Bug 1149833 - RHEL7 Puppetmaster unable to sign certificates for RHEL5/6 clients
Summary: RHEL7 Puppetmaster unable to sign certificates for RHEL5/6 clients
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: puppet
Version: el6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2014-10-06 17:17 UTC by Matt Summers
Modified: 2015-02-05 19:02 UTC

Fixed In Version: puppet-2.7.26-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-05 19:02:38 UTC
Type: Bug

Attachments
patch for md5 issue (2.61 KB, application/mbox), 2015-01-14 12:26 UTC, marianne@tuxette.fr

Description Matt Summers 2014-10-06 17:17:30 UTC
Description of problem:
The puppet client for el5 and el6 will generate client certificates for signing by the puppet master using the MD5 digest. The puppetmaster on epel7 is unable to sign these.
$ sudo puppet cert list
  "host.domain.com" (MD5) 00:DC:6B:7E:BD:63:B0:25:33:42:5D:5E:C5:DB:AC:84
$ sudo puppet cert sign host.domain.com
Error: unknown message digest algorithm

Version-Release number of selected component (if applicable):
el5 client: puppet-2.7.25-1.el5
el6 client: puppet-2.7.25-2.el6.noarch
el7 client: puppet-3.6.2-3.el7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. on el5/6 server:
yum install puppet
service puppet once
2. on el7 puppet master
$ sudo puppet cert list
  "host.domain.com" (MD5) 02:B7:43:4A:18:95:6D:79:B2:47:08:4C:3D:A1:A3:86
$ sudo puppet cert sign host.domain.com

Actual results:
Error: unknown message digest algorithm

Expected results:
notice: Signed certificate request for host.domain.com

Additional info:
This error comes about because puppet 2.7 hardcodes the use of the md5 digest for certificates, and puppet 3.6 excludes md5 so as to be FIPS compliant.

There is a ticket for this issue under the Red Hat Satellite project: https://bugzilla.redhat.com/show_bug.cgi?id=1136542

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c3 gives a good summary of the problem

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c11 links to a PR upstream which patches the el5/el6 client to sign with the best digest available. I can confirm that after patching el5 and el6 test systems, this problem no longer occurs.
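
Added example (not code from the bug report, the linked PR or puppet itself): a small Python checker that reads the signature-algorithm OID out of a DER-encoded PKCS#10 CSR and flags the MD5 ones, i.e. the requests a FIPS-restricted puppet 3.x master answers with "unknown message digest algorithm", so pending requests can be audited before a master upgrade. The sample CSRs are constructed skeletons that carry only the algorithm identifier, not real requests; `pem_to_der` is there for the PEM files a practitioner would point it at.

```python
import base64
# Signature-algorithm OIDs this checker recognises (PKCS#1 arc 1.2.840.113549.1.1.x).
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
FIPS_REJECTED = {"md5WithRSAEncryption"}   # digest a FIPS-mode puppet 3.x master refuses

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(der):
    """CSR ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }."""
    _, body, _ = der_tlv(der)
    _, _, pos = der_tlv(body)               # skip certificationRequestInfo
    _, algid, _ = der_tlv(body, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid_raw, _ = der_tlv(algid)
    oid = decode_oid(oid_raw)
    return SIG_OIDS.get(oid, oid)           # unknown OIDs come back in dotted form

def fips_acceptable(der):
    """False for a CSR a FIPS-mode master rejects with 'unknown message digest algorithm'."""
    return csr_signature_algorithm(der) not in FIPS_REJECTED

def pem_to_der(pem):
    """Strip the BEGIN/END armour of a PEM CSR file and base64-decode the body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def _tlv(tag, value):                       # short-form DER encoder for the constructed samples
    return bytes([tag, len(value)]) + value

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4 (constructed sample)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 (constructed sample)
def constructed_csr(sig_oid):
    """Constructed, skeletal PKCS#10 shell (stub body, stub signature) carrying sig_oid."""
    info = _tlv(0x30, _tlv(0x02, b"\x00"))                       # certificationRequestInfo stub
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")          # OID + NULL parameters
    return _tlv(0x30, info + alg + _tlv(0x03, b"\x00" * 9))      # BIT STRING stub
```

Run `fips_acceptable(pem_to_der(open(path).read()))` over each pending request file to list the clients that still need the patched 2.7 agent.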

Comment 1 Jacob Welsh 2014-12-19 21:50:19 UTC
Can we get the patch from the linked bug applied to the EPEL package please? Upstream is not going to take it as 2.7 is EOL.

Comment 2 marianne@tuxette.fr 2015-01-13 15:15:49 UTC
Can the patch be applied? It's blocking for me at work.

Comment 3 marianne@tuxette.fr 2015-01-14 12:26:14 UTC
Created attachment 979975 [details]
patch for md5 issue

Patch from https://github.com/puppetlabs/puppet/pull/3046

Comment 4 marianne@tuxette.fr 2015-01-14 12:26:53 UTC
Just made a scratch build with the patch applied https://github.com/puppetlabs/puppet/pull/3046

Comment 5 marianne@tuxette.fr 2015-01-14 12:31:30 UTC
Correct link for the scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=8615336

Comment 6 Fedora Update System 2015-01-19 13:41:05 UTC
puppet-2.7.26-2.el6 has been submitted as an update for Fedora EPEL 6.

Comment 7 Fedora Update System 2015-01-24 18:44:25 UTC
Package puppet-2.7.26-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing puppet-2.7.26-2.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Matt Summers 2015-02-04 10:43:55 UTC
I can confirm that the testing package allows the full certificate submission and signing workflow to work properly with an el6 client (epel-testing puppet package) against an el7 server (epel packages).

Comment 9 Fedora Update System 2015-02-05 19:02:38 UTC
puppet-2.7.26-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
