Bug 1149833

Summary: RHEL7 Puppetmaster unable to sign certificates for RHEL5/6 clients
Product: [Fedora] Fedora EPEL
Component: puppet
Reporter: Matt Summers <devopsmatt>
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: el6
CC: dcleal, fedora, jose.p.oliveira.oss, jwelsh-rhbz, k.georgiou, ktdreyer, marianne, mastahnke, mmagr, moses, s, tmz, vanmeeuwen+fedora
Hardware: Unspecified
OS: Unspecified
Fixed In Version: puppet-2.7.26-2.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-05 19:02:38 UTC
Attachments: patch for md5 issue (attachment 979975; flags: none)

Description Matt Summers 2014-10-06 17:17:30 UTC
Description of problem:
The puppet client for el5 and el6 will generate client certificates for signing by the puppet master using the MD5 digest. The puppetmaster on epel7 is unable to sign these.
$ sudo puppet cert list
  "host.domain.com" (MD5) 00:DC:6B:7E:BD:63:B0:25:33:42:5D:5E:C5:DB:AC:84
$ sudo puppet cert sign host.domain.com
Error: unknown message digest algorithm

Version-Release number of selected component (if applicable):
el5 client: puppet-2.7.25-1.el5
el6 client: puppet-2.7.25-2.el6.noarch
el7 client: puppet-3.6.2-3.el7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. on el5/6 server:
yum install puppet
service puppet once
2. on el7 puppet master
$ sudo puppet cert list
  "host.domain.com" (MD5) 02:B7:43:4A:18:95:6D:79:B2:47:08:4C:3D:A1:A3:86
$ sudo puppet cert sign host.domain.com

Actual results:
Error: unknown message digest algorithm

Expected results:
notice: Signed certificate request for host.domain.com
...

Additional info:
This error comes about because puppet 2.7 hardcodes the use of the MD5 digest for certificates, and puppet 3.6 excludes MD5 so as to be FIPS compliant.

There is a ticket for this issue under the Red Hat Satellite project: https://bugzilla.redhat.com/show_bug.cgi?id=1136542

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c3 gives a good summary of the problem

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c11 links to a PR upstream which patches the el5/el6 client to sign with the best digest available. I can confirm that after patching el5 and el6 test systems, this problem no longer occurs.
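
The mechanism described above, as an added Ruby example that is not part of this bug report or of puppet's own code: a client-side digest chooser (the preference order SHA256, SHA1, MD5 is an assumption, standing in for "best digest available") next to a master-side preflight that reports an MD5-signed CSR as unsignable before `puppet cert sign` would hit "unknown message digest algorithm". The CSRs it checks are generated by the example itself.

```ruby
require 'openssl'

# Preference order is an assumption for this example. Unpatched puppet 2.7
# hardcoded MD5; the patched client picks the best digest available.
DIGEST_PREFERENCE = %w[SHA256 SHA1 MD5].freeze

# First digest in the preference list that this OpenSSL build can
# instantiate. MD5 raises on a FIPS-restricted build, so it is skipped.
def best_available_digest(prefs = DIGEST_PREFERENCE)
  prefs.each do |name|
    begin
      return OpenSSL::Digest.new(name)
    rescue OpenSSL::Digest::DigestError, RuntimeError
      next # digest not usable here, try the next one
    end
  end
  raise 'no usable digest algorithm available'
end

# Build a minimal agent-style CSR (CN only) signed with the given digest.
def build_csr(cn, key, digest)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key.public_key
  req.sign(key, digest)
  req
end

# Master-side preflight: a CA that excludes MD5 (as the el7 puppet 3.6
# master does) cannot process an MD5-signed CSR, so report that before
# trying to sign. Otherwise require that the CSR's self-signature verifies.
def csr_signable?(req, md5_excluded: true)
  algo = req.signature_algorithm.downcase # e.g. "md5withrsaencryption"
  return false if md5_excluded && algo.include?('md5')
  req.verify(req.public_key)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway agent key
  [OpenSSL::Digest.new('MD5'), best_available_digest].each do |d|
    req = build_csr('host.domain.com', key, d)
    puts "#{req.signature_algorithm}: signable=#{csr_signable?(req)}"
  end
end
```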

Comment 1 Jacob Welsh 2014-12-19 21:50:19 UTC
Can we get the patch from the linked bug applied to the EPEL package please? Upstream is not going to take it as 2.7 is EOL.

Comment 2 marianne@tuxette.fr 2015-01-13 15:15:49 UTC
Can the patch be applied? It's blocking for me at work.

Comment 3 marianne@tuxette.fr 2015-01-14 12:26:14 UTC
Created attachment 979975 [details]
patch for md5 issue

Patch from https://github.com/puppetlabs/puppet/pull/3046

Comment 4 marianne@tuxette.fr 2015-01-14 12:26:53 UTC
Just made a scratch build with the patch applied https://github.com/puppetlabs/puppet/pull/3046

Comment 5 marianne@tuxette.fr 2015-01-14 12:31:30 UTC
http://koji.fedoraproject.org/koji/taskinfo?taskID=8615336 correct link for the scratch build

Comment 6 Fedora Update System 2015-01-19 13:41:05 UTC
puppet-2.7.26-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/puppet-2.7.26-2.el6

Comment 7 Fedora Update System 2015-01-24 18:44:25 UTC
Package puppet-2.7.26-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing puppet-2.7.26-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0362/puppet-2.7.26-2.el6
then log in and leave karma (feedback).

Comment 8 Matt Summers 2015-02-04 10:43:55 UTC
I can confirm that the testing package allows the full certificate submission and signing workflow to work properly with an el6 client (epel-testing puppet package) against an el7 server (epel packages).

Comment 9 Fedora Update System 2015-02-05 19:02:38 UTC
puppet-2.7.26-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.