voxpupuli / puppet-archive

Compressed archive file download and extraction with native types/providers for Windows and Unix
https://forge.puppet.com/puppet/archive
Apache License 2.0

Download fails when host cert is signed by private CA #400

Open BrianSipos opened 4 years ago

BrianSipos commented 4 years ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

Use an archive resource with a "source" URL of a host with HTTPS certificate signed through a private CA chain. The operating system (Windows 10) has the private root and intermediate CAs trusted at the operating system level.

What are you seeing

The puppet agent gives an error about not being able to validate the host certificate.

What behaviour did you expect instead

The puppet agent should use the OS-level CA trust to validate the host cert.

BrianSipos commented 4 years ago

A workaround is to set "allow_insecure => true" but this defeats the authentication of TLS.

Mystakill commented 2 years ago

"allow_insecure => true" also doesn't work when the endpoint being connected to is enforcing SSL/TLS for requestor authentication & enforcing permissions. That makes this a non-starter for us, as all of the hosts in our enterprise do this. We need a way to specify the certificate & key .pem files, and either (preferably) a capath containing all of the certificate authority certs, or a cacert file containing all of the authority certs combined.
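
As an added illustration of the trust problem discussed in this thread (example code, not from the puppet-archive module): a private root and intermediate are generated locally, a host cert is signed by the intermediate, and the chain is then verified against an explicit trust store the way a Ruby TLS client with VERIFY_PEER does. It shows why the host cert fails unless the private root is supplied as a cacert/capath, and why the intermediate must also be available. All names and certificates are constructed test data.

```ruby
require 'openssl'

SERIAL = [0] # simple counter so every constructed cert gets a unique serial

# Build an X.509 cert for `subject`, signed by issuer (or self-signed when issuer is nil).
def make_cert(subject, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = (SERIAL[0] += 1)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # OpenSSL will not accept a v3 cert as a CA without CA:TRUE + keyCertSign.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
    ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed private PKI: root -> intermediate -> host (hypothetical names).
ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT_CERT = make_cert('/CN=Example Private Root CA', nil, nil, ROOT_KEY, ca: true)
INT_KEY   = OpenSSL::PKey::RSA.new(2048)
INT_CERT  = make_cert('/CN=Example Private Intermediate CA', ROOT_CERT, ROOT_KEY, INT_KEY, ca: true)
HOST_KEY  = OpenSSL::PKey::RSA.new(2048)
HOST_CERT = make_cert('/CN=files.example.internal', INT_CERT, INT_KEY, HOST_KEY, ca: false)

# Verify `cert` against `trusted_roots` (what a cacert file / capath would hold) with
# `chain` playing the role of the intermediates the server presents during the handshake.
# Returns [ok, error_string_or_nil].
def verify_chain(cert, trusted_roots, chain)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "empty trust store:        #{verify_chain(HOST_CERT, [], [INT_CERT]).inspect}"
  puts "root trusted, no chain:   #{verify_chain(HOST_CERT, [ROOT_CERT], []).inspect}"
  puts "root trusted, with chain: #{verify_chain(HOST_CERT, [ROOT_CERT], [INT_CERT]).inspect}"
end
```

Only the last case succeeds; an empty store models a client that never consults the OS trust, and the root-only case models a server that omits its intermediate.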

kenyon commented 4 hours ago

See also: #188