Description of problem:
The puppet client for el5 and el6 will generate client certificates for signing by the puppet master using the MD5 digest. The puppetmaster on epel7 is unable to sign these.

$ sudo puppet cert list
  "host.domain.com" (MD5) 00:DC:6B:7E:BD:63:B0:25:33:42:5D:5E:C5:DB:AC:84
$ sudo puppet cert sign host.domain.com
Error: unknown message digest algorithm

Version-Release number of selected component (if applicable):
el5 client: puppet-2.7.25-1.el5
el6 client: puppet-2.7.25-2.el6.noarch
el7 client: puppet-3.6.2-3.el7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. on el5/6 server:
   yum install puppet
   service puppet once
2. on el7 puppet master
   $ sudo puppet cert list
     "host.domain.com" (MD5) 02:B7:43:4A:18:95:6D:79:B2:47:08:4C:3D:A1:A3:86
   $ sudo puppet cert sign host.domain.com

Actual results:
Error: unknown message digest algorithm

Expected results:
notice: Signed certificate request for host.domain.com
...

Additional info:
This error comes about because puppet 2.7 hardcodes the use of md5 digest for certificates, and puppet 3.6 excludes md5 so as to be fips compliant.

There is a ticket for this issue under the Red Hat Satellite project:
https://bugzilla.redhat.com/show_bug.cgi?id=1136542

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c3 gives a good summary of the problem.

https://bugzilla.redhat.com/show_bug.cgi?id=1136542#c11 links to a PR upstream which patches the el5/el6 client to sign with the best digest available.

I can confirm that after patching el5 and el6 test systems, this problem no longer occurs.
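The digest mismatch described in the report above can be checked from the signing side by reading the signature algorithm out of each certificate request. The Ruby below is an added example, not the upstream patch and not Puppet's own code; the function names, the digest preference list and the generated key and CSRs are constructed for illustration.

```ruby
require 'openssl'

# Signature algorithms treated as unacceptable to the signing side
# (assumption for this example: anything MD5-based).
WEAK_SIG_ALGS = /\Amd5/i

# Preference order for the client's signing digest (OpenSSL digest names).
PREFERRED_DIGESTS = %w[SHA256 SHA1 MD5].freeze

# Return the first digest in `candidates` that the local OpenSSL can create.
def best_available_digest(candidates = PREFERRED_DIGESTS)
  candidates.each do |name|
    begin
      return OpenSSL::Digest.new(name)
    rescue StandardError
      next # digest unknown or disabled in this OpenSSL build
    end
  end
  raise ArgumentError, 'no usable digest among candidates'
end

# Build a CSR for `cn`, signed with `digest` (stands in for the agent side).
def build_csr(cn, key, digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, digest)
  csr
end

# Inspect a PEM-encoded CSR and report the digest used for its signature.
def audit_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  alg = csr.signature_algorithm # e.g. "md5WithRSAEncryption"
  { subject: csr.subject.to_s, algorithm: alg, weak: alg.match?(WEAK_SIG_ALGS) }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed sample key
  [OpenSSL::Digest.new('MD5'), best_available_digest].each do |d|
    r = audit_csr(build_csr('host.domain.com', key, d).to_pem)
    puts format('%-20s %-26s %s', r[:subject], r[:algorithm], r[:weak] ? 'REJECT' : 'ok')
  end
end
```

On a master, `audit_csr` can be given the contents of each pending request file before `puppet cert sign` is run, so MD5-signed requests are identified up front.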
Can we get the patch from the linked bug applied to the EPEL package please? Upstream is not going to take it as 2.7 is EOL.
Can the patch be applied? It's blocking for me at work.
Created attachment 979975
patch for md5 issue

Patch from https://github.com/puppetlabs/puppet/pull/3046
Just made a scratch build with the patch applied https://github.com/puppetlabs/puppet/pull/3046
http://koji.fedoraproject.org/koji/taskinfo?taskID=8615336 correct link for the scratch build
puppet-2.7.26-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/puppet-2.7.26-2.el6
Package puppet-2.7.26-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing puppet-2.7.26-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0362/puppet-2.7.26-2.el6
then log in and leave karma (feedback).
I can confirm that the testing package allows the full certificate submission and signing workflow to work properly with an el6 client (epel-testing puppet package) against an el7 server (epel packages).
puppet-2.7.26-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.