duritong / trocla

A password store for password creation and retrieval

x509 format - PuppetServer (Jruby) - SSL certificate not valid #40

Open hggh opened 7 years ago

hggh commented 7 years ago

This is not a real trocla issue, this issue only applies if you are using Trocla with Puppet Server.

PuppetServer uses Jruby 1.7 (PuppetLabs has custom patches for jruby):

bin/puppetserver ruby --version
jruby 1.7.26 (1.9.3p551) 2016-08-26 69763b8 on OpenJDK 64-Bit Server VM 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14 +jit [linux-amd64]

If you are using the x509 format option of trocla, trocla can generate new SSL certificates, but these certificates are not valid:

(50): crypto_openssl.c:1485-0 jcr=7f8ddc001078 Connect failure: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

(the error message is from bareos)

openssl x509 -in bar.crt -noout -text

        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3F:DD:D6:60:41:3D:44:6A:4F:71:C2:EC:8D:91:A1:45:4E:4F:72:CD
            X509v3 Subject Alternative Name: critical
                ..foobar.example.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Authority Key Identifier: 
                0...?..`A=DjOq.....ENOr.
    Signature Algorithm: sha256WithRSAEncryption

Please note the dots before the Subject Alternative Name value; this is a bug. Our SAN was "foobar.example.com" without the prefix dots. The Authority Key Identifier is broken as well.

There is an open bug on Jruby: https://github.com/jruby/jruby/issues/994

A quick workaround is to remove only the create_extension lines for "subjectAltName" and "authorityKeyIdentifier" inside the file formats/x509.rb.

But if you use alternative names, this workaround breaks your certificates.
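A check for the symptom described in this report, as an added example that is not part of the issue or of trocla: build a self-signed certificate with the same extensions through OpenSSL::X509::ExtensionFactory (the create_extension API trocla's formats/x509.rb uses), then decode the SAN and authorityKeyIdentifier back from DER and compare them with what was requested. Helper names are hypothetical; on a jruby-openssl that mis-encodes these extensions the dNSName values or the keyid would not match.

```ruby
require 'openssl'

# Hypothetical helper: self-signed cert with the extensions shown in the issue
# (SKI, basicConstraints, keyUsage, SAN, AKI), built via ExtensionFactory.
def build_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', sans.map { |n| "DNS:#{n}" }.join(','), true))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }
# Return the raw extnValue bytes so the inner structure is decoded independently.
def ext_value_der(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  ext && OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

# SAN is GeneralNames: SEQUENCE OF GeneralName; dNSName is implicit tag [2].
# A double-wrapped or mis-encoded SAN (the "..foobar" of the issue) fails here.
def san_dns_names(cert)
  der = ext_value_der(cert, 'subjectAltName') or return []
  OpenSSL::ASN1.decode(der).value.select { |gn| gn.tag == 2 }.map(&:value)
rescue OpenSSL::ASN1::ASN1Error
  []
end

# The AKI keyIdentifier ([0] inside the AKI SEQUENCE) must equal the issuer's SKI.
def aki_matches_ski?(cert)
  ski   = OpenSSL::ASN1.decode(ext_value_der(cert, 'subjectKeyIdentifier')).value
  aki   = OpenSSL::ASN1.decode(ext_value_der(cert, 'authorityKeyIdentifier'))
  keyid = aki.value.find { |v| v.tag == 0 }
  !keyid.nil? && keyid.value == ski
rescue OpenSSL::ASN1::ASN1Error, TypeError
  false
end
```

Running the same checks against a certificate trocla produced under puppetserver shows whether the extensions were encoded correctly, independent of how the openssl text printer renders them.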

duritong commented 7 years ago

Thanks for the heads up! Also note the issue I made regarding constraints that shows a similar problem/behavior: https://github.com/jruby/jruby/issues/3502

Something is broken with openssl in jruby or we're using it wrong....

duritong commented 7 years ago

Also related https://github.com/jruby/jruby-openssl/issues/102

duritong commented 4 years ago

So in the past 3 years jruby got a bit better and SANs and authorityKeyIdentifier are working. Though nameconstraints are still an issue.

However, nameconstraints are only an issue when a CA is initially created, and you can do that manually once outside of puppetserver (and thus jruby) if you want to use nameconstraints. Example:

require 'trocla'

# Create the CA once with MRI's openssl (outside puppetserver), so the
# nameconstraints extension is not produced by jruby-openssl.
puts Trocla.new.password('my-ca', 'x509',
  'CN'               => 'my-ca',
  'profiles'         => ['x509veryverylong'],
  'name_constraints' => ['example.ch', 'example2.ch'],
  'become_ca'        => true,
  'render'           => { 'certonly' => true },
)

/opt/puppetlabs/puppet/bin/ruby myfile.rb

This will create a CA with proper extensions.