Page MenuHomePhabricator
Create Task
Maniphest T273637

Puppet host certs do not contain Subject Alt Name entries
Closed, DeclinedPublic
Actions

Description

The upstream bug is here: https://tickets.puppetlabs.com/browse/SERVER-2338

This means the puppet certs are not compliant with modern standards. E.g. golang 1.15 no longer supports these certs by default. The workaround for go will disappear in future versions.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT294906 Puppet Improvements
 OpenjbondT313387 investigate state of puppet 7
 DeclinedNoneT273637 Puppet host certs do not contain Subject Alt Name entries

Event Timeline

Kormat created this task.Feb 2 2021, 4:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 2 2021, 4:11 PM
jbond triaged this task as Medium priority.Feb 2 2021, 4:14 PM
jbond added projects: CAS-SSO, Puppet.
jbond added a project: User-jbond.Jun 1 2021, 2:55 PM
jbond moved this task from Unsorted 💣 to Back Burner 🏛️ on the User-jbond board.Jun 1 2021, 2:59 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
Kormat added a comment.Aug 18 2021, 2:54 PM

Golang 1.17 will remove support for the work-around: https://golang.org/doc/go1.16#crypto/x509

jbond added a comment.EditedAug 23 2021, 10:56 AM

@Kormat is this blocking something, currently there is no plan to fix this untill we upgrade to puppet server 6 (for which there is no timeline, package is still not building in Debian upstream). I would say that anything which needs SAN certificates should be migrated away from the puppet certs to the new pki service.

also noting here that we have implemented the workaround above in the cfssl::cert define

Kormat added a comment.Aug 23 2021, 12:19 PM

@jbond: Using the env var workaround for services works for the moment, so long as:

  • we're using upstream's binary and they compile it with golang < 1.17
  • we're compiling the binary ourselves and the source doesn't require golang 1.17

It gets painful for cmdline binaries, though. I guess you're stuck with moving the real binary out of $PATH, and putting in a wrapper script that sets the env var, so that all callers will have it set.
I'm currently compiling with go1.14 to avoid that mess, for now.

Kormat mentioned this in T289486: Move mariadb away from using puppet host certs.Aug 23 2021, 12:25 PM
jbond added a parent task: T294906: Puppet Improvements.Nov 3 2021, 11:38 AM
jbond mentioned this in T313387: investigate state of puppet 7.Jul 20 2022, 10:36 AM
jbond added a parent task: T313387: investigate state of puppet 7.
Aklapper removed jbond as the assignee of this task.Mar 21 2023, 9:30 AM
Aklapper added a subscriber: jbond.

@jbond: Removing task assignee as this open task has been assigned for more than two years - See the email sent to task assignee on Feburary 22nd, 2023.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

jhathaway added a subscriber: jhathaway.Mar 22 2023, 4:47 PM

@jbond this should be fixed, following the Puppet 7 upgrade. Do we have any way of noting post puppet 7 followup tasks?

jbond added a comment.Mar 22 2023, 4:50 PM

@jhathaway not currently but we could request a new tag or possibly a milestone. @Aklapper are you able to offer any advice on this, thanks?

jhathaway mentioned this in T298959: Upgrade dborch1001 to Bullseye.Mar 22 2023, 5:10 PM
Aklapper added a comment.Mar 22 2023, 9:42 PM
In T273637#8718626, @jbond wrote:

are you able to offer any advice on this, thanks?

See "Request a project" on the default https://phabricator.wikimedia.org front page

joanna_borun added a subscriber: joanna_borun.Jul 3 2023, 3:16 PM

It's going to be fixed with puppet 7 upgrade.

joanna_borun closed this task as Declined.Jul 3 2023, 3:16 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL