Bug 1136542

Summary: RHEL7 Puppetmaster unable to sign certificates for RHEL5 clients
Product: Red Hat Satellite
Reporter: Mike McCune <mmccune>
Component: Configuration Management
Assignee: Stephen Benjamin <stbenjam>
Status: CLOSED ERRATA
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Docs Contact:
Priority: high
Version: 6.0.4
CC: bbuckingham, bhamrick, bkearney, cperry, dcleal, jmontleo, jpazdziora, michele, omaciel, riehecky, xdmoon
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-22 15:22:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1115190

Description Mike McCune 2014-09-02 20:00:58 UTC
During %post in the provisioning of a RHEL5 based system the puppet agent will fail to start and register correctly, you are left with:

# /usr/bin/puppet agent -v --config /etc/puppet/puppet.conf -o --tags no_such_tag --server qeblade35.rhq.lab.eng.bos.redhat.com --no-daemonize
Exiting; no certificate found and waitforcert is disabled

On the Puppetmaster if you try and sign it manually you get:


# puppet cert sign --digest SHA1 qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Error: unknown message digest algorithm

This appears to be a result of the rhel5 puppet agent using an incompatible digest when signing the request.

Comment 1 RHEL Program Management 2014-09-02 20:02:57 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

Comment 3 Stephen Benjamin 2014-09-02 20:11:44 UTC
Puppet 2.7 signs certificate requests using MD5:
  https://github.com/puppetlabs/puppet/blob/2.7.26/lib/puppet/ssl/certificate_request.rb#L71

This is hard coded, and there doesn't seem to be any way to change this on the client (although puppet agent --digest option would lead you to believe otherwise).

Puppetmaster on at least el7 won't sign MD5-signed CSRs.  We probably need to test el6.


We could patch the el5sat to use SHA256 which actually works just fine:
Line 71:    csr.sign(key, OpenSSL::Digest::SHA256.new)


[root@qeblade35 requests]# puppet cert --list
  "qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com" (SHA256) 40:48:17:37:9C:16:E1:0B:24:4C:BF:01:3B:40:5D:CD:01:7C:4A:24:83:86:9B:C5:4C:3D:AA:9B:20:06:86:44

[root@qeblade35 requests]# puppet cert --sign qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Signed certificate request for qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Removing file Puppet::SSL::CertificateRequest qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com at '/var/lib/puppet/ssl/ca/requests/qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com.pem'
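
Added example (not code from this bug, from Puppet or from the PR): it mirrors the one relevant call in 2.7's certificate_request.rb, csr.sign(key, digest), with SHA256 in place of the hard-coded MD5, and shows the check a CA can run on an incoming CSR so that a weak-digest request is refused with a clear reason instead of OpenSSL's bare "unknown message digest algorithm". The hostname and the WEAK_CSR_DIGESTS list are assumptions for the example.

```ruby
require 'openssl'

# Signature algorithms a CA should refuse on a CSR (assumed policy list for this
# example). MD5 is what Puppet 2.7 produces; SHA1 is listed because it is also
# deprecated for signatures.
WEAK_CSR_DIGESTS = %w[md5WithRSAEncryption sha1WithRSAEncryption].freeze

# Build a PKCS#10 request for common_name, signed with the given digest object
# (e.g. OpenSSL::Digest::SHA256.new). Returns the CSR and its private key.
def build_csr(common_name, digest)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, digest) # the call that line 71 of certificate_request.rb makes
  [csr, key]
end

# True when the named signature algorithm is one the CA should reject.
def weak_csr_digest?(signature_algorithm)
  WEAK_CSR_DIGESTS.include?(signature_algorithm)
end

# CA-side gate: parse the PEM, check the self-signature, then check the digest.
# Returns [accepted, reason] so the caller can log why a request was refused.
def check_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  return [false, 'CSR self-signature does not verify'] unless csr.verify(csr.public_key)
  alg = csr.signature_algorithm
  return [false, "CSR signed with weak digest #{alg}"] if weak_csr_digest?(alg)
  [true, "CSR signed with #{alg}"]
end

if $PROGRAM_NAME == __FILE__
  host = 'rhel5-client.example.test' # constructed hostname for the demo
  csr, = build_csr(host, OpenSSL::Digest::SHA256.new)
  puts check_csr(csr.to_pem).inspect
  begin
    # Reproduce what a 2.7 agent sends; a FIPS or hardened OpenSSL may refuse
    # to produce the MD5 signature at all, which is the el7 symptom.
    md5_csr, = build_csr(host, OpenSSL::Digest::MD5.new)
    puts check_csr(md5_csr.to_pem).inspect
  rescue OpenSSL::OpenSSLError => e
    puts "OpenSSL refused to create an MD5-signed CSR: #{e.message}"
  end
end
```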

Comment 4 Stephen Benjamin 2014-09-02 20:19:54 UTC
(Or just upgrade to Puppet 3.6 on RHEL 5, like we have on RHEL 6 & 7)

Comment 7 Mike McCune 2014-09-02 21:19:17 UTC
This doesn't occur if the Capsule(Puppetmaster) is running on RHEL6

Comment 9 Jason Montleon 2014-09-02 21:36:31 UTC
My understanding is puppet > 2.7 requires ruby 1.8.7 or better. As RHEL 5 ships with 1.8.5 puppet provides a RHEL 5 ruby 1.8.7 build for newer versions of their client to run, but I don't think we can or should do this as part of Satellite.

See http://yum.puppetlabs.com/el/5Server/dependencies/x86_64/

Comment 11 Stephen Benjamin 2014-09-03 10:28:27 UTC
I don't know if PL will take it, but I submitted a PR upstream:
  https://github.com/puppetlabs/puppet/pull/3046

Would prefer not to change the system ruby, I think we all agree on that?

Fixing 2.7 is probably our best bet. Talked to Dominic today and he said it was also probably OK to change.

Comment 18 Bryan Kearney 2014-09-17 12:32:49 UTC
moving to MODIFIED to put into the errata.

Comment 22 Og Maciel 2014-09-19 22:04:35 UTC
VERIFIED

Comment 24 errata-xmlrpc 2014-09-22 15:22:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1280.html