:
Could not retrieve catalog from remote server: Error 500 on SERVER: {"message":"Server Error: Invalid relationship: File[Wisconsin-State-Legislature-Issuing-CA.crt] { require => Package[ca-certificates] }, because Package[ca-certificates] doesn't seem to be in the catalog","issue_kind":"RUNTIME_ERROR"}

The package in question 'ca-certificates' is already installed on the node (Ubuntu 14.04). Please let me know if there's any additional info you'd like.

include ca_cert::update in ca_cert::ca

As ca_cert::ca notifies ca_cert::update, it should probably include it.
If not, manifests using ca_cert::ca will have to explicitly include ca_cert::update.

Dependency cycle since v2.1.1

Since upgrading to version 2.1.1 from 2.1.0 I'm seeing a dependency cycle for my (only) ca_certs entry:

    Error: Found 1 dependency cycle:
    (File[cert_name.crt] => Ca_cert::Ca[cert_name] => Class[Ca_cert] => Ca_cert::Ca[cert_name] => File[cert_name.crt])

The class is included via ENC with the following parameters:

    ca_cert:
        ca_certs:
            cert_name:
                ensure: 'trusted'
                source: 'puppet:///modules/mymodule/certs/ca-root.pem'

Reverting back to 2.1.0 solved the problem.

Could not find dependency Package

Hi

We use your puppet module in our environment and get an error with the newest version.

Error: Failed to apply catalog: Could not find dependency Package[ca-certificates] for File[our_root_ca.crt] at /etc/puppet/environments/KT_puppet_13/modules/ca_cert/manifests/ca.pp:102

The package ca-certificates is available:

    yum info ca-certificates
    Loaded plugins: langpacks, product-id, rhnplugin, search-disabled-repos, subscription-manager
    This system is not registered with RHN Classic or Red Hat Satellite. You can use rhn_register to register.
    Red Hat Satellite or RHN Classic support will be disabled.
    Installed Packages
    Name        : ca-certificates
    Arch        : noarch
    Version     : 2015.2.6
    Release     : 70.1.el7_2
    Size        : 1.1 M
    Repo        : installed
    From repo   : rhel-7-server-rpms
    Summary     : The Mozilla CA root certificate bundle
    URL         : http://www.mozilla.org/
    License     : Public Domain
    Description : This package contains the set of CA certificates chosen by the
                : Mozilla Foundation for use with the Internet PKI

and installed on all systems.

OS is RHEL 7.

Support distrusting CAs on Debian family

What are you seeing

When trying to distrust a CA (i.e. /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt), this module ends up trying to ensure absent on a locally added CA.

What behaviour did you expect instead

I'm expecting ensure present/absent to add/remove local CAs and distrust to remove distro/package provided CAs.

Distrusting a CA on Debian is done by prepending '!' to the CA's entry in /etc/ca-certificates.conf.
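What the requested distrust behaviour looks like at the file level, as an added example for this page (not code from the module or the reporter): the '!' prefix convention described above, applied idempotently to /etc/ca-certificates.conf with an exact-line match so that a name never matches a longer sibling entry. distrust_ca, trust_ca, ca_is_distrusted and _rewrite_ca_line are assumed names; the functions edit the file only and leave running update-ca-certificates to the caller.

```shell
#!/bin/sh
# Added example (not module code): mark a distribution-provided CA as distrusted on a
# Debian-family system by prefixing its line in /etc/ca-certificates.conf with '!',
# which is what update-ca-certificates honours; trust_ca reverses it. Both are
# idempotent and write via a temp file plus rename, so an interrupted run cannot leave
# a half-written config. update-ca-certificates must be run afterwards (not done here).
#
#   distrust_ca CONF NAME        e.g. distrust_ca /etc/ca-certificates.conf mozilla/ACCVRAIZ1.crt
#   trust_ca CONF NAME           remove the '!' again
#   ca_is_distrusted CONF NAME   exit 0 if NAME is currently prefixed with '!'
# NAME is the path relative to /usr/share/ca-certificates, as used in the config file.
# A NAME that is not listed in CONF is an error (exit 1) rather than being silently added.
distrust_ca() { _rewrite_ca_line "$1" "$2" "!"; }
trust_ca()    { _rewrite_ca_line "$1" "$2" ""; }
ca_is_distrusted() { grep -qxF -- "!$2" "$1"; }

# _rewrite_ca_line CONF NAME PREFIX: replace the line "NAME" or "!NAME" with PREFIX+NAME.
# Exact whole-line matching only, so mozilla/Foo.crt never touches mozilla/Foo.crt.bak.
_rewrite_ca_line() {
  conf=$1
  name=$2
  prefix=$3
  grep -qxF -- "$name" "$conf" || grep -qxF -- "!$name" "$conf" || return 1
  tmp="${conf}.tmp.$$"
  awk -v name="$name" -v prefix="$prefix" '
    $0 == name || $0 == ("!" name) { print prefix name; next }   # the entry we manage
    { print }                                                     # everything else verbatim
  ' "$conf" > "$tmp" && mv -f "$tmp" "$conf"
}
```

The temp file is created with the caller's umask, so run this as root with the usual 022 umask to keep the config world-readable; the exit status of distrust_ca makes a missing entry visible instead of creating a line for a certificate the package does not ship.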

Bug on RHEL 6.9: update-ca-trust fails because directory permissions are reset by the module

On RHEL 6.9 systems (and probably others), the update-ca-trust enable step fails with the error "Legacy CA bundle files aren't in the default state, they have been modified.", pointing to changes in /etc/pki/ca-trust/source/anchors. The issue is that this module updates the permissions of this directory from their default 0755 to 0555, causing the run to fail.

The issue can be fixed by keeping the directory permissions to their default state or using force-enable. The former would be preferred.

The issue is not present on RHEL 7.4 systems.
