
Puppet host certs do not contain Subject Alt Name entries
Open, Medium, Public

Description

The upstream bug is here: https://tickets.puppetlabs.com/browse/SERVER-2338

This means the puppet certs are not compliant with modern standards. E.g. golang 1.15 no longer supports these certs by default. The workaround for go will disappear in future versions.
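As an added example (not code from this task, Puppet or Wikimedia), a small Go program that builds a constructed self-signed certificate for a placeholder host in the CN-only shape described above and shows that the Go verifier rejects it, while the same certificate with a DNS SAN passes; the names makeCert, HasSAN and AcceptedByGo are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test cert for host (constructed placeholder); sans=nil gives the CN-only shape of the puppet certs.
func makeCert(host string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     sans, // the Subject Alt Name entries the puppet certs lack
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasSAN reports whether a cert carries any Subject Alternative Name; run over host certs it flags the ones this task is about.
func HasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) > 0
}

// AcceptedByGo reports whether this toolchain's verifier matches the cert to host; since Go 1.15 (default) and 1.17 (always) a cert without SANs fails even when its CN matches.
func AcceptedByGo(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	c, err := makeCert("puppet.example.invalid", nil) // CN-only, like the puppet certs
	if err != nil {
		panic(err)
	}
	fmt.Println("CN-only cert accepted:", AcceptedByGo(c, "puppet.example.invalid"))
}
```

Pointing HasSAN at the PEM files under a real puppet ssl directory is the quickest way to inventory which certs will break a Go client once the GODEBUG workaround is gone.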

Event Timeline

jbond triaged this task as Medium priority. Feb 2 2021, 4:14 PM
jbond added projects: CAS-SSO, Puppet.

@Kormat is this blocking something? Currently there is no plan to fix this until we upgrade to puppet server 6 (for which there is no timeline; the package is still not building in Debian upstream). I would say that anything which needs SAN certificates should be migrated away from the puppet certs to the new pki service.

Also noting here that we have implemented the workaround above in the cfssl::cert define.

@jbond: Using the env var workaround for services works for the moment, so long as:

  • we're using upstream's binary and they compile it with golang < 1.17
  • we're compiling the binary ourselves and the source doesn't require golang 1.17

It gets painful for cmdline binaries, though. I guess you're stuck with moving the real binary out of $PATH, and putting in a wrapper script that sets the env var, so that all callers will have it set.
I'm currently compiling with go1.14 to avoid that mess, for now.