Open hggh opened 7 years ago
Thanks for the heads up! Also note the issue I made regarding constraints that shows a similar problem/behavior: https://github.com/jruby/jruby/issues/3502
Something is broken with openssl in jruby or we're using it wrong....
Also related https://github.com/jruby/jruby-openssl/issues/102
So in the past 3 years jruby got a bit better and SANs and authorityKeyIdentifier are working. Though nameconstraints are still an issue.
However, nameconstraints are only an issue when a CA is initially created, and you can do that manually once outside of puppetserver (and thus jruby) if you want to use nameconstraints. Example:
```ruby
require 'trocla'

# Create the CA once outside puppetserver so MRI's OpenSSL handles the extensions
puts Trocla.new.password('my-ca', 'x509',
  'CN'               => 'my-ca',
  'profiles'         => ['x509veryverylong'],
  'name_constraints' => ['example.ch', 'example2.ch'],
  'become_ca'        => true,
  'render'           => { 'certonly' => true },
)
```

Run it with the Ruby shipped with puppet-agent:

```shell
/opt/puppetlabs/puppet/bin/ruby myfile.rb
```
This will create a CA with proper extensions.
This is not a real trocla issue, this issue only applies if you are using Trocla with Puppet Server.
PuppetServer uses Jruby 1.7 (PuppetLabs has custom patches for jruby):
If you are using the x509 format option of trocla, trocla can generate new SSL certificates, but these certificates are not valid:
(the error message is from bareos)
```shell
openssl x509 -in bar.crt -noout -text
```
Please note the dots before the Subject Alternative Name value; this is a bug. Our SAN was "foobar.example.com" without the prefix dots, and the Authority Key Identifier is also broken.
There is an open bug on Jruby: https://github.com/jruby/jruby/issues/994
A quick workaround is to remove only the create_extension lines for "subjectAltName" and "authorityKeyIdentifier" inside the file formats/x509.rb.
But if you use alternative names, this workaround breaks your certificates.