voxpupuli / puppet-openssl

Puppet OpenSSL module
Apache License 2.0

Release 3.0.0 broken #178

Closed rtib closed 5 months ago

rtib commented 7 months ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g. Puppet code you use)

Using the following snippet:

openssl::certificate::x509 { 'testcert':
  ensure => present,
  country => 'DE',
  organization => 'TEST',
  commonname => 'test.example.org',
}

What are you seeing

Puppet agent is failing with:

Info: Openssl::Config[/etc/ssl/certs/testcert.cnf]: Scheduling refresh of X509_request[/etc/ssl/certs/testcert.csr]
Error: Execution of '/usr/bin/openssl req -new -key /etc/ssl/certs/testcert.key -config /etc/ssl/certs/testcert.cnf -out /etc/ssl/certs/testcert.csr' returned 1: Error Loading request extension section v3_req
140719119750464:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:../crypto/x509v3/v3_utl.c:386:
140719119750464:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=extendedKeyUsage,section=
140719119750464:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value=
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_request[/etc/ssl/certs/testcert.csr]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/openssl req -new -key /etc/ssl/certs/testcert.key -config /etc/ssl/certs/testcert.cnf -out /etc/ssl/certs/testcert.csr' returned 1: Error Loading request extension section v3_req
140719119750464:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:../crypto/x509v3/v3_utl.c:386:
140719119750464:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=extendedKeyUsage,section=
140719119750464:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value= (corrective)
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_request[/etc/ssl/certs/testcert.csr]: Failed to call refresh: Execution of '/usr/bin/openssl req -new -key /etc/ssl/certs/testcert.key -config /etc/ssl/certs/testcert.cnf -out /etc/ssl/certs/testcert.csr' returned 1: Error Loading request extension section v3_req
140483347924288:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:../crypto/x509v3/v3_utl.c:386:
140483347924288:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=extendedKeyUsage,section=
140483347924288:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value=
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_request[/etc/ssl/certs/testcert.csr]: Execution of '/usr/bin/openssl req -new -key /etc/ssl/certs/testcert.key -config /etc/ssl/certs/testcert.cnf -out /etc/ssl/certs/testcert.csr' returned 1: Error Loading request extension section v3_req
140483347924288:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:../crypto/x509v3/v3_utl.c:386:
140483347924288:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=extendedKeyUsage,section=
140483347924288:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value=

This is caused by a faulty config file:

$ sudo cat /etc/ssl/certs/testcert.cnf

# file managed by puppet
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

[ req ]
default_bits            = 4096
default_md              = sha512
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no

# extensions
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                     = DE
organizationName                = TEST
commonName                      = test.example.org

[ v3_req ]
extendedKeyUsage  =
subjectAltName    = @alt_names
[ alt_names ]

The config template obviously failed to detect extkeyusage and altnames being empty.

What behaviour did you expect instead

With 2.0.1 this was running flawlessly, creating the CSR and self-signed CRT.

Any additional information you'd like to impart

Adding values to the failed parameters:

openssl::certificate::x509 { 'testcert':
  ensure => present,
  country => 'DE',
  organization => 'TEST',
  commonname => 'test.example.org',
  altnames => ['test.example.org'],
  extkeyusage => ['clientAuth'],
}

creates a correct config that is able to generate the CSR, but ends up with

Info: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_request[/etc/ssl/certs/testcert.csr]: Scheduling refresh of X509_cert[/etc/ssl/certs/testcert.crt]
Error: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/testcert.csr -out /etc/ssl/certs/testcert.crt -extfile /etc/ssl/certs/testcert.cnf -extensions v3_req' returned 1: We need a private key to sign with
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_cert[/etc/ssl/certs/testcert.crt]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/testcert.csr -out /etc/ssl/certs/testcert.crt -extfile /etc/ssl/certs/testcert.cnf -extensions v3_req' returned 1: We need a private key to sign with
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_cert[/etc/ssl/certs/testcert.crt]: Failed to call refresh: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/testcert.csr -out /etc/ssl/certs/testcert.crt -extfile /etc/ssl/certs/testcert.cnf -extensions v3_req' returned 1: We need a private key to sign with
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[testcert]/X509_cert[/etc/ssl/certs/testcert.crt]: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/testcert.csr -out /etc/ssl/certs/testcert.crt -extfile /etc/ssl/certs/testcert.cnf -extensions v3_req' returned 1: We need a private key to sign with

This is failing due to a missing reference to the keyfile in the command line.
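As an added example (not the puppet-openssl module's own template or code), the following Ruby/ERB snippet renders the `[ v3_req ]` part of the config so that the extendedKeyUsage line and the subjectAltName/alt_names pair are emitted only when the corresponding parameter is non-empty, and adds a small lint that flags the two defects visible in the generated file above (an extension key with no value, and a section with no entries) before openssl is ever invoked. Template layout and the `DNS.n` alt_names form are assumptions for the example.

```ruby
require 'erb'

# Constructed template (assumed shape, not the module's own): the extension lines
# are guarded so that an empty extkeyusage or altnames list never produces the
# "extendedKeyUsage =" / empty "[ alt_names ]" that broke `openssl req` above.
V3_REQ_TEMPLATE = <<~'ERB'
  [ v3_req ]
  <%- unless extkeyusage.empty? -%>
  extendedKeyUsage  = <%= extkeyusage.join(', ') %>
  <%- end -%>
  <%- unless altnames.empty? -%>
  subjectAltName    = @alt_names
  [ alt_names ]
  <%- altnames.each_with_index do |name, i| -%>
  DNS.<%= i + 1 %> = <%= name %>
  <%- end -%>
  <%- end -%>
ERB

def render_v3_req(extkeyusage: [], altnames: [])
  ERB.new(V3_REQ_TEMPLATE, trim_mode: '-')
     .result_with_hash(extkeyusage: Array(extkeyusage), altnames: Array(altnames))
end

# Pre-flight lint for a rendered openssl config. Returns the "key =" lines that carry
# no value (the shape behind X509V3_parse_list's "invalid null name" on this page) and
# the names of sections that declare no keys at all, such as an empty [ alt_names ].
def lint_openssl_cnf(cnf)
  empty_values = []
  sections = Hash.new(0)
  current = nil
  cnf.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[\s*(\S+)\s*\]\z/))
      current = m[1]
      sections[current] += 0 # register the section even if it stays empty
    else
      empty_values << line if line.match?(/\A\w+\s*=\s*\z/)
      sections[current] += 1 if current
    end
  end
  { empty_values: empty_values,
    empty_sections: sections.select { |_, n| n.zero? }.keys }
end
```

Running `lint_openssl_cnf` over the file before the `openssl req` exec turns the opaque X509 V3 error into a readable report naming the offending key and section.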

rtib commented 5 months ago

Is there a timeline known when this could get fixed and released?

zilchms commented 5 months ago

I can try to take a look later this week